Two Unofficial IE Patches Block Attacks

Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix."

Re:Why doesn't Microsoft...

[ZiakII]

Why doesn't Microsoft just tell people to switch to Ubuntu and use Firefox? It would save them a hassle and a lot of work.

Maybe because they like money?

Free as in...

[HolyCrapSCOsux]

Some folks would like you to believe that free as in beer software is a horrible thing.

The question is, would people patch if they had to pay for them?

Are there not risks even with official patches?

[El Cubano]

As always, the advice is to weigh the risks before opting for an unofficial hotfix.

Is this not something that smart admins/companies so even with official patches and fixes? To me, the fact that the source was released shows that these people are quite serious about being taken seriously. I suppose that is better than MS assurances that they extensively tested the fix before release.

weigh the risks

[enrevanche]

Certainly you should weigh the risks with any patch but since an "official" patch would come from the originators of the flaw (and numerous others) why should it be considered any better than an "unofficial" patch? At least these patches can be scrutinized by the outside world for problems. A MS patch will be forever hidden. The perils of closed source!

But how many would install them?

[E IS mC(Square)]

Given the fact that the average IE user would not even be aware of the flaw, how would he even know such third party patches even exist?

Most of them are going to be patched only when MS releases the patch, AND they have selected to be updated automatically.

Its a horrible situation.

Re:Other patches:

[Volanin]

1. [apple.com] and 2. [mozilla.com]

Yeah, but only number 2 "include source code for review."

Re:Free as in...

[monkaduck]

If they were told to, yes. Never underestimate the lemmingness of the human species.

Fat, slow, and lazy

[dtfinch]

If third parties can regularly patch your bugs before you do, without access to the source, after giving you a generous head start... Well, I guess that could mean a lot of things. They're definitely lazy, to say the least.

Re:Other patches:

[Poltras]

does that mean it's less effective?

Re:Are there not risks even with official patches?

[Ravatar]

Without releasing the source, they have almost no credibility. If they hadn't released the source, slashdot would be packed with cries of "who would actually run this?!" "wtf, no source? no thanks".

Re:Are there not risks even with official patches?

[tshak]

I suppose that is better than MS assurances that they extensively tested the fix before release.

This quite far from the truth. Reading source code will not find the integration problems that can come up when you release a patch on millions of machines with different configurations.

Re:Fat, slow, and lazy

[dtfinch]

If it was just a testing thing, they wouldn't wait until the 2nd Tuesday of the following month. Minor patches can wait, but delaying critical patches is inexcusable.

Re:Fat, slow, and lazy

[tshak]

... or they run through rigorous tests since they have to answer to millions of customers on millions of different system configurations. I'm not saying that MS shouldn't be faster about patching, but they have improved their turnaound and there's only so much you can do if you care about rigorous quality assurance.

Re:Why doesn't Microsoft...

[X0563511]

True, it's not like they sell IE seperate. They have no real reason to be so die-hard about IE.

Re:But how many would install them?

[ClamIAm]

Better question: how many of them know that Microsoft releases patches?

Re:How do they even write these patches???

[Anonymous Coward]

You better watch out :)

From the EULA:
"LIMITATION ON REVERSE ENGINEERING,
DECOMPILATION, AND DISASSEMBLY. You may
not reverse engineer, decompile, or disassemble the
Product"

In memory fix

[roman_mir]

the patch fixes the affected DLL in memory by overwriting a byte that is stored in RAM for MSHTML.DLL this begs a freaking question, should a modern OS even allow some application to modify behaviour of another application in memory, especially behaviour of a system level application, an OS DLL? I believe the patch needs to be installed from an administrator account, but even then, this doesn't mean that it is good design decision, to allow an arbitrary application to overwrite in memory code of another application. Of-course if that wasn't possible this specific patch couldn't exist, but still, the OS allows questionable application behaviour to say the least.

Re:Why doesn't Microsoft...

[Cromac]

True, it's not like they sell IE seperate. They have no real reason to be so die-hard about IE.

Microsoft views IE as a "rich client" and one more reason to tie people to Windows. MS may one day have a 100% standards compliant browser but I gaurentee they will also have another 20% worth of features that only work in IE as one more way to try and keep people using Windows.

It's the same reason they will never have a Linux version of Office as long as they view Linux as any kind of threat to their OS.

Re:Are there not risks even with official patches?

[whitehatlurker]

And yet, we will accept the same from MicroSoft without the assurance of source ;-)

Anyone remember?

[WalterGR]

Does anyone remember the previous third-party patch to IE? This is from December of '03.

Slashdot: "Open Source Firm Releases Patch for IE Bug [UPDATED]"

An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer... Update: Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code. (link [slashdot.org])

Re:Applying Patches Is Not Free

[apoc.famine]

I'm missing the part where the sense is....If MS released all patches as soon as they were ready, everyone who wanted to patch right away could. If large corporate IT depts still want to patch every 2nd tuesday, they still can! Scheduled Downtime is Scheduled Downtime is Scheduled Downtime. I see no connection between when MS releases a patch and when an IT department schedules their downtime to roll that patch out. (Well, other than the fact that the patch has to come first. ;)

This whole "scheduled patching" bit really is BS. All it does is leave critical problems unpatched longer than necessary, so that managers can point to MS when bad shit happens to the network. "Well, we couldn't patch until two days after patch-day, because we needed to test the patches." works lots better than "We got fucked because I decided that it wasn't critical enough to test and deploy right away."

While I can see where it would make a lot of people more confortable to know that there is patching every third Wed or something, I just don't see the value in withholding critical patches because "they aren't scheduled yet". At the very worst, let the IT departments decide if they want to schedule additional downtime, because ultimately, they know whether it will affect their systems or not. But then again, MS knows best, all the time, doesn't it?

Re:Why doesn't Microsoft...

[drsmithy]

Microsoft views IE as a "rich client" and one more reason to tie people to Windows.

There's also the rather significant problem of Firefox not being a drop-in replacement for IE.

It's the same reason they will never have a Linux version of Office as long as they view Linux as any kind of threat to their OS.

OS X is a vastly greater "threat" to Windows than Linux is on the Desktop, but Microsoft are happy to make money selling Office for OS X. Your argument does not hold water.

Re:How do they even write these patches???

[igny]

But you can reverse engineer, decompile, or disassemble the exploit.

Re:Bug fixes

[LardBrattish]

XP has relatively few new features over Windows 2000 which is why I didn't list Win 2k (Or Windows NT for that matter)

Win 3.1 was an (admitedly significant) upgrade of 3.0 which they charged for.

Similarly 98 was incremental on 95, 98SE on 98, Me on 98SE all of which you had to pay for yet none of which offered significantly more than bug fixes & drivers.

That's my point.

Re:Why doesn't Microsoft...

[Anonymous Coward]

OS X is a vastly greater "threat" to Windows than Linux is on the Desktop, but Microsoft are happy to make money selling Office for OS X. Your argument does not hold water.

Microsoft Office was originally written for Mac.

Re:How do they even write these patches???

[Anonymous Coward]

5 minutes to change single byte ... 2 weeks of patching of other MS applications, which never expected an error code from that function and their error handling is broken...

Re:Other patches:

[chrome]

Don't be silly. You wouldn't consider it because your a unix zealot :P

Re:Other patches:

[ettlz]

Don't be silly. You wouldn't consider it because your a unix zealot :P

So what is OS X? A VMS offshoot? Grandparent is a total disclosure zealot. I don't condemn the grandparent for having this attitude.

Anyone else see a trend here?

[g0bshiTe]

I wonder how this makes Microsoft feel, and imagine the embarassment from having 3rd parties release hot fixes (work arounds, or patches) before your release cycle.

It's like the security community is slapping them in the face and saying that their current model of using patch cycles is not good enough for threats on todays internet.

In my opinion this makes Microsoft look very bad, this is that I know of the second time a patch has been released for an MS product before an official fix release.

And they even produce sourcecode for community scrutiny/review.


To eEye and others making these patches for MS products, thanks guys for making sure my parents don't get inundated by malware.