Two Unofficial IE Patches Block Attacks
Pentrex writes "eWeek reports that two well-respected Internet security companies (eEye and Determina) have released unofficial patches to correct the vulnerability being exploited to load spyware, bots and Trojan downloaders on Windows machines. Microsoft isn't sanctioning the third-party patches, which include source code for review. As always, the advice is to weigh the risks before opting for an unofficial hotfix."
How do they even write these patches??? (Score:5, Interesting)
Yep, the more I watch the ills that befall the Microsoft-bound, the more I'm happy with my decision to go Linux-only a few years back.
opensource? (Score:4, Interesting)
Maybe the code would be completely different, but would it achieve its goal by going about it the same way as the unofficial patch? Or would it be patched on a level deeper than we could access? I guess the most interesting part would be that a third party without access to the source code could actually come together with a solution before Microsoft. What would be more interesting is seeing how closely those solutions match each other. Sort of a test of how these third-party programmers can predict the necessity or order of different code they only have limited access to.
Re:How do they even write these patches??? (Score:5, Interesting)
When I do use a debugger, it's usually WinDbg. I like the command line interface and it has very good support for all versions of Windows. A lot of other security researchers use OllyDbg. For kernel debugging I use both WinDbg and SoftIce. SoftIce has the advantage of being able to follow code from user space to kernel space and back, which is very useful for analyzing kernel vulnerabilities.
Alexander Sotirov
Security Research
Determina Inc.
Re:Applying Patches Is Not Free (Score:2, Interesting)
From descriptions of the fix elsewhere here, it is a stupid mistake that never should have made it through any kind of testing that I routinely run my code through. So why the hell did it make it through Microsoft's superior testing that they have guaranteed since making security "job one"? [just a hint of sarcasm there]
Perhaps the problem is really one of testing and verifying the code before it is sold to a trusting customer base in the first place! That's right, you heard me; I too am blaming the customer: they fscked up! They trusted Microsoft to actually do something about making their code more secure!
Re:Does anyone on /. even use IE anymore? (Score:3, Interesting)
Of course, IE on that particular network has a proxy server of 127.0.0.1 pushed out via group policy, with an exemption for the intranet. You could sneak around that by installing a proxy server on the machine you're using, but most of my users aren't that sharp. I've got Firefox 1.5.whatever running on everything now, so I can let my users off the leash a little.
The only thing I miss about IE is the ability to push settings to the browser via group policy. It's nice to be able to centrally manage an application like that. I haven't found a way to do that for Firefox (HINT HINT).
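The lockdown described in that post (IE proxied to 127.0.0.1 via group policy, intranet exempted) is easy to push and just as easy to silently lose, so a check on the endpoint is worth having. The following is an added example, not code from the post or from any product in the story: it reads the current user's WinINET proxy values, reports whether the "Disable changing proxy settings" policy is enforcing them, and looks for the bypass the poster mentions (a proxy actually listening on the loopback port). The registry paths are the standard ones; Get-NetTCPConnection needs Windows 8 / Server 2012 or later, so on older hosts the listener check is skipped.

```powershell
# Added example: verify the "IE proxied to 127.0.0.1" lockdown for the current user.
# Not from the original thread; assumes the standard WinINET and IE policy keys.

$settings = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# The GPO "Disable changing proxy settings" writes Proxy=1 here, which stops the
# user from undoing the lockdown from the Internet Options dialog.
$policy   = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction SilentlyContinue

"ProxyEnable      : $($settings.ProxyEnable)"
"ProxyServer      : $($settings.ProxyServer)"      # e.g. 127.0.0.1:1 or http=127.0.0.1:1;https=127.0.0.1:1
"ProxyOverride    : $($settings.ProxyOverride)"    # intranet exemptions, e.g. *.corp.example;<local>
"ProxyLockedByGPO : $([bool]($policy -and $policy.Proxy -eq 1))"

# Lockdown is only real if the proxy is enabled AND points at loopback.
$blackholed = ($settings.ProxyEnable -eq 1) -and
              ($settings.ProxyServer -match '(^|=)127\.0\.0\.1:(\d+)')
if (-not $blackholed) {
    Write-Warning 'IE is NOT blackholed: it can reach the Internet directly or through a real proxy.'
    return
}
$port = [int]$Matches[2]

# The bypass from the post: a local proxy on that port turns the blackhole into a working proxy.
$listener = Get-NetTCPConnection -LocalAddress 127.0.0.1 -LocalPort $port -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Warning ("Something is listening on 127.0.0.1:{0} (PID {1}); a local proxy may be defeating the lockdown." -f $port, ($listener | Select-Object -First 1).OwningProcess)
} else {
    "IE lockdown in effect: proxy 127.0.0.1:$port with nothing listening there."
}
```

Note that this reads the per-user hive: a machine where "Make proxy settings per-machine" has been enabled stores the same values under HKLM instead, and a user running under a different account (or a process that ignores WinINET settings entirely) is not covered by this check.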
Re:In memory fix (Score:3, Interesting)
Next they use the AppInit_DLL registry key, which essentially forces the operating system to load this DLL into all applications that link against user32.dll (I think), hence no hackery is going on across address space boundaries, and there is nothing wrong with self-modifying code.
Next you will be asking why this little DLL injection key exists. Well, it's useful for making unofficial application patches, for one thing, and it has other legitimate uses as well, although I believe the key is now deprecated in favour of cleaner methods.
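Because an AppInit_DLLs entry gets loaded into every process that links user32.dll, the same key is a well-known persistence spot for malware, and a third-party hotfix delivered this way is indistinguishable from one at the registry level. Before and after installing such a patch it is worth enumerating exactly what is registered there. The script below is an added example, not from the thread or from eEye/Determina: it reads the 64-bit and WOW64 views of the key, prints the gating values (LoadAppInit_DLLs exists from Vista on, RequireSignedAppInit_DLLs from Windows 7 on; both print empty on older systems), and for each listed DLL reports whether it exists on disk, its Authenticode status and its SHA-256 so it can be compared with the hash the vendor published. Run it from an elevated PowerShell.

```powershell
# Added example: enumerate AppInit_DLLs injection points and check each DLL.
# Not code from the original thread; assumes only the documented registry layout.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',              # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit processes on x64
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $dlls  = $props.AppInit_DLLs

    "{0}" -f $key
    "  LoadAppInit_DLLs          = {0}" -f $props.LoadAppInit_DLLs            # 1 = mechanism enabled (Vista+)
    "  RequireSignedAppInit_DLLs = {0}" -f $props.RequireSignedAppInit_DLLs   # 1 = only signed DLLs load (Win7+)
    "  AppInit_DLLs              = '{0}'" -f $dlls

    if ([string]::IsNullOrWhiteSpace($dlls)) { continue }

    # The value is a space- or comma-separated list of paths; 8.3 short names are common.
    foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (-not (Test-Path -LiteralPath $path)) {
            "  -> {0}: FILE NOT FOUND (dangling entry; every user32 process will still try to load it)" -f $entry
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        "  -> {0}" -f $path
        "       signature = {0}" -f $sig.Status
        "       signer    = {0}" -f ($(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }))
        "       sha256    = {0}" -f $hash
    }
}
```

Any entry you did not put there yourself deserves the same scrutiny as the hotfix, and a DLL that fails the signature check or does not match the vendor's published hash should be removed from the value before the next reboot loads it into every process on the box.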
Re:Another possibility (Score:1, Interesting)