
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-12-19 InfoSec Handlers Diary Blog



Non-Microsoft Patch available for IE bug

Published: 2003-12-19
Last Updated: 2003-12-19 23:25:21 UTC
by Pedro Bueno (Version: 1)

A patch was released at the OpenSoft website (security.openwares.org)
related to the recently discovered IE URL Spoofing Vulnerability bug [1].

This patch IS NOT an official patch released by Microsoft, and although it
may fix the URL bug, it may also add some additional flaws to Internet
Explorer.

According to a poster on the Full-Disclosure (FD) mailing list:

------------------------------------------

Openware.org IE fix introduces new flaws :
- The buffer to copy URL's is limited to 256 bytes

- Larger strings produce a buffer overflow, with possibility to
overwrite the stack.

-------------------------------------------

This patch should be handled with extreme care to avoid future problems.
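
The flaw class described in the FD post quoted above, as an added illustration (not code from the third-party patch, whose source is not shown on this page): a fixed 256-byte URL buffer filled through a length check that rejects over-long input. The function name and status codes are hypothetical, and the sample URLs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256  /* buffer size quoted in the FD post */

enum url_copy_status { URL_OK = 0, URL_TOO_LONG = -1, URL_BAD_ARG = -2 };

/* The reported flaw amounts to an unchecked copy into a fixed buffer:
 *     char buf[URL_BUF_SIZE];
 *     strcpy(buf, url);   // writes past buf once url needs more than 256 bytes
 * The checked version measures first and refuses over-long input.
 * Silent truncation is avoided on purpose: later code would then act on a
 * different URL than the one supplied, a poor property for a URL filter. */
enum url_copy_status copy_url_checked(char *dst, size_t dst_size, const char *url)
{
    if (dst == NULL || dst_size == 0 || url == NULL)
        return URL_BAD_ARG;

    /* Search for the terminator only within the space that is available. */
    const char *end = memchr(url, '\0', dst_size);
    if (end == NULL) {
        dst[0] = '\0';                 /* leave the buffer in a defined state */
        return URL_TOO_LONG;
    }
    memcpy(dst, url, (size_t)(end - url) + 1);   /* +1 copies the terminator */
    return URL_OK;
}

int main(void)
{
    char buf[URL_BUF_SIZE];
    char long_url[400];                /* constructed over-long input */

    memset(long_url, 'a', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';

    printf("short url: %d\n", copy_url_checked(buf, sizeof buf, "http://example.com/"));
    printf("long url:  %d\n", copy_url_checked(buf, sizeof buf, long_url));
    return 0;
}
```

A URL of 255 characters plus its terminator exactly fills the buffer and is accepted; one more character is rejected.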

Please note that Microsoft has not yet released an official patch for this
vulnerability.

Another patch for the IE vulnerability, called UrlFilter, was released by Abracadabra Solutions [2].
No vulnerability in this patch has been publicly disclosed, but users should be warned that this is not an official Microsoft patch.

Some info about this Microsoft IE vulnerability can be found at [3].

References:

[1] http://www.secunia.com/advisories/10395/

[2] http://www.abracadabrasolutions.com/UrlFilter.htm

[3] http://www.securityfocus.com/archive/1/346948
----------------------------------------------------

Handler on duty: Pedro Bueno (bueno@ieee.org)