
SANS ISC: Non-Microsoft Patch available for IE bug - Internet Security | DShield SANS ISC InfoSec Forums


Non-Microsoft Patch available for IE bug

A patch was released at the OpenSoft website (security.openwares.org)
related to the recently discovered IE URL Spoofing Vulnerability bug [1].

This patch IS NOT an official patch released by Microsoft, and although it
may fix the URL bug, it may also add some additional flaws to Internet
Explorer.

According to a FD poster:

------------------------------------------

Openware.org IE fix introduces new flaws:
- The buffer to copy URLs is limited to 256 bytes

- Larger strings produce a buffer overflow, with possibility to
overwrite the stack.

-------------------------------------------

This patch should be handled with extreme care to avoid future problems.
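
The flaw class the poster describes, as an added C illustration that is not the patch's code and not part of the original post: a fixed 256-byte URL buffer copied without a length check, next to a bounded copy that rejects oversized input. Only the 256-byte size comes from the post; the function names and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256  /* size quoted in the post; all names here are assumed */
enum url_status { URL_OK = 0, URL_TOO_LONG = -1, URL_BAD_ARG = -2 };

/* Flawed pattern, for contrast only (never called here): with no length
 * check, input of URL_BUF_SIZE bytes or more is written past the end of dst. */
void copy_url_unchecked(char dst[URL_BUF_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Bounded form. It rejects instead of truncating: a silently shortened URL
 * is a different URL, which matters in code meant to fix URL spoofing. */
enum url_status copy_url_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return URL_BAD_ARG;
    /* No NUL within the first dst_size bytes means string plus terminator
     * cannot fit; memchr never looks past that window. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {
        dst[0] = '\0';
        return URL_TOO_LONG;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);
    return URL_OK;
}

/* Builds a constructed URL of exactly n bytes and runs the checked copy. */
enum url_status try_url_of_length(size_t n)
{
    char src[1024] = {0}, dst[URL_BUF_SIZE];
    if (n < 7 || n >= sizeof src)
        return URL_BAD_ARG;
    memset(src, 'a', n);
    memcpy(src, "http://", 7);
    enum url_status st = copy_url_checked(dst, sizeof dst, src);
    return (st == URL_OK && strcmp(dst, src) != 0) ? URL_BAD_ARG : st;
}

int main(void)
{
    size_t lengths[] = { 255, 256, 300 };  /* largest that fits, first too long, larger */
    for (size_t i = 0; i < 3; i++)
        printf("%zu bytes -> %d\n", lengths[i], (int)try_url_of_length(lengths[i]));
    return 0;
}
```

The boundary is the case to test in any such fix: 255 bytes plus the terminator fills the buffer exactly, and 256 bytes must already be refused.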

Please note that Microsoft has not yet released an official patch for this
vulnerability.

Another patch for the IE vulnerability was released by Abracadabra Solutions [2], called UrlFilter.
No vulnerability in this patch has been publicly disclosed, but users should be warned that this is not an official Microsoft patch.

Some info about this Microsoft IE vulnerability can be found at [3].

References:

1- http://www.secunia.com/advisories/10395/

2- http://www.abracadabrasolutions.com/UrlFilter.htm

3- http://www.securityfocus.com/archive/1/346948
----------------------------------------------------

Handler on duty: Pedro Bueno (bueno@ieee.org)