
SANS ISC: Non-Microsoft Patch available for IE bug SANS ISC InfoSec Forums

Non-Microsoft Patch available for IE bug

A patch was released at the OpenSoft website (
related to the recently discovered IE URL Spoofing Vulnerability bug [1].

This patch IS NOT an official patch released by Microsoft, and although it
may fix the URL bug, it may also add some additional flaws to Internet

According to a FD poster:

------------------------------------------
IE fix introduces new flaws:
- The buffer to copy URLs is limited to 256 bytes
- Larger strings produce a buffer overflow, with possibility to
  overwrite the stack.


This patch should be handled with extreme care to avoid future problems.
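
The flaw class the poster reports, shown as an added example (this is not code from the third-party patch, whose source does not appear on this page). The function names and the strcpy-based unsafe form are assumptions; only the 256-byte buffer size comes from the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE 256   /* buffer size quoted in the FD post */

/* Assumed shape of the flaw (the patch's source is not on this page):
 * a copy into a fixed buffer with no length check. */
void copy_url_unsafe(char dst[URL_BUF_SIZE], const char *url)
{
    strcpy(dst, url);      /* writes past dst once strlen(url) >= 256 */
}

/* Hardened form: find the terminator within dstsize bytes first and
 * refuse anything that does not fit. Returns 0 on success, -1 otherwise.
 * Rejecting rather than truncating matters in a URL filter: a truncated
 * URL is a different URL from the one the browser will actually load. */
int copy_url_checked(char *dst, size_t dstsize, const char *url)
{
    const char *end;

    if (dst == NULL || dstsize == 0)
        return -1;
    dst[0] = '\0';                     /* never leave dst uninitialised */
    if (url == NULL)
        return -1;
    end = memchr(url, '\0', dstsize);  /* scans at most dstsize bytes */
    if (end == NULL)                   /* no room for the NUL: too long */
        return -1;
    memcpy(dst, url, (size_t)(end - url) + 1);
    return 0;
}

int main(void)
{
    char buf[URL_BUF_SIZE];
    char big[300];                     /* constructed over-long input */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short URL: %d\n", copy_url_checked(buf, sizeof buf, "http://example.com/"));
    printf("300 bytes: %d\n", copy_url_checked(buf, sizeof buf, big));
    return 0;
}
```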

Please note that Microsoft has not yet released an official patch for this

Another patch for the IE vulnerability was released by Abracadabra Solutions [2], called UrlFilter.
No vulnerability in this patch has been publicly disclosed, but users should be warned that this is not an official Microsoft patch.

Some info about this Microsoft IE vulnerability can be found at [3].





Handler on duty: Pedro Bueno (

Dec 19th 2003
