
Fix released for flawed open source IE fix

But we're still waiting for the official Microsoft patch...

By Munir Kotadia

Published: 23 December 2003 09:05 GMT

A website that published a third-party patch to fix a security flaw in Microsoft's Internet Explorer has had to re-issue the patch after the original was found to be flawed.

Openwares.org published the second patch on Saturday after the first was found to contain a buffer-overflow vulnerability. That flaw could allow an attacker to take control of the patched PC, which might have been far more damaging than the problem the patch was trying to fix.

According to Openwares, only about 6,500 people downloaded the original patch. Security experts that silicon.com's sister site ZDNet spoke to last week warned against installing the patch, saying that, aside from trust issues, the patch author would not have had access to IE source code, so the patch could interfere with future updates from Microsoft.

The Internet Explorer flaw, first reported in late November, allowed a browser to display one URL in the address bar while the page being viewed was actually hosted elsewhere, making users more susceptible to ruses such as phishing. However, Openwares.org's first fix, which worked by filtering out any URLs containing suspicious characters, worked only with addresses of less than 256 bytes; longer addresses produced a buffer overflow.
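The article describes the defect only in outline: a URL filter that copied each address into a fixed 256-byte buffer without checking its length. The following C program is an added illustration, not code from Openwares.org or from the article, of how such a filter can be written so that its verdict does not depend on the address length. The article does not say which characters the original patch treated as suspicious, so this example assumes ASCII control bytes (raw or percent-encoded); the sample URLs are constructed for the demonstration. It also shows the fixed-buffer variant with the missing length check added, so an oversize address is rejected instead of being written past the end of the buffer.

```c
#include <stddef.h>
#include <string.h>

/* The fixed buffer size the article attributes to the flawed patch. */
#define URL_BUF_SIZE 256

enum url_verdict { URL_OK = 0, URL_SUSPICIOUS = 1, URL_TOO_LONG = 2 };

/* Assumption: "suspicious" means an ASCII control byte (0x00-0x1F or 0x7F).
   The article does not name the characters the original filter looked for. */
static int is_control_byte(unsigned int c)
{
    return c < 0x20 || c == 0x7F;
}

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Length-independent filter: scans the string where it lives and copies
   nothing, so there is no buffer to overflow. Percent-encoded control
   bytes are flagged as well, since a filter that only looks at raw bytes
   is trivially bypassed by encoding. */
enum url_verdict filter_url(const char *url)
{
    const unsigned char *p = (const unsigned char *)url;
    for (; *p; p++) {
        if (is_control_byte(*p))
            return URL_SUSPICIOUS;
        if (*p == '%' && p[1] != '\0' && p[2] != '\0') {
            int hi = hex_val(p[1]), lo = hex_val(p[2]);
            if (hi >= 0 && lo >= 0 && is_control_byte((unsigned)(hi * 16 + lo)))
                return URL_SUSPICIOUS;
        }
    }
    return URL_OK;
}

/* Fixed-buffer variant, as the original patch is described, but with the
   length check it lacked: input that does not fit (including its NUL
   terminator) is rejected rather than written past the end of buf. */
enum url_verdict filter_url_bounded(const char *url, char *buf, size_t buf_size)
{
    size_t len = 0;
    while (len < buf_size && url[len] != '\0')
        len++;
    if (len == buf_size)
        return URL_TOO_LONG;          /* no room for the terminator */
    memcpy(buf, url, len + 1);
    return filter_url(buf);
}

/* Constructed sample inputs (not from the article). */
const char *SAMPLE_PLAIN   = "http://example.com/path?q=1";
const char *SAMPLE_CONTROL = "http://example.com/\x01/path";   /* raw 0x01 */
const char *SAMPLE_ENCODED = "http://example.com/%01/path";    /* encoded 0x01 */

/* Builds a harmless URL of exactly total_len bytes into dst (dst must hold
   total_len + 1 bytes). Used to exercise the 256-byte boundary. */
static void make_long_url(char *dst, size_t total_len)
{
    const char *prefix = "http://example.com/";
    size_t pl = strlen(prefix);
    memcpy(dst, prefix, pl);
    memset(dst + pl, 'a', total_len - pl);
    dst[total_len] = '\0';
}

/* A 300-byte address through the in-place filter: harmless content, so OK. */
enum url_verdict check_long_url_in_place(void)
{
    char long_url[400];
    make_long_url(long_url, 300);
    return filter_url(long_url);
}

/* The same 300-byte address through the bounded fixed-buffer variant:
   rejected as too long instead of overflowing the 256-byte buffer. */
enum url_verdict check_long_url_bounded(void)
{
    char long_url[400];
    char buf[URL_BUF_SIZE];
    make_long_url(long_url, 300);
    return filter_url_bounded(long_url, buf, sizeof buf);
}

int main(void)
{
    return filter_url(SAMPLE_PLAIN) == URL_OK &&
           filter_url(SAMPLE_ENCODED) == URL_SUSPICIOUS &&
           check_long_url_bounded() == URL_TOO_LONG ? 0 : 1;
}
```

The point of the two variants is that the verdict never depends on where the address sits in memory: the in-place scan handles a 300-byte URL the same way as a 30-byte one, and the bounded variant returns URL_TOO_LONG rather than silently accepting, truncating, or overrunning. A production filter would also have to agree with the browser's own URL parser about decoding and canonicalisation, which is exactly the kind of knowledge the experts quoted above said a third-party author lacks.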

Openwares.org's administrator said: "The new version has been re-written and tested by dozens of users who helped out. If you're unsure, look at the new source code for yourself." By Monday lunchtime there had been 2,500 downloads of the new patch, but this is a minute fraction of IE users, who make up more than 90 per cent of the internet population.

Microsoft has still not released a fix for the problem or given any indication as to when it will be available. In October, Microsoft adopted a policy of releasing only one patch each month, but it has already announced it will be skipping its December release, so IE is expected to remain vulnerable until at least mid-January 2004.

Earlier this month, weeks after the IE flaw was discovered, Iain Mulholland, security programme manager for Microsoft, said the company was putting heavy emphasis on increasing the quality of its patches, and that this had had an effect on release timing. "It is not that we are not doing anything, it's just that we don't have a patch ready in the pipeline," he said.

Normally, spending one or two months developing a patch would go unnoticed, because security flaws are usually reported to Microsoft long before they are made public; in this case, however, the software giant did not get any advance notice. "They put Microsoft's nose out of joint by publishing it, rather than telling Microsoft first and keeping quiet for the requisite six weeks," said Graham Titterington, principal analyst at Ovum.

Munir Kotadia writes for ZDNet UK. CNET News.com's Robert Lemos contributed to this report.
