‘Open source’ IE patch withdrawn for further patching
Thanks, but no thanks
The third-party 'open source' patch for Internet Explorer that we told you about earlier today, contains more than a few potentially nasty surprises. As we noted, German tech site Heise had already warned of dangerous buffer overflows.
Openwares.org, a month-old site which boasts "Software is free" today published source code and a binary executable purporting to fix a loophole in Internet Explorer for Windows. It's unusual, but not unprecedented, for third parties to issue their own fixes for Microsoft's exploit-riddled browser. But Heise advises that this patch could be more trouble than it's worth, and the fix has already been taken in for some maintenance.
"This patch addresses a vulnerability in Microsoft Internet Explorer that could allow hackers and con-artists to display a fake URL in the address and status bars. The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in a URL," according to a release note accompanying the patch.
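A defender-side check for the pattern the release note describes, added here as an example (it is not the Openwares patch or any of its code): it splits the URL's authority at the last "@", decodes the userinfo, and flags any "%00"/"%01" control characters that would have truncated what the address bar displayed. The sample URLs use the documentation address 203.0.113.5 and are constructed for this example.

```python
from urllib.parse import urlsplit, unquote


def analyse_url(url: str) -> dict:
    """Classify a URL for the userinfo + %00/%01 address-bar spoof.

    Returns the host a naive reader would take from the start of the
    authority ("displayed_host"), the host a client really connects to
    ("real_host"), and whether the userinfo hides control characters.
    """
    authority = urlsplit(url).netloc
    userinfo, at, hostport = authority.rpartition("@")
    real_host = hostport.split(":", 1)[0].lower()
    if not at:
        # No userinfo at all: nothing to hide the real host behind.
        return {"displayed_host": real_host, "real_host": real_host,
                "has_userinfo": False, "suspicious": False}
    decoded = unquote(userinfo)
    # The spoof relied on %00/%01 decoding to C0 control characters at
    # which the address bar stopped rendering, so the "@real-host" part
    # after them was never shown to the user.
    cut = next((i for i, ch in enumerate(decoded) if ord(ch) < 0x20), None)
    shown = decoded if cut is None else decoded[:cut]
    return {"displayed_host": shown.split(":", 1)[0].lower(),
            "real_host": real_host,
            "has_userinfo": True,
            "suspicious": cut is not None}


# Constructed sample URLs for the example (203.0.113.5 is a documentation address).
SAMPLE_URLS = [
    "http://www.example-bank.com%01@203.0.113.5/login",   # spoof pattern
    "http://www.example-bank.com%00@203.0.113.5/login",   # spoof pattern
    "http://user:secret@203.0.113.5/",                    # ordinary userinfo
    "http://www.example-bank.com/login",                  # no userinfo
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse_url(u)
        flag = "SPOOF" if r["suspicious"] else "ok"
        print(f"{flag:5} shown={r['displayed_host']!r} real={r['real_host']!r}  {u}")
```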
Unfortunately, the authors of the patch also enabled a Windows Registry key used by spyware, IEmsg.dll.
"When we're absulotly [sic] sure that the code is bulletproof we'll re-release it," says Openwares's forum administrator.
There's little that could make Microsoft's security and patching mechanisms look good right now. But this could just do the trick.
"Wow, this was a truly poor attempt at a fix. Buffer overflows, memory leaks, and a nice liveupdate.exe hidden in the registry. I thought proprietary Microsoft software was bad!" writes one poster.
Do any readers have more information to share about the mysterious Openwares site? As a helpful reader points out, this is not Open Source, and the code has not been distributed under an OSS license.
"All the best for flying the Open Source flag :-) " writes a poster - the only poster - in the OpenWares "feedback" forum. ®