The Register®

Biting the hand that feeds IT

‘Open source’ IE patch withdrawn for further patching

Thanks, but no thanks

By Andrew Orlowski in San FranciscoGet more from this author

Posted in Security, 19th December 2003 22:11 GMT

The third-party 'open source' patch for Internet Explorer that we told you about earlier today, contains more than a few potentially nasty surprises. As we noted, German tech site Heise had already warned of dangerous buffer overflows.

Openwares.org, a month-old site which boasts "Software is free" today published source code and a binary executable purporting a href="http://www.openwares.org/index.php?option=com_remository&Itemid=&func=fileinfo&parent=folder&filecatid=17" target="_blank">to fix a loophole in Internet Explorer for Windows. It's unusual, but not unprecedented, for third parties to issue their own fixes for Microsoft's exploit-riddled browser. But Heise advises that this patch could be more trouble than it's worth, and the fix has already been taken in for some maintenance.

"This patch addresses a vulnerability in Microsoft Internet Explorer that could allow Hackers and con-artists to to display a fake URL in the address and status bars. The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL," according to a release note accompanying the patch.

Unfortunately, the authors of the patch also enabled a Windows Registry key used by spyware. IEmsg.dll.

"When we're absulotly [sic] sure that the code is bulletproof we'll re-release it," says Openwares's forum administrator.

There's little that could make Microsoft's security and patching mechanisms look good right now. But this could just do the trick.

"Wow, this was a truly poor attempt at a fix. Buffer overflows, memory leaks, and a nice liveupdate.exe hidden in the registry. I thought proprietary Microsoft software was bad!" writes one poster.

Do any readers have more information to share about the mysterious Openwares site? As a helpful reader points out, this is not Open Source, and the code has not been distributed under an OSS license.

"All the best for flying the Open Source flag :-) " writes a poster - the only poster - in OpenWares "feedback" forum. ®

Free Report - "High-level Best Practices in Software Configuration Management: How to deploy SCM software to the maximum advantage"

40 years of software engineering

Cold War, Nato and the geeks

China melamine scare

Bad science and food poisoning

Don’t Miss

Warning: roadworksNetbooks and Mini-Laptops

Buyer's Guide They're little and we love 'em. But which ones are best?

How the fate of the US economy rests on a Dell workstation

Quick, someone send Bernanke a supercomputer

Hard DriveHow many terabytes can you fit on a 2.5-inch hard drive?

Fun with areal densities

Flag ChinaChina's nonstop music machine

Exclusive Baidu versus business