Feeds

‘Open source’ IE patch withdrawn for further patching

Thanks, but no thanks

  • alert
  • submit to reddit

Combat fraud and increase customer satisfaction

The third-party 'open source' patch for Internet Explorer that we told you about earlier today, contains more than a few potentially nasty surprises. As we noted, German tech site Heise had already warned of dangerous buffer overflows.

Openwares.org, a month-old site which boasts "Software is free" today published source code and a binary executable purporting to fix a loophole in Internet Explorer for Windows. It's unusual, but not unprecedented, for third parties to issue their own fixes for Microsoft's exploit-riddled browser. But Heise advises that this patch could be more trouble than it's worth, and the fix has already been taken in for some maintenance.

"This patch addresses a vulnerability in Microsoft Internet Explorer that could allow Hackers and con-artists to to display a fake URL in the address and status bars. The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL," according to a release note accompanying the patch.

Unfortunately, the authors of the patch also enabled a Windows Registry key used by spyware. IEmsg.dll.

"When we're absulotly [sic] sure that the code is bulletproof we'll re-release it," says Openwares's forum administrator.

There's little that could make Microsoft's security and patching mechanisms look good right now. But this could just do the trick.

"Wow, this was a truly poor attempt at a fix. Buffer overflows, memory leaks, and a nice liveupdate.exe hidden in the registry. I thought proprietary Microsoft software was bad!" writes one poster.

Do any readers have more information to share about the mysterious Openwares site? As a helpful reader points out, this is not Open Source, and the code has not been distributed under an OSS license.

"All the best for flying the Open Source flag :-) " writes a poster - the only poster - in OpenWares "feedback" forum. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.