An open source and freeware outfit on Friday issued a patch for a URL-spoofing
security hole in Microsoft’s Internet Explorer browser but developers are warning that the patch has some problems of its own.
Just hours after OpenWares posted its IE patch, techies noticed the
OpenWares fix contained a buffer overflow vulnerability and a mechanism that
funneled information back to the open-source group.
OpenWares confirmed the buffer overflow problems and promised a newer
version would be released.
Because URL-spoofing is a technique used by scammers to trick
unsuspecting surfers into giving up sensitive information such as credit card and social security numbers, security researches have slapped a “high risk” rating on the flaw but an official fix from Microsoft
has not yet been released.
Microsoft confirmed the existence of the browser problem and promised a patch would be issued. But the release of a problematic fix by a third-party outfit underscores another twist in an already complex effort by the company to get software patches out in a timely manner.
The URL-spoofing flaw is not the first Microsoft security bug that
remains unpatched. Last month, Chinese researcher Liu Die Yu warned of five serious
IE vulnerabilities that could lead to system takeover.
Yu’s warning was released on several public mailing lists and carried a ‘critical’ warning that the flaws could lead to system access, exposure of sensitive information, cross site scripting and security bypass.’
The public release of proof-of-concept exploits before fixes are issued is an ongoing issue is the security industry where independent researchers are chided for jumping the gun with vulnerability alerts. On the other hand, the researchers say software vendors repeatedly ignore private warnings to avoid the PR backlash associated with product flaws.