Microsoft Slow to Patch IE Security Loophole
2006-03-29. Posted by clype in Articles of Interest, Gizmo.
Security firms have released ‘patches’ for a critical loophole in ‘Microsoft’s’ browser that leaves users open to attack. The release pre-empts ‘Microsoft’, which is not due to release a fix for the bug until 2006-04-11. The security firms said the ‘patches’ were needed because hundreds of websites had been created to exploit the loophole. But ‘Microsoft’ said it did not recommend that users apply the ‘patches’.
In late 2006-03, three security loopholes were found in ‘Microsoft’s’ ‘Internet Explorer’ browser by security firms. The most serious of the three, known as the ‘CreateTextRange bug’, allowed malicious hackers to take over a PC if it was used to visit specially crafted webpages. Now two firms, ‘eEye Digital Security’ and ‘Determina’, have separately produced software patches that close this loophole. Earlier, ‘Microsoft’ said it would produce a ‘patch’ in time for the next scheduled ‘Windows security update’ that falls on 2006-04-11. Mr. Marc Maiffret, ‘eEye’s’ co-founder and chief hacking officer, said its patch was a stop-gap prior to the official version from ‘Microsoft’. He said ‘eEye’s’ ‘patch’ would disable itself once the official version was released and installed.
‘Microsoft’ said it could not endorse the ‘patches’ or recommend that users install them as they had not been through the software giant’s testing and evaluation program. Although ‘Microsoft’ has played down the threat from people exploiting this loophole, others have found hundreds of websites built to take advantage of the bug in the ‘IE’ web browser. ‘Websense’ said it had seen more than 200 unique web links that were trying to catch people out using the loophole. On its security blog, ‘Microsoft’ said it was working with law enforcement to shut down websites created to exploit the bug.