Security Firm Releases Patch For Zero-Day IE Flaw - InformationWeek
IoT
IoT
News
News
3/28/2006
06:26 PM
50%
50%

Security Firm Releases Patch For Zero-Day IE Flaw

eEye's patch is meant as a placeholder until Microsoft releases a permanent fix, which is expected by April 11.

EEye Digital Security has released a temporary patch for a zero-day vulnerability in Internet Explorer that is being used by malicious Web sites to install spyware on users' computers, officials said Tuesday.

The eEye patch is meant as a placeholder until Microsoft Corp. releases a permanent fix, which is expected by April 11, Marc Maiffret, co-founder and chief hacking officer of eEye, based in Aliso Viejo, Calif., said. At that time, users of the eEye patch are advised to use the add/remove program in Windows to delete the fix before installing the Microsoft patch.

Meanwhile, Websense Inc. said Tuesday that the number of Web sites exploiting the vulnerability has declined from the 200 reported Monday. However, Dan Hubbard, senior director of security at the San Diego-based company, said he has seen an increase in the number of different exploits, indicating that more people or groups are writing code to take advantage of the flaw. As a result, the number of malicious Web sites was expected to increase.

The vulnerability, called the CreateTextRange bug, enables hackers to exploit active scripting in IE to install keystroke loggers and other malicious software. Active scripting is a Microsoft technology that allows different software components to interact over the Internet.

The eEye patch analyzes a computer for the vulnerability, which is in IE 5.01, 6.0, and the January version of IE 7 Beta 2 Preview. The application makes a backup of the flawed code, patches the vulnerability in the original and deploys it.

EEye released the patch at the request of customers, the majority of whom use the company's vulnerability assessment product, Maiffret said. EEye also makes software for detecting and blocking malicious Web sites.

"We decided it would be crazy not to provide a work around, since we already have a product that protects against the flaw," Maiffret said. "The patch is a slimmed down version."

The IE vulnerability allows for remote code to be executed on the computer visiting a malicious Web site. Experts believe people are most likely being lured to the sites through spam.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll