Establishing Digital Trust: Don't Sacrifice Security for Convenience
The release of two third-party patches to fix serious security holes in the Internet Explorer browser is a "side-effect of Microsoft not being able to protect its users," according to Marc Maiffret, an executive of one of the companies releasing free security software this week.
EEye says its free patch has been downloaded more than 63,000 times since becoming available Monday. The software addresses what Maiffret, the firm's co-founder, in a statement called a "critical vulnerability that needs to be addressed immediately."
Maiffret said since the vulnerability became public last week, hundreds of Web sites have included code that exploits the hole in how IE processes the "createTextRange()" tag.
On the heels of eEye's patch, another unofficial solution came from Determina, a Redwood City, Calif., security company.
The patches come just months after the last third-party fix for a Microsoft flaw was adopted.
In January, Russian software developer Ilfak Guilfanov offered a patch to solve a hole in Windows Metafile (WMF). The third-party solution was adopted by SANS and security firm F-Secure. At one point, the crush of people attempting to download the patch crashed the software developer's Web site.
Microsoft, for its part, Tuesday updated its security advisory, noting it has "confirmed new public reports of a vulnerability" in IE.
The software giant said a cumulative patch is on schedule for April, "or sooner as warranted."
"If it were up to Microsoft, you would be vulnerable for 16 days," Maiffret said. Microsoft's patching schedule "is not timely enough."
The eEye and Determina patches are meant as temporary fixes and are designed to stop working once Microsoft's official patch is released.