Open-source group issues Microsoft patch

An open-source software development group posted a file on its Web site this week it claims will patch a recently disclosed security hole in Microsoft Corp.'s Internet Explorer (IE) Web browser that allows online scam artists to fake Web page addresses.

The decision by Openwares.org to publish the IE patch is just the latest example of third parties preempting Microsoft with fixes for security holes in the company's products. But one security expert warns that installing the unauthorized patch could introduce more problems than it solves and advises Microsoft customers to wait for an official fix from the Redmond, Washington, company.

The file, called IEpatch.exe, appeared on Monday on Openwares.org, a public open source and free software development Web site. IDG News Service e-mailed requests seeking comment to representatives from Openwares.org, which is registered to an individual named Ori Rejwan in Tel Aviv, Israel, but they were not immediately answered. Microsoft declined to comment on the patch Friday.

The patch is said to fix a vulnerability that surfaced Dec. 9 and allows attackers to use special characters in a URL (uniform resource locator) to display a domain name of their choice in the Internet Explorer address and status bars, which Internet users rely on to tell them which Web site they are visiting.

The new security hole was first publicized in a message posted to online discussion groups that focus on computer security. A demonstration of the uses of the vulnerability was also provided by the message's author at http://www.zapthedingbat.com/security/ex01/vun1.htm, which showed how a suspicious Web address such as "http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm" could be displayed as "www.microsoft.com" in the IE address field, making users think they were viewing Microsoft's Web site.

The vulnerability could be exploited by those who run "phishing" Web sites, which mimic legitimate sites to capture personal account information. With the new vulnerability, phishing site operators could also use the actual address to disguise their sites, adding to the ruse, security experts warn.

The source code for the IE patch was posted along with the patch, but no information was provided on how the patch fixes Internet Explorer or changes the program's configuration to prevent the URL spoofing vulnerability from being used.

In addition, a review of the patch from the German online technology review publication, Heise Zeitschriften Verlag, which appeared on the Web site www.heise.de, claims the patch is poorly written and contains its own buffer overflow vulnerability, which could enable an attacker to take control of the machine that installs the patch. (http://www.heise.de/newsticker/data/dab-19.12.03-002.)

IE users are better off waiting for Microsoft to issue an official patch for the URL problem than installing the Openwares.org fix, said Richard Smith, an independent security consultant in Boston.

While the vulnerability could make it possible for phishing sites to appear even more authentic, most victims of such sites are already fooled by similar Web page graphics and Web addresses that approximate the site they are spoofing, and don't scrutinize the address, he said.