Re: Patches released for zero-day IE threat...

Imhotep wrote:
UPDATE: Hundreds of malicious Web sites are attempting to exploit the most
critical of two flaws announced last week in Microsoft's browser,
convincing two companies to release workarounds late Monday to head off the
threat.

http://www.securityfocus.com/news/11384?ref=rss

Im

Here is ISC's take on the temporary patches... Source :
http://isc.sans.org/diary.php?date=2006-03-28

Temporary Patches for createTextRange Vulnerability
Published: 2006-03-28,
Last Updated: 2006-03-28 18:26:03 UTC by Johannes Ullrich (Version: 1)

Eeye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.

At this point, we do not recommend applying this temporary patch for a number of reasons:

The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.

We have not been able to vet the patch. However, source code is available for the eEye and the Detmina patch (for Determina: the source is part of the MSI file. for eEye: The source code is available as a seperate file)

Exploit attempts are so far limited. But this could change at any time.
Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft.

We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be release no later then the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

Please let us know about issues (or successful installs) of either patch. We will summarize issues here.



This is one site that I do trust with my security. If they say don't
use IE at all, then I won't use it. If they say follow Microsoft's
advice, then that's my recommendation. And, for the people who will say
that they are a "Microsoft Puppet", they were extremely critical of how
Microsoft handled the WMF vulnerability. Just go back through their
archives and look.

Patrick.

P.S. Nice false follow-up. It almost tricked me into not being able to
post my reply.
.