Open-source IE patch hits trust barrier

Summary: An open-source Web site has published a patch that could fix a vulnerability in Internet Explorer, but software developers and analysts are suspicious

TOPICS: Security
6, an open-source software development Web site, has posted a patch that purports to fix a critical vulnerability in Microsoft's Internet Explorer browser, but software developers and analysts are advising against installing it.

The vulnerability in question allows IE to display one URL in the address bar while the page being viewed is actually hosted elsewhere. This makes users more susceptible to ruses such as phishing, in which online-banking users receive emails that seem to have been sent by their bank, asking them to click on a link in order to visit the bank's Web site and "confirm" their security access details. Crude phishing attempts are obvious because the address bar in Internet Explorer would show a URL different to that of the bank, but elaborate phishing schemes could exploit the IE vulnerability and therefore make the ploy more plausible.

Despite the apparent attraction of downloading the patch, for which Microsoft as yet has no equivalent, analysts warned against doing so. Graham Titterington, principal analyst at Ovum, is suspicious of the update and advises companies to wait until Microsoft releases an official patch: although the patch may work, it could cause problems with future Microsoft updates. "They don't have access to the source code and Microsoft does," said Titterington. "Even if it is a bona fide patch and it works, how compatible will it be with future Microsoft patches that come along?"

According to, the patch has been downloaded around 1,000 times since it was published on Monday. The site publishes software that has been written and submitted by its readers, raising concerns on developer discussion groups about the motivations of the writer. Some developers are wary of the patch because its code sends URLs back to the author's servers, which could be a privacy threat in itself. Advocates say such action may well be necessary to help the code do its job, particularly since only suspect URLs were redirected. And some contributors welcomed the patch because although it has been almost two weeks since Microsoft admitted the vulnerability exists, it has not yet released its own fix.

But Titterington advises companies to wait for the official patch from Microsoft: "Microsoft is going to have to patch it -- this came into the public domain with MS unprepared so there will be a time lag involved, so organisations are advised to sit tight and wait for Microsoft patch to come along," he said.

Microsoft was unable to comment on its progress towards a patch, or to advise whether the open-source patch should be used; but on the company's Knowledge Base support Web site, among other workarounds, users are advised to view links in Notepad before clicking on them, to identify the actual destination. One basic rule of thumb says that if the URL contains "%00", "%01" or "@" characters it is suspicious; if it does not, it is probably safe to click. Alternative browsers, such as Mozilla and Opera, are not affected by the problem.
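One way to apply the Knowledge Base rule of thumb quoted above, and to see which host a link would actually reach, as an added Python example (not code from the article or from the open-source patch; the message body and host names are constructed):

```python
import re
from urllib.parse import urlsplit

# Constructed sample message (not from the article) with one honest link and two links
# built in the shape the Knowledge Base warns about: the bank's name sits in the user-info
# part before "@", padded with %00/%01, while the real host follows the "@".
SAMPLE_MESSAGE = """Dear customer, please confirm your details:
<a href="http://www.example-bank.test%01@attacker.test/login">Login</a>
Our help page: http://www.example-bank.test/help
Alt: http://www.example-bank.test%00@attacker.test/"""

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")
MARKERS = ("%00", "%01", "@")


def check_link(url: str) -> dict:
    """Apply the article's rule of thumb (%00, %01 or @ means suspicious)
    and report which host the link would really contact."""
    markers = [m for m in MARKERS if m in url]
    parts = urlsplit(url)
    userinfo, _, _ = parts.netloc.rpartition("@")  # empty when there is no "@"
    # The user-info part is what a spoofed link wants the reader to take for the site name.
    bait = userinfo.replace("%00", "").replace("%01", "")
    return {
        "url": url,
        "suspicious": bool(markers),
        "markers": markers,
        "bait": bait,
        "actual_host": parts.hostname or "",
    }


def scan_message(text: str) -> list:
    """Extract every http(s) link from a message body and check each one."""
    return [check_link(u) for u in LINK_RE.findall(text)]


if __name__ == "__main__":
    for r in scan_message(SAMPLE_MESSAGE):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        shown = r["bait"] or r["actual_host"]
        print(f"{flag:10} shown as {shown:25} really {r['actual_host']}")
```

The rule flags any "@", so a legitimate link carrying HTTP credentials is reported too; the "actual_host" field is what tells the two cases apart.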

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • Let's see, these 'analysts' think it is better to wait for that indefinite, golden moment when Microsoft will deign to release a fix, than to make use of a fix that's available now? A fix that is completely transparent and auditable? HAHAHAHAHA what a bunch of maroons

    Though the real maroons are people who continue to use Internet Explorer. I think any IT dept. that lets users use IE is guilty of malpractice. Use Mozilla, use Opera. use anything but IE. How many times do people have to get hosed by insecure, buggy software before they make a change? Infinity + 1, apparently.
  • It's a bit ridiculous that MS hasn't yet released a patch for this vulnerability. MS and the proponents of proprietary software should see what's happening here: you're being upstaged at your own game on your own field by programmers you've tried to characterize as malcontent losers. I suspect we'll be seeing more of this in the future. Furthermore, the article mentions that trust is an issue, but the source code -- the individual lines of code that make the program do what it does -- is freely available to all for inspection. Sunshine has a way of exposing problems when they exist.
  • Yeah, right. Trust Microsoft instead. What a bunch of Maroons!
  • Looking at the source I don't see anything suspicious. The link to their own website just reports the spoofed URL so they can show the user what's going on. They could log this information, but what harm can you do with that?
    The only thing I don't know is how the patch is integrated in IE. I simply don't have the knowledge of how this works. Maybe someone can explain that part of the source to me. The way they do this might pose a problem when you're installing future MS patches or might break other things, so that might be a good reason for not installing this patch.

    Just one more thing: Their source code is open, but not as open as one would expect. Just look at this comment in the code:

    // ---------------------------------------------
    // Terms of Agreement:
    // ---------------------------------------------
    // By using this source code, you agree to the
    // following terms:
    // 1) You may use the source code, resource
    // files for educational purposes only.
    // 2) You MAY NOT redistribute this source code
    // without written permission. Failure to do
    // so is a violation of copyright laws.
    // 3) The author of this code may have retained
    // certain "additional copyright rights".
    // If so, this is indicated in the author's
    // description.

    This means you cannot base your own patch on this code without permission. Not a big issue in this case, but still it is one...
  • The patch works by grabbing any URL that is clicked and checking it before IE gets its hands on it.

    The patch checks to see if it's one of these tricky URLs; if it is, it redirects you to the site to tell you what's happened.

    If not, then it simply gives the URL to IE to process as normal.

    The patch simply uses the standard MS API, and does not actually alter the code of IE; it's a separate program (think Google Toolbar). So the idea that it would be a problem when an official patch comes out is incorrect.

    These people are just morons. How they get their jobs is beyond me; they obviously don't know a damn thing about programming.
  • Yeah, these analysts just don't want to get their fingers burned if anything does go wrong.

    Finding workarounds and patches for Microsoft bugs has been a staple of many a programmer's job for the best part of 20 years. That using an undocumented feature may cause you trouble when MS can be bothered to provide a fix or an upgrade is just part of the game - I can't see that many non-technical users are going to download an open-source patch in any case, so I don't see a problem at all. Caveat Emptor, obviously, but then if it's free open-source I don't suppose you're really emptoring are you?