Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Third-Party IE Patches Moving Fast As Spam Attack Starts

Tens of thousands of Internet Explorer users aren't waiting for Microsoft Corp. to provide a patch for the critical bug in their browser, and have instead installed unsanctioned fixes from security companies.

On Thursday, a spokesperson for eEye Digital Security said that its workaround had been downloaded by more than 94,000 users, while another security vendor warned that attackers were drawing people with a large-scale spam campaign to malicious Web sites which exploit the flaw.

The vulnerability is in IE's processing of the "createTextRange()" JavaScript method call, and is currently being exploited by hundreds of Web sites, including legitimate sites that have been compromised by hackers. Security organizations have tagged the zero-day bug with "extremely critical" labels, and Microsoft has promised it will patch the flaw no later than April 11, its next regularly-scheduled update.

As in the Windows Metafile (WMF) vulnerability and outbreak of December and January, others have stepped in where Microsoft has been unable to tread. Then, independent researcher Ilfak Guilfan created an unsanctioned patch for the problem. This time, two companies, eEye Digital Security of Aliso Viejo, Calif. and Redwood City, Calif.-based Determina, have proffered patches.

Determina was not able to provide a tally of the number of users who have downloaded its fix.

  • 1