
By Joris Evers
Posted on ZDNet News: Mar 28, 2006 2:35:00 AM

eEye Digital Security released a temporary fix on Monday for Internet Explorer to combat attacks that exploit a recently disclosed security hole in the browser.

The unofficial fix blocks access to the vulnerable component in the Microsoft Web browser, preventing malicious Web sites from taking advantage of the vulnerability, said Steve Manzuik, security product manager at eEye in Aliso Viejo, Calif. Microsoft does not have a fix for the flaw available yet.

Though eEye's patch does protect PCs against attacks that take advantage of the flaw, the company recommends installing the fix only as a last resort. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," Manzuik said. Disabling Active Scripting is Microsoft's suggested work-around.
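As an added example that is not part of the article, the following PowerShell script audits the Internet Explorer zone setting behind Microsoft's suggested work-around (Active Scripting) and can tighten it for the Internet zone. It assumes the standard IE zone registry layout, in which URL action 0x1400 ("Active scripting") is stored as a DWORD named "1400" under each zone key (0 = Enable, 1 = Prompt, 3 = Disable), and that Group Policy overrides live under the "Policies" hives.

```powershell
# Added example (not eEye's or Microsoft's code): report the Active Scripting
# setting of each IE security zone and, with -Disable, set the Internet zone
# to "Disable" for the current user.
# Assumption: value "1400" under each zone key holds the Active Scripting
# action (0 = Enable, 1 = Prompt, 3 = Disable).
param(
    [switch]$Disable   # when set, change the Internet zone value to 3 (Disable)
)

$zones  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Per-user settings live under HKCU; machine-wide settings and Group Policy
# (assumed "Policies" paths) override them, so all four roots are shown.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

foreach ($root in $roots) {
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key = Join-Path $root $id
        if (-not (Test-Path $key)) { continue }
        $item  = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.'1400' } else { $null }
        $label = if ($null -eq $value) { 'not set' }
                 elseif ($labels.ContainsKey($value)) { $labels[$value] }
                 else { "unknown ($value)" }
        $hive  = $root.Split(':')[0] + $(if ($root -like '*Policies*') { ' (policy)' } else { '' })
        '{0,-16} {1,-16} ActiveScripting={2}' -f $hive, $zones[$id], $label

        # Only the Internet zone is tightened: the flaw was reached through
        # arbitrary Web sites, and intranet/trusted zones keep their settings.
        if ($Disable -and $id -eq 3 -and $root -eq $roots[0]) {
            Set-ItemProperty -Path $key -Name '1400' -Value 3 -Type DWord
            '  -> Internet zone Active Scripting set to Disable for the current user'
        }
    }
}
```

Run without arguments to audit only; a policy-hive value takes precedence over the per-user value, so a "policy" line showing Enable means the per-user change alone is not effective.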

"This patch is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," Manzuik said.

eEye, which makes an intrusion-prevention product called Blink, crafted the fix at the request of its customers, Manzuik said. "Customers who don't have Blink deployed yet were looking for a temporary solution," he said. However, eEye has made the fix available for anyone, on its Web site.

Microsoft doesn't recommend installing eEye's fix. "We have not tested this mitigation tool," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "We can't recommend it because we have not tested it...Customers should weigh the risk of applying something like this to their systems."

The vulnerability has to do with how Internet Explorer handles the "createTextRange()" method call in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs, according to security company Websense.

Microsoft has also seen the attacks, but Toulouse said "the spread rate appears to be relatively limited." That means there aren't many new attacks being launched. Microsoft is working with law enforcement to take down Web sites that are hosting the attacks, which are often hacked sites, he said.

WMF flashback
The situation with the createTextRange() bug is reminiscent of another high-profile Windows flaw earlier this year. That flaw was in the way the operating system handled the Windows Meta File image format. A European software developer created a fix, which security experts in an unprecedented move even endorsed.

This time, however, the third-party eEye fix isn't getting the same backing.

"I don't think we will endorse this patch," said Johannes Ullrich, chief research officer at the SANS Institute. "There is no source code available, so we are not able to validate the patch."

eEye originally said it would not make the source code available, but late Monday the company posted the source code on its site.

Also, experts including Ullrich don't see the threat level as equal, because there were no practical work-arounds for the Windows Meta File flaw. "Unlike for WMF, there is a valid work-around here by disabling active scripting...I am not sure if the current situation warrants users to install such a patch."

Ken Dunham, director of the rapid response team at iDefense, also would not recommend the eEye fix. "Every time a company introduces new software into their environment, there are risks involved," he said. "There may be compatibility issues, or it may even introduce new security holes that didn't exist prior to the patching."

Still, if the attacks proliferate, some users may want to test eEye's patch to be ready when there is a more widespread exploit, Ullrich said.

Meanwhile, Microsoft is working on an official fix, which it might release outside of its monthly patch schedule. "The update is still being tested," Toulouse said. "An out-of-band release is still on the table." Microsoft's next "Patch Tuesday" bundle of fixes is scheduled for release April 11.

The last time Microsoft issued a fix early was two months ago, for the WMF bug. That flaw was also being abused to attack Windows users.

The eEye patch was developed to work on computers running Windows with IE 5 or IE 6.
