Open source firm releases patch for IE spoofing flaw

Discussion in 'other security issues & news' started by MickeyTheMan, Dec 18, 2003.

Thread Status:
Not open for further replies.
  1. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    http://www.smh.com.au/articles/2003/12/18/1071337072117.html
    Open source firm releases patch for IE spoofing flaw

    Why couldn't MS come up with it first beats me ;)
     
  2. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Frankly, I would like to learn more about this company before trusting them with a download ...

    After a brief investigation I found the following reasons to avoid this possible crapware:
    -the filename as indicated on the download link on their site gives the impression that it is an official Microsoft patch. I don't think this is an accident.

    http://www.openwares.org/index.php?option=com_remository&Itemid=&func=fileinfo&parent=folder&filecatid=17

    -Apparently the company is foreign owned. The problem with this is that they are beyond the force of our laws and depending on the country who the hell is watching over them?
    The company is a Vanuatuan company, with branches in Israel, the US and France.

    http://groups.google.com/groups?q=openwares.org&hl=en&lr=&ie=UTF-8&oe=utf-8&selm=Pine.LNX.4.58.0312191355460.470%40aselli.local&rnum=2


    -There is a report that it has bugs and may be spyware

    http://groups.google.com/groups?q=openwares.org&hl=en&lr=&ie=UTF-8&oe=utf-8&selm=tIyEb.13691%24ws.1341484%40news02.tsnz.net&rnum=5
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    I will say right out that based upon the things I'm reading about this patch that it should not be used.

    There are questions about the quality of the code, also that this patch may add potential buffer overflows to IE along with a memory leak. There may be issues uninstalling it, as well. People have started looking at the source code and are questioning the programming skills of the coders.

    While this third-party patch may help with the exploit, it may also add additional problems. At this time, I would definitely hold off and wait for more analysis before thinking about using this patch.

    More information on the analysis of this patch here:

    http://www.dslreports.com/forum/remark,8826570~mode=flat
     
  4. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :rolleyes: FYI...interesting read:
    - http://www.theregister.co.uk/content/4/34610.html
    "...An open source and freeware development outfit, Openwares.org, has released a patch for an IE spoofing vulnerability. Unfortunately, it came with its own added buffer overflow vulnerability, together with a mechanism which appears to pass information over to the Openwares' web site...Microsoft itself has...only warned of the vulnerability, and has not issued its own patch yet...If Microsoft needed a case study to illustrate the importance of trustworthy computing and not rushing fixes out before you're absolutely sure of them...this is shaping up to be it..."

    - Edit/add - MS KB 833786 (Apologies, cannot post correct URL link due to board limitations).
     
  5. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    A follow up.
    A cyber-acquaintance who is a computer technician and very knowledgeable about security issues informed me that:
    "I downloaded and installed the patch in a disposable test system, and there is nothing about the authorship, nothing about the spyware, and nothing resembling a EULA."

    This discussion reveals that among other things the patch transmitted the identity of every URL visited by the PC on which it is installed. Its creators installed an upgrade which was supposed to fix it but the upgrade still phones home.

    http://www.moosoft.com/forum/viewtopic.php?p=6101#6101

    I think these reports sort of say it all ... this is a patch from hell!
     
  6. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA