Open source firm releases patch for IE spoofing flaw

http://www.smh.com.au/articles/2003/12/18/1071337072117.html
Open source firm releases patch for IE spoofing flaw

Why couln't MS come up with it first beats me

 

Frankly, I would like to learn more about this company before trusting them with a download ...

After a brief investigation I found the following reasons to avoid this possible crapware:
-the filename as indicated on the download link on their site gives the impression that it is an official Microsoft patch. I don't think this is an accident.

http://www.openwares.org/index.php?option=com_remository&Itemid=&func=fileinfo&parent=folder&filecatid=17

-Apparently the company is foreign owned. The problem with this is that they are beyond the force of our laws and depending on the country who the hell is watching over them?.
The company is a Vaunatian company, with branches in Israel, the US and
France.

http://groups.google.com/groups?q=openwares.org&hl=en&lr=&ie=UTF-8&oe=utf-8&selm=Pine.LNX.4.58.0312191355460.470%40aselli.local&rnum=2


-There is a report that it has bugs and may be spyware

http://groups.google.com/groups?q=openwares.org&hl=en&lr=&ie=UTF-8&oe=utf-8&selm=tIyEb.13691%24ws.1341484%40news02.tsnz.net&rnum=5[/url]

 

FYI...interesting read:
- http://www.theregister.co.uk/content/4/34610.html
"...An open source and freeware development outfit, Openwares.org, has released a patch for an IE spoofing vulnerability. Unfortunately, it came with its own added buffer overflow vulnerability, together with a mechanism which appears to pass information over to the Openwares' web site...Microsoft itself has...only warned of the vulnerability, and has not issued its own patch yet...If Microsoft needed a case study to illustrate the importance of trustworthy computing and not rushing fixes out before you're absolutely sure of them...this is shaping up to be it..."

- Edit/add - MS KB 833786 (Apologies, cannot post correct URL link due to board limitations).

 

A follow up .
A cyber-acquaintance who is a computer technician and very knowledgable about security issues informed me that:
"I downloaded and installed the patch in a disposable test system, and there is nothing about the authorship, nothing about the spyware, and nothing resembling
a EULA."

This discussion reveals that among other things the patch transmitted the identity of ebery URL visited by the PC on which it is installed. Its creators installed an upgrade which was supposed to fix it but the upgrade still phones home.

http://www.moosoft.com/forum/viewtopic.php?p=6101#6101

I think these reports sort of says it all ... this is a patch from hell!

 

FYI...interesting "includes" in the new "Database Update for The Cleaner 3.x and 4.0 Professional":
- https://www.wilderssecurity.com/showthread.php?t=18242;start=msg112462#msg112462
"Database v3433 21.12.03
-------------------
Added Beglur
Added Cayam
Added Jubon
Added Ketch
Added Memas

Updated BioNet
Updated OpenwaresIEPatch..." <--

-