Temporary Patches for createTextRange Vulnerability
eEye released a temporary patch for the current createTextRange vulnerability in Internet Explorer. The patch can be found here:
http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.
At this point, we do not recommend applying this temporary patch for a number of reasons:
- The workaround (turn off Active Scripting AND use an alternative browser) is sufficient at this point.
- We have not been able to vet the patches. However, source code is available for both the eEye and the Determina patch (for Determina, the source is part of the MSI file; for eEye, the source code is available as a separate file).
- Exploit attempts are so far limited. But this could change at any time.
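The first workaround above, turning off Active Scripting, is a per-zone Internet Explorer setting that lives in the registry, so it can be audited and enforced without clicking through the Internet Options dialog on every machine. The following PowerShell is an added example and is not code from this diary or from the eEye or Determina patches. It assumes (this is not stated on the page) that IE keeps per-zone settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, with zone 3 = Internet and zone 4 = Restricted sites, and that DWORD value 1400 is "Active scripting" with 0 = Enable, 1 = Prompt, 3 = Disable. The function and variable names are the example's own.

```powershell
# Added example, not from the ISC diary or from the eEye/Determina patches:
# audit and enforce the "Active Scripting disabled" workaround for IE.
#
# Assumed registry layout (not documented on the page itself):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>
#   zone 3 = Internet, zone 4 = Restricted sites
#   DWORD 1400 = "Active scripting": 0 = Enable, 1 = Prompt, 3 = Disable

$ZoneRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$Zones   = @{ 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # Returns one object per zone describing the current-user Active Scripting setting.
    foreach ($zone in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $zone
        $raw = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        [pscustomobject]@{
            Zone      = $Zones[$zone]
            Value     = $raw
            Setting   = if ($null -eq $raw) { 'not set (IE default applies)' } else { $Meaning[[int]$raw] }
            Compliant = ($raw -eq 3)   # only "Disable" satisfies the workaround
        }
    }
}

function Disable-ActiveScripting {
    # Sets Active Scripting to Disable (3) for the Internet and Restricted zones of the
    # current user. Local intranet (zone 1) and Trusted sites (zone 2) are left alone,
    # so sites you deliberately trust keep working.
    foreach ($zone in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -Type DWord
    }
}

# Usage: audit first, then enforce, then re-audit.
Get-ActiveScriptingState | Format-Table -AutoSize
Disable-ActiveScripting
Get-ActiveScriptingState | Format-Table -AutoSize
```

Two caveats when reading the audit output. If the machine has the DWORD Security_HKLM_only set to 1 under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, IE uses the HKLM copy of the Zones tree for every user and the HKCU values shown here are ignored; check the same value 1400 under HKLM in that case. And a Group Policy "Internet Explorer security zones" setting will overwrite whatever this script writes at the next policy refresh, so the durable fix in a domain is the policy, with this script serving as the check that the policy actually landed.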
We do suspect that Microsoft will still release an early patch, given the imminent danger to its customers from this flaw. As the company stated about two years ago, patches can be released within two days if needed, and Microsoft has honed its patching process over numerous prior releases. At this point, Microsoft has suggested that the patch will be released no later than the second Tuesday in April. Based on these prior public commitments, we expect Microsoft to issue the patch early once it is convinced that customers require the use of Internet Explorer in production environments.
Please let us know about issues with (or successful installs of) either patch. We will summarize issues here.