Security threats Toolkit

Open-source IE patch hits trust barrier

Munir Kotadia ZDNet.co.uk

Published: 19 Dec 2003 16:10 GMT

Openwares.org, an open-source software development Web site, has posted a patch that purports to fix a critical vulnerability in Microsoft's Internet Explorer browser, but software developers and analysts are advising against installing it.

The vulnerability in question allows IE to display one URL in the address bar while the page being viewed is actually hosted elsewhere. This makes users more susceptible to ruses such as phishing, in which online-banking users receive emails that seem to have been sent by their bank, asking them to click on a link in order to visit the bank's Web site and "confirm" their security access details. Crude phishing attempts are obvious because the address bar in Internet Explorer would show a URL different to that of the bank, but elaborate phishing schemes could exploit the IE vulnerability and therefore make the ploy more plausible.

Despite the apparent attraction of downloading the patch - for which Microsoft as yet has no equivalent -- analysts warned against doing so. Graham Titterington, principal analyst at Ovum, is suspicious of the update and advises companies to wait till Microsoft releases an official patch, because although the Openwares.org patch may work, it could cause problems with future Microsoft updates. "They don't have access to the source code and Microsoft does," said Titterington. "Even if it is a bona fide patch and it works, how compatible will it be with future Microsoft patches that come along?"

According to Opensource.org, the patch has been downloaded around 1,000 times since it was published on Monday. The site publishes software that has been written and submitted by its readers, raising concerns on developer discussion groups about the motivations of the writer. Some developers are wary of the patch because its code sends URLs back to the author's servers, which could be a privacy threat in itself. Advocates say such action may well be necessary to help the code do its job, particularly since only suspect URLs were redirected. And some contributors welcomed the patch because although it has been almost two weeks since Microsoft admitted the vulnerability exists, it has not yet released its own fix.

But Titterington advises companies to wait for the official patch from Microsoft: "Microsoft is going to have to patch it -- this came into the public domain with MS unprepared so there will be a time lag involved, so organisations are advised to sit tight and wait for Microsoft patch to come along," he said.

Microsoft was unable to comment on its progress towards creating a patch or give any advice on whether the open-source patch should be used or not; but in the company's Knowledge Base support Web site, among other solutions, users are advised to view links in notepad before clicking on them to identify the actual destination. One basic rule of thumb says that if the URL contains "%00", "%01" or "@" characters, it is suspicious, if it does not, it is probably safe to click. Alternative browsers, such as Mozilla and Opera, are not affected by the problem.