Researchers craft temporary IE patch


Workaround promises to protect browser in anticipation of official fix

Security vendor eEye Digital Security has created a temporary patch that protects end users and enterprises from an as-yet-unpatched vulnerability in the Internet Explorer browser.

The vulnerability is caused by an error in the way that the browser processes the 'createTextRange' method call on a radio button. The bug allows attackers to take control of a system by luring their victims to a specially crafted website.

Attackers are actively exploiting the flaw, and Microsoft has hinted that it might release a so-called out-of-cycle patch.

Microsoft has previously advised users to disable Active Scripting in their browser settings (instructions can be found here).

Microsoft hasn't certified the eEye patch. The security vendor recommended that users try disabling Active Scripting first and use its workaround only if that doesn't work.

"eEye’s patch is not meant to replace the forthcoming Microsoft patch, but to provide immediate protection in lieu of an available fix," warned Marc Maiffret, co-founder and chief hacking officer at the security company.

"In fact, eEye has engineered the patch to automatically remove itself when Microsoft’s official patch comes through."