Temporary Patches for createTextRange Vulnerability

Published: 2006-03-28
Last Updated: 2006-03-28 18:26:03 UTC
by Johannes Ullrich (Version: 1)
eEye released a temporary patch for the current createTextRange vulnerability. The patch can be found here: http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.

At this point, we do not recommend applying this temporary patch for a number of reasons:
  • The workaround, turning off Active Scripting AND using an alternative browser, is sufficient at this point.
  • We have not been able to vet the patch. However, source code is available for both the eEye and the Determina patch (for Determina, the source is part of the MSI file; for eEye, the source code is available as a separate file).
  • Exploit attempts are so far limited, but this could change at any time.
Some specific cases may require you to apply the third-party patch, for example, if you are required to use several third-party web sites that only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch in your environment first. You may also want to consider contacting Microsoft.

We do suspect that Microsoft will still release an early patch, given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft has suggested that the patch will be released no later than the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

Please let us know about issues (or successful installs) of either patch. We will summarize issues here.
