Eeye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.
At this point, we do not recommend applying this temporary patch for a number of reasons:
We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be release no later then the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.
Please let us know about issues (or successful installs) of either patch. We will summarize issues here.
I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020
Mar 28th 2006
1 decade ago