Third party solutions to the Internet Explorer

Third party solutions to the Internet Explorer CreateTextRange vulnerability

by Andrew Brandt

Windows users who have been at risk of falling victim to a newly-revealed security loophole in the Internet Explorer browser can fix their computers, courtesy of "unofficial" patches being offered for free download by two security companies.

Both eEye Digital Security and Determina released patches that shut off a feature in IE that hackers have figured out how to exploit for malicious ends. The patches were released when Microsoft announced that it would not fix the problem itself until April 11, the next "Patch Tuesday" in its cycle of regular monthly updates.

The vulnerability went from a theoretical to a real risk last weekend when security folks began seeing Web sites where malware authors were using the exploit to break into fully-patched Windows PCs. The quantity of sites hosting the malicious code now number in the hundreds.

But should you bother loading these third party patches? Surprisingly, analysts at the Internet Storm Center say no: You can thwart the vulnerability by not using Internet Explorer, or, failing that, by turning off Active Scripting support in IE (click Tools, Internet Options; click the Security tab, then the Custom Level button; scroll down to the Active Scripting option, and fill in the radio button next to Disable, and click OK twice).

Microsoft is, at least, providing an interim fix for people who think they may have already fallen victim to the new exploit: Head to the safety.live.com Web page, and you can scan your computer for malicious programs, including ones that use this unpatched bug to sneak into your PC.

source:pcworld