Microsoft plans to fix the Internet Explorer (IE) createTextRange flaw during its next scheduled patch release on April 11. But IT professionals who don't want to wait that long now have two third-party alternatives.
The first comes from Aliso Viejo, Calif.-based eEye Digital Security Inc. Marc Maiffret, the firm's chief hacking officer, described the fix in a message to the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies LLC Monday evening.
"This workaround has been created because currently there is no solution from Microsoft other than the workaround to disable Active Scripting," he said. "We have personally had requests from various customers and the community to help provide a free solution in the case that companies and users are not able to disable Active Scripting."
He acknowledged the free fix is experimental and should only be installed in IT shops that are unable to disable Active Scripting.
The second patching alternative comes from Redwood City, Calif.-based vulnerability protection firm Determina Inc. Using the technology from its Vulnerability Protection Suite (VPS), the company said in a Web site statement that it has engineered a "standalone shield" that provides "free and immediate protection to users worldwide that need to protect systems from related attacks until such time as Microsoft issues its own patch."
For its part, Microsoft said it's working feverishly on a permanent patch and plans to have it ready by April 11, if not sooner.
The Microsoft Security Response Center posted a statement in its blog Monday saying that the IE team "has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers." Right now, the response center said, "our testing plan has it ready in time for the April update release cycle."
The latest flaw was discovered by Danish vulnerability clearinghouse Secunia. In an advisory, the company described the latest problem as an error in how the "createTextRange()" method is processed on a radio button control. "This can be exploited by a malicious Web site to corrupt memory in a way [that] allows the program flow to be redirected to the heap," Secunia said. "Successful exploitation allows execution of arbitrary code."
Secunia said the vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.
The third-party patches seem to suggest that the security community is growing more reluctant to wait for Microsoft to address potentially dangerous vulnerabilities. The last time third-party fixes were released for a Microsoft flaw was in January, when exploits circulated for the Windows Metafile (WMF) flaw. The software giant had planned to release a patch during its regularly scheduled Jan. 10 security update, but ultimately released an out-of-cycle fix five days ahead of Patch Tuesday.