[Full-Disclosure] Openware.org IE Fix - Withdrawn

helmut hauser helmut_hauser at hotmail.com
Sun Dec 21 13:48:42 GMT 2003


And this is NO stupid thread ...

'Open source' IE patch withdrawn for further patching

Quote:

The third-party 'open source' patch for Internet Explorer that we told you 
about earlier today, contains more than a few potentially nasty surprises. 
As we noted, German tech site Heise had already warned of dangerous buffer 
overflows. Openwares.org, a month-old site which boasts "Software is free" 
today published source code and a binary executable purporting to fix a 
loophole in Internet Explorer for Windows. It's unusual, but not 
unprecedented, for third parties to issue their own fixes for Microsoft's 
exploit-riddled browser. But Heise advises that this patch could be more 
trouble than it's worth, and the fix has already been taken in for some 
maintenance.

"This patch addresses a vulnerability in Microsoft Internet Explorer that 
could allow Hackers and con-artists to display a fake URL in the address 
and status bars. The vulnerability is caused due to an input validation 
error, which can be exploited by including the "%01" and "%00" URL encoded 
representations after the username and right before the "@" character in an 
URL," according to a release note accompanying the patch. Unfortunately, the 
authors of the patch also enabled a Windows Registry key used by spyware. 
IEmsg.dll. "When we're absulotly [sic] sure that the code is bulletproof 
we'll re-release it," says Openwares's forum administrator.



News Source:

http://www.theregister.co.uk/content/55/34618.html

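The address-bar spoof described in the quoted article, as an added example that is not part of the original post, of the Openwares patch, or of The Register's text: a Python check that flags URLs carrying "%00" or "%01" in the userinfo part before "@", and reports the host that prefix suggests next to the host a client actually connects to, as a mail filter or proxy log review might. All host names in the sample input are constructed.

```python
# Added example, not from the Openwares patch or the quoted article: flag URLs
# that use the "%01"/"%00"-before-"@" trick the article describes. Host names
# in the sample input are constructed.
from urllib.parse import urlsplit

# Percent-encoded control bytes the article names as the trigger.
SUSPECT_ENCODINGS = ("%00", "%01")


def analyse_url(url: str) -> dict:
    """Compare the host a reader is led to expect with the real one.

    real_host       - host a standards-following client connects to
    apparent_host   - userinfo text before the first suspect byte, which is
                      what a vulnerable address bar displayed
    spoof_suspected - True when userinfo holds %00 or %01 before "@"
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    userinfo, sep, _ = parts.netloc.rpartition("@")
    positions = [p for p in (userinfo.find(e) for e in SUSPECT_ENCODINGS)
                 if p != -1] if sep else []
    if not positions:
        # No userinfo, or plain user:password@host credentials.
        return {"real_host": real_host, "apparent_host": real_host,
                "spoof_suspected": False}
    # Drop any ":password" part so only the host-like prefix remains.
    apparent = userinfo[:min(positions)].split(":", 1)[0]
    return {"real_host": real_host, "apparent_host": apparent,
            "spoof_suspected": True}


def flag_suspect_urls(urls):
    """Return (url, apparent_host, real_host) for each URL that matches."""
    flagged = []
    for url in urls:
        result = analyse_url(url)
        if result["spoof_suspected"]:
            flagged.append((url, result["apparent_host"], result["real_host"]))
    return flagged


# Constructed sample, as a mail filter or proxy might see them.
SAMPLE_URLS = [
    "http://www.example-bank.test%01@attacker.test/login",
    "http://www.example-bank.test%00@attacker.test/",
    "http://user:secret@files.example.test/",
    "http://www.example-bank.test/login",
]
FLAGGED = flag_suspect_urls(SAMPLE_URLS)
```

The first two sample URLs are reported with "www.example-bank.test" as the apparent host and "attacker.test" as the real one; the plain credential URL and the ordinary URL pass.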




Full-Disclosure is hosted and sponsored by Secunia.