Open Source Firm Releases Patch for IE Bug [UPDATED]

An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.

No Trusted Computing logo on patch?

[Anonymous Coward]

I'm not downloading anything that isn't part of a MS plan. Sounds like a trojan attempt to me.

Re:Acceptance?

[TellarHK]

Why is the group releasing this on their own?
To quote the wise sages of the Quake 3 voiceover...

HUMILIATION!

New MS Security Fix

[Ironclad2]

This patch fixes a security bug in Internet Explorer that could allow someone who actually knows what they're doing to repair buggy programs on your computer.

What the "patch" really does....

[mikewren420]

What the article doesn't say is that the "patch" just removes IE and installs Mozilla. :)

No thanks

[Anonymous Coward]

Sorry, but its going to be a cold day in hell when I run something from a website named "openwarez.org".

OMG!!!

[Infernon]

It didn't ask me to reboot afterwards!!!
Someone start knitting a sweater for Satan...

did anyone else feel it...

[Stevyn]

when hell just froze over? Will microsoft actually have to acknowledge them? Thank them?

The patch was released a while back!!!

[Eberlin]

An open source firm issued the patch a while back -- It was called mozilla.

How does this affect IE, the MS EULA, and all the other wonderful legal stuff that could be dragged out simply because you modified software that wasn't meant to be modified outside the confines of One Microsoft Way?

Patch on, I guess...if you must. I sleep much more soundly with my RH9 and Firebird.

Re:... huh?

[arvindn]

Try some of these (funny yet scary at the same time):

• Next time there's a hole in MSIE so big you can drive a cart through it, MS will release a patch in a week and say: "See! We told you we're more secure than open source. We have a patch out already and openwares.org hasn't yet!"
• People will believe them when they say that
• Openwares is going to get sued by MS claiming there's no way they could have released a patch unless they illegally obtained the source
• I'm sure there's a joke or three out there about the name (wares->warez) but I can't find it :)

Crikey, mate.

[IvyMike]

That's not a link! This is a link:

http://www.openwares.org/downloads/IEpatch.EXE [openwares.org]

P.S. I haven't actually tried the executable out, I just added the clickable goodness. I also couldn't pass up the chance to make a Crocodile Dundee joke.

In other news...

[BladeMelbourne]

Open Source Firm Releases Patch for IE Bug

In other news...

Today Micro$oft contributed code to the Linux kernel, and announced plans to help iron out differences between Mozilla and MSIE :-)

Poor Microsoft... (Not really, but...)

[Pathway]

Poor MicroSoft!

Microsoft's biggest software threat gets a huge update, one of their own products gets a patch by a third party, Real Networks sues them for monopolistic activities, and Lord of the Rings - Return of the King (a movie made with cheap Linux boxes) is realeased. All this in a 48 hour period!

Man, it's been a rough couple of days.

Sm:)e.

Re:Seriously.

[NamShubCMX]

he's actually in a "too-much-win" situation :P

(t'was easy, sorry)

Re: isnt reverse engineering against the EULA?

[NortWind]

Maybe they forgot to sign the EULA?

Free IE patch and fix.

[ratfynk]

Found a wonderful fix it is called cfdisk! and slackware 9.1 setup, works great and no IE security issues!

Re:did anyone else feel it...

[WolfWithoutAClause]

Will microsoft actually have to acknowledge them?

Yes, of course! The subpoena will mention them by name.

Re:And this matters why?

[aled]

Sued by... by customers bwahaha haha... not... 'nough...ha haha... air...got...to...breath...hahah sued.... customers....

Re:No Trusted Computing logo on patch?

[Anonymous Coward]

Did you know that MS are now sending out these patches direct via email? Be sure to install it when it arrives.

How about this one ....

[taniwha]

M$ picks up an open source bug fix off the net, rolls it into IE and releases it real fast ..... 2 weeks later the FSF comes a knocking wanting to know where the source for IE is and "didn't you say in court your browser is so highly integrated into your OS it can't be removed ... we'll have the source to that too please" ....

Re:... huh?

[Niten]

<fingers_crossed>

If this patch gets the press coverage that it deserves, maybe people will learn to take Microsoft's claims of better security response rates than those open-source folk, with a grain of salt.

Or maybe Microsoft will actually start working harder to keep their software secure in a timely manner?

</fingers_crossed>

Re:This doesn't actually fix the problem

[Ironica]

While it's a nice step, it's no replacement for an official Microsoft patch.

It's no replacement for... nothing, in other words?

Microsoft hasn't even said they're *going* to patch this yet, you may be waiting an awful long time.

Re:Can we really trust this patch?

[Mikey-San]

How do we know the executable doesn't have crap in there?

You know, the same could be asked of Internet Explorer.

Re:Inept and free!

[lurker412]

Yeah, patch Q824145. In my case, it turned out to be a blessing. I got so pissed off that MSFT broke standard UI scrolling behavior that I switched to Firebird. I don't understand how a large, successful software company can do such sloppy QA and think that nobody will notice. But then, there are many things that I don't understand.

Deee-licious

[Saeed al-Sahaf]

Oh but wouldn't it be so deee-licious if people FED UP with Windoz bugs started relieasing fixes independent of M$? What do you suppose Bill and Friends would do?

Re:DMCA violator

[webtre]

in other news M$ sues SCO over patented intentional operating system backdoors

Re:How were they able to make such a patch...

[Geek of Tech]

>> Hmm, don't like that, it would be better to redirect it to someplace harmless like http://127.0.0.1

Don't bother. I'm so 31337 that I just hacked that 127.0.0.1 loser... In a minute someone should be noticing their root file system missing.... Heheheh

Hmmmm.... That's funny.... Where'd my MP3's go......

Re:No Trusted Computing logo on patch?

[zin]

Yeah next XP service pack won't install because you have a corrupt OS file (due to an unauthorized patch).

Re:No Trusted Computing logo on patch?

[nacturation]

Of course it isn't a trojan. It's a legitimate security update which gets run on your system and makes IE invulnerable to that particular spoof attack. Why, openwares.org even has a definition on their site of what a trojan is:

• Trojan and/or Worm loaders
  
  Trick unsuspecting users into downloading harmful viruses
  by disguising them as legitimate security updates.

So you see, this is nothing more than a legitimate security upd... wait a second!!

Re:Do Not Use It-It's Got a Huge Vulnerability Its

[qtp]

It seems you've got a good handle on this, so when can Openwares expect your patch for the vulnerability in thier patch?

In Other Other News...

[Anonymous Coward]

SCO Group of Lindon Utah announces that it has filed suit against Microsoft for including Unix/Linux code in Microsoft's Internet Explorer. Darl McBride says "There's no way these burger flipping losers could fix IE without our help. Microsoft couldn't even fix it without our lawyers."

Shrewd investors continue to laugh at the SCO Group's activities and have the following comments:

"The funniest thing I've seen since the Paris Hilton tapes!" - MSN

"A gut buster worthy of John Belushi - but SCO does more drugs" - Timothy Leary

SCO also announced that Caldera Linux licences still outpace all other SCO products - excluding lawsuits - by a 2:1 margin. Darl announced that they expect to make that 3 to 1 by next summer before they are purchased outright by IBM for $1.50 and a can of Red Bull.

Gasp! You violated copyright!

[Dwonis]

// Terms of Agreement:
//
// By using this source code, you agree to the
// following terms:
//
// 1) You may use the source code, resource
// files for educational purposes only.
// 2) You MAY NOT redistribute this source code
// without written permission. Failure to do
// so is a violation of copyright laws.
// 3) The author of this code may have retained
// certain "additional copyright rights".
// If so, this is indicated in the author's
// description.

Re:How were they able to make such a patch...

[jhoffoss]

...this is exactly the sort of shit that MS is talking about when it brings up it's FUD...

Bet'cha five bucks these guys are under-cover MS operatives ordered to spoil the image of open-source developers by writing shitty code to break people's operating systems. Wait, why would they have to be undercover?

Re:Use MyIE2 0.9.11

[insomaniac]

I know I'm going to get modded to hell for this but how about a w3c compliant html/css implementation?