IE Flaw Fears Prompt Non-MS Patch Downloads
More than 70,000 users hit the eEye security website to pick up the third-party patch the company created to fix the createTextRange() vulnerability in Internet Explorer.
Despite protestations from Microsoft, users turned out in droves to pick up the patch developed by eEye, SecurityFocus reported. The temporary patch provided by eEye has been made freely available. A similar patch is available from Determina, an intrusion protection vendor from Redwood City, CA.
The patches arrive ahead of Microsoft’s own efforts to patch the highly critical flaw. Speculation that the company would release a patch outside of its normal release cycle has not yet been borne out by Microsoft. Both third-party patches can be uninstalled after the official patch has been applied, eEye and Determina noted in their respective advisories.
Microsoft has been following these developments as it works on an official fix to the problem. It has suggested a workaround in which users disable Active Scripting in the browser. It also does not recommend using the third-party patches because of the modifications they make to Windows, despite both companies including uninstall routines with their patches.
The operations manager for Microsoft’s Security Resource Center posted those concerns along with some information on Microsoft’s progress. Said Mike Reavey: