A researcher beat Microsoft to the patch punch over the weekend by publishing an unofficial fix for a critical flaw in Windows XP and Server 2003 on PCs with Internet Explorer 7.
KJK::Hyperion, a.k.a. "Hackbunny," a researcher believed to live in Italy, posted a link to the 16KB patch on both his Web site and the Full Disclosure security mailing list Sunday. KJK's patch, dubbed "ShellExecuteFiasco," blocks the execution of malformed URLs and forces normalization of valid URLs. URL normalization, which can include tasks such as changing a URL to all-lowercase and stripping out the "www" part of the address, is a technique used by search engines to reduce indexing of duplicate pages.
Users who apply the patch do so at their own risk, KJK warned. "The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever, so please deploy with the greatest care," he said in the notes accompanying the fix. "It has a very good chance of misbehaving and making your system unusable."
His patch targets the Universal Resource Identifier (URI) vulnerability that Microsoft acknowledged last week. The company's security group issued an advisory that spelled out the problem, which could allow attackers to compromise systems running Internet Explorer 7 if users clicked on malicious links embedded in e-mail messages or posted on a Web page. Microsoft also said it would release a fix but would not commit to a schedule.
"The update will be part of our normal product update process [and] will be released as soon as we feel it's ready," said Mark Miller, director of the Microsoft Security Response Center (MSRC), last week.
Microsoft typically takes a dim view of third-party patches like the one KJK posted. Although it did not immediately reply to a request for comment, in past cases, it has cautioned users against deploying any unsanctioned fix.
Symantec gave much the same warning to customers of its DeepSight threat network this week. In the advisory, Symantec said it had not been able to verify the integrity of KJK's work and told users to "use extreme caution when using patches from third-party sources."
The unsanctioned patch can be downloaded from KJK's Web site.