The eEye hack for the createTextRange vulnerability
Summary: My advice? Don't install it.
(Please forgive any grammatical or logical flow errors - I'm running real short of time but wanted to get this live before starting my work day).
Two MS security bloggers have mentioned the eEye "patch" that protects against the createTextRange vulnerability.
http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/ms_schweiz_security_blog/default.aspx
Both bloggers recommend that the patch not be installed.
Ok, I admit - the vulnerability is being exploited. That's bad. But, at the same time we need to have a realistic look at what is going on and compare risk to reward. On balance, after considering all the information I'm privy to (public and private) I have to say that I agree - do not install the third party patch.
Historically, third party patches and hacks have been problematic. Let's look at a couple of recent examples.
WMF Exploit hack
The WMF exploit patch was messy - to get the file to stick you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection). The changed file was also causing Windows Update to offer old security patches. Deregistering shimgvw.dll stopped Windows Picture and Fax Viewing from working.
The IE6/IE7 side by side hack
The IE6/IE7 side by side hack caused various symptoms, including opening a browser window that promptly hangs IE, opening links that render blank, and multiple windows opening when initiating a browser session.
The eEye hack (I refuse to call it a patch) doesn't fix the CreateTextRange vulnerability... it messes around with how Windows works. We have no way of knowing what may be broken by this change.
"Ah, but at least I'll be safe" I hear you say. "Safe from what?" says I. Let me explain.
First, according to http://www.microsoft.com/technet/security/advisory/917077.mspx "Antivirus companies indicate that attacks that exploit this vulnerability are being effectively mitigated by antivirus software with up-to-date signatures". The antivirus companies that have confirmed they provide protection against known vectors include:
Symantec
Computer Associates
McAfee
F-Secure Corporation
Panda Software International
Aladdin
Sophos
Eset Software
Trend Micro
Windows Live OneCare
Do you have up-to-date antivirus? Does it detect files that attempt to exploit the vulnerability? If so, why take the risk with a third party hack?
Second, sure there are lists going around warning that there are hundreds of sites that are taking advantage of the exploit. But, actually hitting one of those sites is needle-in-a-haystack stuff. Seriously. I've seen real-world, whats-actually-happening statistics that convince me that the risk of being hit by the exploit is not sufficient to risk damage that may be caused to a system's operation by the eEye changes.
On balance, considering the fact that MS and law enforcement have been very proactive in getting exploit sites shut down, considering the fact that there are not "hundreds" of sites out there (the number is far lower than that), considering the list of antivirus programmes that protect against known vectors, considering the fact that you'll have to be *real* unlucky to hit one of the sites that is still live without being taken by the hand and shown how to get there, and considering there are safer ways to protect yourself against the risk of exploit (disable active scripting or set to prompt), I say don't install the patch.
BTW, SANS Internet Storm Centre agrees - not with me per se, but with the risk assessment that the eEye patch shouldn't be installed:
http://www.incidents.org/diary.php?storyid=1226