A security researcher working under a pseudonym has released an unofficial patch to a recently discovered vulnerability in Windows and Internet Explorer 7.
KJK::Hyperion, aka "Hackbunny," believed to live in Italy, publicised the 16K patch on his website and the Full-Disclosure mailing list. KJK's patch, dubbed "ShellExecuteFiasco," blocks the execution of malformed URLs and forces normalisation of valid URLs. URL normalisation, which can include changing a URL to lower case and stripping out the "www", is a technique used by search engines to reduce indexing of duplicate pages.
Users who apply the patch do so at their own risk, KJK warned. "The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever, so please deploy with the greatest care," he said in the notes accompanying the fix. "It has a very good chance of misbehaving and making your system unusable."
His patch targets the Universal Resource Identifier (URI) vulnerability that Microsoft acknowledged last week. On Thursday, the company said the flaw could allow attackers to compromise systems running Internet Explorer 7 if users clicked on malicious links. Microsoft also said it would release a fix but would not say when.
"The update will be part of our normal product update process [and] will be released as soon as we feel it's ready," said Mark Miller, director of the Microsoft Security Response Centre (MSRC), last week.
Microsoft typically takes a dim view of third-party patches. Although it did not immediately reply to a request for comment, in past cases, it has cautioned users against deploying any unsanctioned fix.
Symantec gave much the same warning to customers of its DeepSight threat network. Symantec said it had not been able to verify the integrity of KJK's work and told users to "use extreme caution when using patches from third-party sources."
The unsanctioned patch can be downloaded from KJK's website.