eEye Security’s Temporary Patch for Zero-Day IE Exploit Surpasses 156,000 Downloads

April 11, 2006

eEye Digital Security(R), a leading developer of network security software and the industry’s foremost contributor to security research, announced that its temporary patch for the CreateTextRange() vulnerability (Microsoft Security Advisory 917077) has been downloaded by more than 156,000 customers over the last two weeks. Since its release on March 27, eEye has provided continuous support for the mitigation tool, which protects against the highly critical exploit circulating via a flaw in Microsoft’s (NASDAQ:MSFT) Internet Explorer (IE) Web browser. The patch, which is derived from Blink(R), eEye’s endpoint intrusion prevention solution, has worked flawlessly and there have not been any issues reported to the company. eEye recently conducted a survey of IT professionals to get a sense of their opinions on third-party patches and results have indicated that the vast majority of IT managers are in favor of a third-party patch, depending on the severity of the exploit.

eEye has received overwhelmingly positive feedback from companies who have downloaded the patch, thanking eEye for creating a mitigation patch ahead of Microsoft’s code patch, released today as part of Microsoft’s regular monthly patching cycle. Specifically, these organizations have indicated that the eEye patch gave them an extra layer of protection for their critical assets and eEye’s clear explanation and supporting data gave them the confidence to deploy eEye’s solution. John Gehrke, a systems administrator at the Branch of Quality Systems for U.S. Geological Survey, said, “eEye provided a very clear, informative and helpful description of the patch. I appreciated the ability to address the vulnerability immediately, so much so that I will check into Blink as an option for future protection.”

“We appreciated eEye’s timely protection and haven’t had any problems since our deployment,” added Douglas Calvert, an information security officer at a national banking chain. “We considered this flaw to be extremely critical as it’s located within a widely used consumer application, and we approached this zero-day with the mindset that, because it required user interaction to click on a link, it could be a targeted attack that therefore needed our immediate attention. We have so much confidence in the security knowledge eEye brings to its customers that it was an easy decision to install this patch, as it is just another way they are delivering that industry-leading knowledge to keep our information protected.”

The actual number of workarounds installed is much higher than the 156,000 downloads, with customers reportedly installing the patch to environments of hundreds of systems. This figure does not include patches reposted at other locations by users, such as Hitman Pro, a site based in the Netherlands, which automatically made eEye’s patch available to more than 1 million additional users.

eEye’s temporary offering was never intended to replace Microsoft’s official code patch, but rather to provide immediate protection in lieu of an available fix for those customers not using Blink(R), eEye’s award-winning endpoint intrusion prevention solution. In fact, eEye engineered its workaround to automatically remove itself once Microsoft’s patch had been installed.

Given the severity of this zero-day flaw, as well as the ability of eEye’s team to derive an effective patch from its Blink technology, it made sense for eEye to deliver proactive protection for its customers ahead of an official code patch from Microsoft. The primary purpose of eEye’s research team is to evaluate vulnerabilities in order to provide its enterprise customers with mitigation solutions prior to an attack. As a result, should future zero-day vulnerabilities require an immediate mitigation solution and eEye is capable of providing one, the company will not hesitate to do so.

“Although Blink has been protecting our customers against this vulnerability for the past year-and-a-half, once it became a zero-day, we felt it was in the security community’s best interest to have choices in terms of mitigation,” said Marc Maiffret, eEye’s co-founder and chief hacking officer. “Disabling Active Scripting and waiting 14 days for Microsoft to issue a patch was not a viable option for many organizations. This vulnerability needed to be dealt with immediately, and so our research team quickly developed and tested a patch that specifically addressed the issue without creating a loss of functionality. We’ve had a lot of feedback from people that have downloaded this patch, all of which has been positive. We are proud to say that having zero support issues is further proof that the quality of this patch is right on par with the quality of our products.”

Unlike signature-based solutions — such as anti-virus or behavior-based solutions — current Blink customers weren’t required to do anything to realize protection from this flaw. The result has been 100 percent protection, with zero downtime or impact to operations; businesses have been allowed to continue to function normally and IT departments can continue to deploy software patches according to regularly scheduled maintenance cycles. Current Blink customers should ensure that the Application Protection is enabled in their Blink policies.

For those interested in protecting corporate systems with Blink, eEye hosts frequent webinars on this subject. Please visit to register for these online events. An evaluation version is also available for download at .

As a service to the network security community, eEye’s Research Team, headed by Maiffret, conducts a Vulnerability Expert Forum during the second week of every month. These Web seminars enable participants to stay current on the potential risks and remediation requirements, such as those announced today, by exploring the effect that high-risk vulnerabilities and exploits have on network environments and infrastructures. To register for the April Vulnerability Expert Forum, scheduled for Wednesday at 11 a.m. PT, please visit .

For detailed technical information about the IE zero-day vulnerability, please visit eEye’s Security Alerts page at .

Over the last five years, industry experts have recognized eEye as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty and Code Red worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.
