As we reported in a previous news story (“Flaw in Internet Explorer Makes Spoofing Easier”), a flaw in Microsoft Internet Explorer versions 6.0, 5.5, and 5.01 was recently discovered that could be used to trick users into visiting a Web site they did not intend to visit. Microsoft produced an article (833786) that outlines various steps that can be taken to mitigate such risks.
However, an open source software group, Opensoft, has taken it upon themselves to produce a third-party patch for the flaw. Openwares.org published the patch on its Web site. The patch is available as a self-extracting executable and users can also download a zip file that contains the source code used to create the patch.
Users who tried the first version of the patch found that it contained various bugs that might have reduced security instead of increasing it. In addition, some users reported that the patch contacted the Openwares.org Web site without users' prior knowledge and permission. Representatives of Openwares.org commented that the patch only contacted their Web site when a user clicked on a spoofed URL. The group claims they would have used such information to report the spoofed URLs to authorities. But even so, creating software that “phones home” without users' permission is the equivalent of spyware, regardless of the intent.
Nevertheless, a new version (2.0) was subsequently released that supposedly doesn't “phone home,” but users have reported problems with that version too. For example, one user reports that with the patch installed he cannot log in to his Hotmail account using his Microsoft Passport credentials.
In the past, many security researchers have offered workaround methods for various security problems in Microsoft products, but it's rare for someone to produce a third-party patch for public use. One obvious question raised by third-party patches is whether you should risk loading them.
The safe answer is that unless you have ample reason to implicitly trust the author of such a patch, you probably shouldn't load it. An exception might be in cases where you can examine the related source code carefully and compile it for your own use. But even then there could be unforeseen consequences. In the case of this particular patch, the authors violated user trust by inserting a spyware feature, which is of course a security risk in and of itself. So much for trust and good will.