Third party solutions to the Internet Explorer CreateTextRange vulnerability

Hi everyone, Mike Reavey here.  I wanted to make everyone aware of some recent developments regarding the “Create TextRange” IE vulnerability.  First off we’re still not seeing increased spread of attacks, and in fact have been very active in taking down sites as they come up with law enforcement.  But attacks are still occurring so we certainly still recommend up to date AV software and our safe browsing guidance while we work on the update, and have updated the security advisory with a list of VIA partners that are currently providing protection. As always we’ll keep an eye out and we continue our work with law enforcement to take down any new attacks we see.

We’ve also been made aware of some third party solutions being made available for this vulnerability. Some of these solutions make modifications to Windows itself to bypass the attack vector of the vulnerability.  Of course, while the IE team is working on an update to address the problem, we certainly recommend a defense in depth strategy that involves third party tools such as AntiVirus or IDS/IPS solutions.  However we cannot recommend third party solutions that modify the way the product itself operates.  The reason is really around the fact that we carefully review and test our security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. And for IE it’s not only application compatibility, but web compatibility also. Our updates are offered in 23 languages simultaneously for all affected versions of the software. Microsoft cannot provide similar assurance for independent third party security updates or mitigation tools.

Customers of course can weigh the risk of deploying a third party “patch”  but it’s unclear what impact this will have on the system.  Addressing the vulnerability, as well as working with partners to address attacks, are a few of the main things that we’re working on and we’ll keep you up to date as progress is made.

-Mike Reavey

*This posting is provided “AS IS” with no warranties, and confers no rights.*