Bad web browser bug gets patched

Users face a tricky choice on whether they use the patches

Security firms have released patches for a critical loophole in Microsoft's browser that leaves users open to attack.

The release pre-empts Microsoft which is not due to release a fix for the bug until 11 April.

The security firms said the patches were needed because hundreds of websites had been created to exploit the loophole.

But Microsoft said it did not recommend that users apply the patches.

Patch problem

In late March, three security loopholes were found in Microsoft's Internet Explorer browser by security firms.

The most serious of the three, known as the CreateTextRange bug, allowed malicious hackers to take over a PC if it was used to visit specially crafted webpages.

Now two firms, eEye Digital Security and Determina, have separately produced software patches that close this loophole. Earlier, Microsoft said it would produce a patch in time for the next scheduled Windows security update that falls on 11 April.

Marc Maiffret, eEye's co-founder and chief hacking officer, said its patch was a stop-gap prior to the official version from Microsoft. He said eEye's patch would disable itself once the official version was released and installed.

Microsoft said it could not endorse the patches or recommend that users install them as they had not been through the software giant's testing and evaluation program.

Although Microsoft has played down the threat from people exploiting this loophole, others have found hundreds of websites built to take advantage of the bug in the IE web browser.

Websense said it had seen more than 200 unique web links that were trying to catch people out using the loophole.

On its security blog, Microsoft said it was working with law enforcement to shut down websites created to exploit the bug.