Open Source Firm Releases Patch for IE Bug [UPDATED]

An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.

How were they able to make such a patch...

[znode]

Without the original source to IE?

Re:How about this one ....

[CaptBubba]

I actually don't see any mention of the GPL on any of the pages, or in the downloadable source.

Doesn't this mean that nobody else is allowed to distribute it? I mean, MS could still get in a whole lot of trouble for inclusing this code in its patch, but they wouldn't risk losing source code.

Re:Hey, morons

hmm...
In ::BeforeNavigateEvent (IETray.cpp)
It copies the string to a MBCS buffer, and scans for %01, %02, and %DA. If none of these exist, the rest of the function is skipped. Don't see how this phones home.

Of course, the strings is malloc()ed but never free()ed... But that's another matter. That and for some reason they don't just use all-unicode (use wcsstr() etc.)... What if I wanted to surf to a site with a character that is not in the current code page? (e.g., search for Japanese text on Google using an English O/S) (Note that IE has the option of always sending the URL in UTF-8, so it has to be able to deal with characters not in the ACP)