Security firm plugs Internet Explorer hole

Workaround promises to protect browser in anticipation of official fix

Security vendor eEye Digital Security has created a temporary patch that protects end users and enterprises from an unpatched vulnerability in Internet Explorer. 

The vulnerability is caused by an error in the way that the browser processes a 'createTextRange' call on a radio button. The bug could allow attackers to take control of a system by luring victims to a specially crafted website.

Attackers are actively exploiting the flaw and Microsoft has hinted that it might release an out of cycle patch.

The Redmond giant had advised users to disable Active Scripting in their browser settings (instructions can be found at Microsoft's support website). 

Microsoft has not certified the eEye patch. The security firm recommended that users try disabling Active Scripting first and use its workaround only if this does not work.

"EEye's patch is not meant to replace the forthcoming Microsoft patch, but to provide immediate protection in lieu of an available fix," said Marc Maiffret, co-founder and chief hacking officer at the security company.

"In fact, eEye has engineered the patch to automatically remove itself when Microsoft's official patch comes through."