Security hole found in Internet Explorer

About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store

NEWS

Security hole found in Internet Explorer

By Joris Evers
November 21, 2000 8:49 am PT

MICROSOFT'S INTERNET EXPLORER Web browser has a security vulnerability that could let a malicious Webmaster take over a user's computer, a security expert said Monday.

ADVERTISEMENT

<a href="http://ad.doubleclick.net/jump/idg.us.info.news/article;abr=!ie;pos=imu;pkey=security;skey=;paud=;saud=;sz=336x280;tile=2;ord=523103081008?"> <img src="http://ad.doubleclick.net/ad/idg.us.info.news/article;abr=!ie;pos=imu;pkey=security;skey=;paud=;saud=;sz=336x280;tile=2;ord=523103081008?" border="0"> </a>

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

TOP NEWS

IT SOLUTION SEARCH

Georgi Guninski, a well-known Bulgarian bug hunter, on Monday posted a security advisory on his Web site, www.guninski.com. Guninski ranks the problem as high risk.

Malicious Webmasters can exploit so-called ".chm" files, a compressed help file format, to execute arbitrary programs on a user's computer, Guninski said. The bug also allows viewing of temporary Internet files stored on the user's hard drive.

Guninski said he reported a similar vulnerability to Microsoft "some time ago." The software was fixed by allowing .chm files to run programs only if the .chm was loaded from the local system. Guninski says this is no longer a limitation. He discovered a way Webmasters could access temporary Internet files on other users' machines. Explorer saves pages in a folder called "temporary Internet files."

"It is possible to find the temporary Internet files folder," Guninski said.

Explorer creates several of these folders on a PC using random names. With a special HTML document, a malevolent Webmaster can reveal the name and location of a temporary Internet files folder.

Once a folder name is known, it is possible to cache a .chm file in any folder and execute it, Guninski said.

Until Microsoft has issued a patch for the problem, users can protect their computer by disabling active scripting, a browser function that has repeatedly been associated with security issues.

Affected programs are Microsoft's Internet Explorer, versions 5 and higher. Because Explorer is integrated in Microsoft's e-mail clients, Outlook and Outlook Express are also affected. Other versions may also be unsafe, but those have not been tested, Guninski said in his advisory.

Redmond, Wash.-based Microsoft could not be immediately reached for comment.

Joris Evers is an Amsterdam correspondent for the IDG News Service, an InfoWorld affiliate.

RELATED SUBJECTS

Security

Web Technologies

SPONSORED WHITE PAPERS

EMC - Lower costs and improve reliability-Get the EMC CLARiiON white paper!
Ciphertrust - Are you ready for Sobig.G? Learn how to protect your email systems.
CDW - Personal attention. CDW. The Right Technology. Right Away.
EMC - Explore key performance features and capabilities of EMC ControlCenter 5.1.1.
Intel - Free Intel white paper shows you how to deploy a secure wireless LAN
Cisco - FREE WHITE PAPER: BLUEPRINT to design and implement secure VPNs
Verity, Inc. - "Mass Consolidation Hits the Web-Search Market"
McDATA - Download a FREE storage consolidation white paper from McDATA(R).
Lucent Technologies - Overcoming Common Firewall Limitations
Lucent Technologies - Leverage Your Mobile High Speed Data Access. Download Free White Paper!
Nokia - Get the scoop! Mobilizing business white papers & case studies.
BMC Software - Maximize the Potential of Enterprise Data: Free white paper!
Network Associates - Free white paper - Strategies for Optimizing Network Costs and Benefits
Entrust - Manage identities across applications. Improve productivity.
Stalker Software - CommuniGate Pro - Transform your Email and Calendaring
Remedy - A NEW Gartner Research Note:Producing Quality IT Services

Search the IDG White Paper Library:

SPONSORED LINKS

INFOWORLD MARKETPLACE

» IT Compliance Conference: Nov. 5-7 in San Diego
Best Practices, Peer Experiences, & Expert Advice for Building a Defensible IT Compliance Program
» FREE Sophos Threat Detection Test
Is your AV catching everything it should? Free virus, spyware and adware scan.
» IT Audit Checklists
Prepare for your next internal IT audit. Checklists cover security, risk management, PCI, and more.
» FREE White Paper: Mitigating Rock Phish Attacks
Standard anti-phishing methods cannot defeat complex Rock Phish attacks. Learn how to fight back...
» Apply BPM and ITIL at your IT Help Desk
ServiceWise brings BPM to complete IT service while eliminating integration cost. Learn more here.

>> BUY A LINK NOW

	HOME NEWS TEST CENTER OPINIONS PRODUCT GUIDE TECHINDEX	About : Advertise : Subscribe : Contact Us : Awards : Events
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy

All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services.

Computerworld :: Network World :: CIO :: PC World :: Darwin :: CMO :: CSO
IT Careers :: JavaWorld :: Macworld :: Mac Central :: Playlist :: GamePro :: GameStar :: Gamerhelp
ITWorld Canada :: Computerwoche :: Techworld UK :: tecChannel :: IDG.se :: IDG.no