New IE security hole found

Dan Kohn (dan@teledesic.com)
Thu, 6 Mar 1997 16:35:16 -0800


http://www.news.com/News/Item/0,4,8567,00.html

New IE security hole found
By Alex Lash and Nick Wingfield
March 6, 1997, 1:30 p.m. PT

Plug one hole, and another one opens. That's the situation Microsoft
(MSFT) is facing today.

Days after Microsoft patched a security hole in Internet Explorer, a
group of students from the University of Maryland say they have
discovered another hole in the browser that could allow a hacker to
remotely retrieve files or trigger programs on a user's computer and
install viruses from a Web site, according to a Web posting by the
students. This time, it is unclear whether the glitch affects only
Windows NT versions of Explorer 3.0 and not Windows 95 versions.

Today, Microsoft representatives said they were aware of the bug, but
they have not yet figured out which products it affects and what the
potential security risks of the bug are.

"We know about it," said Dave Fester, a lead product manager for
Internet Explorer. "We are currently researching it. It has something
to do with Iframe." Iframe is the "floating frames" feature of
Internet Explorer.

The programmers who discovered the hole are David Ross, Dennis Cheng,
and Asher Kobin. Their Web site claims that the hole is different from
a glitch discovered recently by a group of Worcester Polytechnic
University students that involved ".lnk" and ".url" files, also known
as Windows 95 and NT Shortcuts. Microsoft posted a patch for yesterday
morning that warns Explorer 3.0 and 3.01 users about this issue before
they download Shortcuts.

However, an Israeli security software company today said users are
still susceptible to "hostile links" through Microsoft's email and
newsgroup readers. EliaShim has found a message on a Usenet group that
encourages readers to click on a link and download a demo of Internet
Explorer 4.0. The link is instead a shortcut that deletes files on the
user's hard drive.

"The last couple of days had to do with links on Web pages," said
EliaShim technical support specialist Jerry Huyghe. "What we've found
is that the same type of security hole exists in Internet mail and
news applications."

A Microsoft spokesman said that the company was aware of the problem,
but that the IE patch posted yesterday fixes the newsgroup and mail
holes as well. EliaShim offers its own fix, called IE Safe, for free
download. It works as a companion application to Windows 95 and
prevents the download of executable code from a Web site.

The Shortcut security glitch stems from small files that are able to
bypass Explorer's built-in code checking feature to delete or alter
files on a user's hard drive.

"Microsoft sometimes goes way strong on the side of ease of use" while
sacrificing security features, said John Pescatore, senior security
consultant at Trusted Information Systems.

EliaShim's programmers in Israel found the message, which Huyghe
labeled a prank, and within 24 hours had posted a solution on the
company's Web site, he said. No information is known about the origin
of the message other than that it came from the address
"test@tudelft.nl".

<Picture: News Category>
Microsoft plugs IE security hole Mar. 5, 1997
<Picture>
Microsoft scrambles to plug IE hole Mar. 4, 1997
<Picture>

<Picture> The Net
<Picture>USWest to open 10 city guides <Picture> <Picture>Microsoft
security problems run deep <Picture> <Picture>New IE security hole
found <Picture> <Picture>No sign of Michelangelo virus yet <Picture>
<Picture>Big guns back Net ad association <Picture> <Picture>Java,
ActiveX security elusive <Picture> <Picture>MSN email goes down twice
<Picture> <Picture>GTE to enter new Net markets <Picture>
<Picture>NASA relaunches its Web site <Picture> Computing
<Picture>56-kbps upgrade for ISP servers <Picture> <Picture>Toshiba
turns standard on its head <Picture> <Picture>Micron line takes care
of business <Picture> <Picture>Top-tier PC vendor to back USR
<Picture> Intranets
<Picture>Partners to push in enterprise <Picture> <Picture>Intel
pushes voice onto networks <Picture> <Picture>Oracle releases ConText
2.0 <Picture> Business
<Picture>Nintendo matches Sony game prices <Picture>
<Picture>Verity won't meet estimates <Picture> <Picture>PC retailers
hit by slow-growing market <Picture> <Picture>Glitch throws AOL stock
ticker off <Picture>

<Picture>Copyright (c) 1995-97 CNET, Inc. All rights reserved.