|
Serious security flaw found in Microsoft
----- Begin NetScrap(TM) -----
Serious security flaw found in Microsoft
from USA today:
Serious security flaw found in Microsoft
browser
SEATTLE - Microsoft Corp. programmers hustled to fix a dangerous
security flaw in its Internet Explorer browser that could allow a Web site
operator to secretly run programs or destroy files on someone else's
personal computer.
Although the company said it had received no customer reports of
security breaches, a computer security expert said the problem was
extremely serious because it bypasses the widely used software's security
measures.
"It is as if you allowed someone to type on your computer and you go out
to lunch," said Simson Garfinkel, an author of Internet security books and
columnist for HotWired magazine and the Boston Globe.
The flaw could result in all sorts of mischief, such as preventing another
person's computer from starting up or sending e-mail from another
person's account, Garfinkel said.
Microsoft officials said Monday they were testing a solution for the
problem and expected to have it quickly posted to the company's site on
the World Wide Web.
Internet Explorer, Microsoft's key Internet product, is used by millions of
people worldwide to access the Web. Microsoft estimates it has a 25%
to0% market share, behind Netscape Communications Corp.'s
Navigator program.
Officials at Netscape, Microsoft's bitter rival, stressed their product does
not have the security flaw.
"Netscape does not have any similar problem nor have we had any attack
so wide in scope with any technology," said Eric Greenberg, senior
security product manager for Netscape.
"Microsoft is newer to the Internet arena and is encountering some of the
problems with trying to catch up," Greenberg said.
Paul Balle, a product manager for Microsoft's Internet Explorer team,
said Microsoft learned of the flaw Monday after it was discovered last
week by a student at Worcester Polytechnic Institute in Worcester,
Mass. The student, Paul Greene, and his friends posted information about
the flaw on their Web site.
"We take this very seriously," Balle said. "The moment we found out
about it, we got our developers and program managers on it."
Balle said the bug is especially worrisome because it bypasses even the
highest levels of Internet Explorer's security systems.
On his Web page, Greene noted that "Windows 95 comes with a variety
of potentially damaging programs which can easily be executed."
As an example, Greene said certain links could create and delete some
directories on a Windows 95 machine.
Greene said in an interview with InfoWorld Electric, posted to that Web
site Monday afternoon, that the problem appears only to affect Internet
Explorer.
"The ramification for [Internet Explorer] is that any anti-Microsoft jerk
can set up their Web site to be destructive to anyone using Internet
Explorer and safe for all other browsers," InfoWorld quoted Greene as
saying.
Although Microsoft was responding quickly, security expert Garfinkel
said eradicating the problem would still depend on all existing Internet
Explorer users modifying their software.
"The reason that it is so serious is that it is very easy to exploit this bug
and the knowledge on how to exploit it has been widely disseminated to
the public," he said.
"There are millions of people using Internet Explorer that would not move
quickly to update," he added.
Balle said that in the year that Internet Explorer versions.0 and.1 have
been available, this was the first time the security problem had been
reported to Microsoft. The problem primarily is in those versions of
Internet Explorer, but possibly might affect previous versions, he said.
The flaw involves basic functions found within Microsoft's Windows 95
and Windows NT operating systems.
When a PC user clicks on a hyperlink on a Web page, Balle explained, a
Web page creator could have that link connect to a file known as a
"shortcut" in Windows 95 and NT. Shortcuts are widely used to start
computer programs or functions.
If the "Webmaster" for the Web page can guess the precise location and
code needed on the user's computer, shortcuts on the Web page could
surreptitiously select and start programs on the user's hard drive.
"If they can guess it, they can get to it," Balle said.
Many widely available programs such as Windows 95 have standard
locations or addresses where their components are stored on computers.
Unless a PC user custom-installed or otherwise modified a program, the
addresses would be simple to guess.
More information about the flaw can be found at Microsoft's Internet site
(http://www.microsoft.com/ie/default.asp).
Greene's site is: http://www.cybersnot.com.
InfoWorld's site is: http://www.infoworld.com.
----- End NetScrap(TM) -----
Entered on: 05/19/1998
| Send it: |
Claim it:
|
|
Copy and paste this into an email to a friend. We can make it easy for you. Mail
it off with the Netscrap(TM) MailTool.
|
Did you do this? Do you own it? Can you prove it?
Netscrap.com's mission is to reunite jokes like this with their
creators. Take credit for your fine work.
|
|