MS patches IE hole, FrontPage still gaping

On Thursday, a German tester for Jabadoo Communications' c't computer magazine discovered that it was possible to spy on text, graphics and HTML files on somebody else's hard drive by embedding code in a Web page or e-mail message. Files could be viewed even on firewall-protected intranet and even if the highest security level was selected on IE.

The next day, Microsoft provided a patch to what it called the Freiburg text-viewing issue, after the town where Jabadoo is based. Alternatively, Microsoft said Internet Explorer 4.0's Security Zones can be configured to protect against the bug by disabling scripting for unfamiliar sites.

However, as of 10am Tuesday, October 21, Microsoft still hadn't managed to fix another security bug in the FrontPage 98 Server Extensions on Unix systems running the Apache Web server. Apache is a dominant leader in Web servers.

Discovered and highlighted on a page called Microsoft FrontPage 98 Security Hell, the issue is described as "a gaping hole" in security. On October 11, Microsoft responded with a note on its Web site four days later and is promising a "re-release" of the Server Extensions will be posted this week at http://www.microsoft.com/frontpage/wpp/.

On the Security Hell site, Webmaster Marc Slemko is damning of Microsoft. "It is no secret that the security of the FrontPage 97 and earlier Unix server extensions is quite poor," he writes. "However, a closer examination reveals startling flaws ... the gaping holes in this program show a complete lack of understanding of security in the Unix environment."