A Year Ago: Microsoft addresses another IE hole

First published: Mon, 23 Nov 1998 17:30:11 GMT

Microsoft has issued a security bulletin concerning a potentially dangerous new variation of the Cuartango Hole in Internet Explorer 4.01 and Windows 98 that BugNet reported last month.

Like its predecessor, the Son of Cuartango Hole bug exploits the fact that Cut and Paste functions are available to scripting tools in Internet Explorer 4.01, using them to circumvent the security protections Microsoft built into IE4 HTML file transfers.

According to Microsoft, "the underlying problem is the ability of a script to use the Document.ExecCommand function to paste a file name into the file upload intrinsic control. This should only be possible by explicit user action. Once the file name has been pasted into the control, a subsequent form submission could send the file to a remote web site. If the user has disabled the default warning that is displayed when submitting unencrypted forms, the file would be sent without any warning to the user."
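The combination the bulletin describes, a file upload control on a page whose script invokes the paste command, can be checked for statically in saved HTML. The following Python audit is an added example, not code from Microsoft or BugNet. The names `UploadPasteAudit` and `audit_page` and the sample pages are constructed for illustration, and the check is a heuristic that does not see script assembled at run time.

```python
import re
from html.parser import HTMLParser

# Case-insensitive: the bulletin writes Document.ExecCommand, and VBScript ignores case.
PASTE_CALL = re.compile(r"execCommand\s*\(\s*[\"']paste[\"']", re.IGNORECASE)

class UploadPasteAudit(HTMLParser):
    """Collects file upload controls and all script text on a page."""
    def __init__(self):
        super().__init__()
        self.file_inputs = 0     # <input type=file> controls seen
        self.script_chunks = []  # <script> bodies and on* handler values
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "input" and attrs.get("type", "").strip().lower() == "file":
            self.file_inputs += 1
        if tag == "script":
            self._in_script = True
        # Inline handlers (onload=, onclick=, ...) carry script too.
        self.script_chunks += [v for k, v in attrs.items() if k.startswith("on")]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_chunks.append(data)

def audit_page(html):
    """Flag a page that has a file upload control and a scripted paste."""
    parser = UploadPasteAudit()
    parser.feed(html)
    parser.close()
    scripted_paste = any(PASTE_CALL.search(c) for c in parser.script_chunks)
    return {"file_inputs": parser.file_inputs,
            "scripted_paste": scripted_paste,
            "flagged": parser.file_inputs > 0 and scripted_paste}

# Constructed sample pages (not taken from the bulletin or any real site).
SUSPECT = ('<body onload="document.execCommand(\'Paste\')">'
           '<form method="post"><input type="FILE" name="f"></form></body>')
UPLOAD_ONLY = '<form method="post"><input type="file" name="f"></form>'
EDITOR_ONLY = '<script>Document.ExecCommand("paste")</script><p>notes</p>'

if __name__ == "__main__":
    for name, page in [("suspect", SUSPECT), ("upload", UPLOAD_ONLY), ("editor", EDITOR_ONLY)]:
        print(name, audit_page(page))
```

A page is flagged only when both ingredients are present, so an ordinary upload form or a script that pastes into a non-upload field is reported but not flagged.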

Microsoft first attempted to address the problem with a patch issued Oct. 16. Unfortunately, another method of putting a file name into the file upload intrinsic control was discovered a few days later: The Son of Cuartango Hole. Microsoft released an updated patch Nov. 18. The updated patch fixes both the original problem and the newly discovered variant. "Microsoft highly recommends that all affected customers -- including anyone who downloaded the original patch before Nov. 18 -- download and install the updated patch to protect their computers," according to the security bulletin at http://www.microsoft.com/security/bulletins/ms98-015.asp.

Microsoft warns that the security hole could potentially also affect software that uses "HTML functionality provided by Internet Explorer 4.01, even if Internet Explorer is not used as your default browser." To obtain the patch, Internet Explorer 4.01 users should go to http://www.microsoft.com/ie/security/paste.htm.

According to Microsoft, "Windows 98 customers can obtain the updated patch using Windows Update. To obtain this patch using Windows Update, launch Windows Update from the Windows Start Menu and click 'Product Updates.' When prompted, select 'Yes' to allow Windows Update to determine whether this patch and other updates are needed by your computer. If your computer does need this patch, you will find it listed under the 'Critical Updates' section of the page."

Internet Explorer 3.x and 4.0 are not affected.