Analysis: IE5 flaw makes PCs vulnerable

Internet Explorer 5 design flaw leaves users' PCs vulnerable to malicious code via Web surfing and e-mail.

Some hackers search for security holes in order to exploit them; others look for them for the sheer intellectual challenge. The latter is true in the case of Bulgarian hacker Georgi Guninski, who has repeatedly exposed dangerous security holes in Microsoft products.

Guninski's latest discovery -- a treacherous design flaw in Internet Explorer 5.0 -- is perhaps the most serious ever. It allows anyone with a Web page to take over your computer system via a few simple lines of text within the HTML code that comprises the page. If you so much as visit the page, your system may be subject to the exploit.

As if this weren't bad enough, hostile HTML code can also be included in an e-mail message. This is possible because many e-mail programs, including Outlook Express, Outlook, Eudora Lite and Eudora Pro, invoke IE5 "behind the scenes" to display e-mail that contains HTML code. So, even if you are not using IE5 for your usual Web browsing, you may be susceptible.

Finally, the exploit can be triggered if you read Internet newsgroups with IE5, because -- as with e-mail -- a public message posted to one of these groups can contain the hostile HTML code that compromises your system.

Guninski's discovery involves an ActiveX control, included with IE5, that is designed to create "scriptlets" -- small programs that run on the user's machine when he or she views a Web page or e-mail message. (The control is called "Object for constructing type libraries for scriptlets".)

Unfortunately, the ActiveX control has free access to the user's file system and can easily be made to run amok, overwriting vital system files or planting Trojan horse programs within the system. Because Windows 95, Windows 98 and Windows NT systems are all susceptible, the hole allows anyone with a Web page to plant malicious programs such as Back Orifice or Back Orifice 2000 on the system, invisibly taking it over.
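Because the hostile HTML can arrive by Web page, e-mail or newsgroup post alike, one defensive measure that does not depend on Microsoft is to inspect HTML bodies before a client renders them with the IE engine. The following is an added example, not code from the article or from Guninski: a small content filter that flags the constructs by which a page or message reaches an ActiveX control from script (object tags with a classid, JavaScript ActiveXObject calls, VBScript CreateObject calls). The rule set is my own choice, and the classid and "Example.Control" name in the sample message are constructed placeholders, not the control the article describes.

```python
"""Flag HTML bodies that try to load or script an ActiveX control.

Added example for a mail/news gateway: nothing is executed, the filter only
reports the markup and script calls that make a COM object reachable from a
page or message so the item can be held for review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str      # which pattern fired
    snippet: str   # the matched text, truncated for the report
    offset: int    # character offset in the body


# Deliberately broad: a gateway wants to quarantine for review, not prove
# exploitation. Each pattern names one way HTML can reach a COM object.
RULES = [
    ("object-tag", re.compile(r"<object\b[^>]*>", re.I | re.S)),
    ("classid-attr", re.compile(r"classid\s*=\s*[\"']?clsid:[0-9a-f-]+", re.I)),
    ("js-activexobject", re.compile(r"new\s+ActiveXObject\s*\(", re.I)),
    ("vbs-createobject", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("vbscript-block", re.compile(r"<script\b[^>]*language\s*=\s*[\"']?vbscript", re.I)),
    ("embed-tag", re.compile(r"<embed\b[^>]*>", re.I)),
]


def scan_html(body: str) -> list[Finding]:
    """Return every rule hit in the body, in rule order."""
    findings: list[Finding] = []
    for rule, pattern in RULES:
        for m in pattern.finditer(body):
            findings.append(Finding(rule, m.group(0)[:60], m.start()))
    return findings


def rules_hit(body: str) -> list[str]:
    """Sorted, de-duplicated rule names that fired; handy for a log line."""
    return sorted({f.rule for f in scan_html(body)})


def verdict(body: str) -> str:
    """Gateway decision: hold anything that touches a COM object."""
    return "quarantine" if scan_html(body) else "deliver"


# Constructed sample messages (not real traffic).
BENIGN = (
    '<html><body><h1>Newsletter</h1><p>Hello <b>reader</b>, '
    'see <a href="http://example.invalid/">our site</a>.</p></body></html>'
)

# The classid below is an all-zero placeholder and "Example.Control" is a
# hypothetical ProgID; both stand in for whatever a hostile message would name.
SUSPICIOUS = """<html><body><p>Hi</p>
<object id="x" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script language="vbscript">
Set o = CreateObject("Example.Control")
</script>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, verdict(body), rules_hit(body))
```

The filter is intentionally coarse: in 1999 there was no patch, so any HTML that reaches a COM object from a mail or news body is worth holding, and a short allow-list can be layered on top for known newsletters that legitimately embed objects.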

Guninski's explanation of the hole, and the ways in which it can be abused, can be found at his Web site.

ActiveX, a scheme used by Microsoft (Nasdaq:MSFT) to create software "components" that can be run by other programs, has been criticized by computer security experts because it lacks safeguards against abuse by malicious hackers.

Protect yourself
Since Microsoft has not posted a patch or even an advisory about the ActiveX scripting hole Guninski discovered, users must take steps themselves to prevent their systems from being exploited.

A partial solution is to run a different browser, such as Netscape Navigator or Opera. (Opera is gaining in popularity because, unlike Netscape, it does not flash distracting advertisements at the user while files are being downloaded or divert the user to Netscape's search pages.) However, because IE5 is very tightly "wired" into Windows 98, and may pop up unexpectedly or be invoked by third-party programs such as Quicken, TurboTax or Eudora, it is also important to take measures to disable the ActiveX feature that causes the vulnerability.

The best ways to do this are as follows:

Change the default security setting for the Active Desktop's "Internet Zone" from "medium" to "high."

Disable the option "Script ActiveX controls marked safe for scripting."

Disable IE's Active Scripting feature.

Disable all ActiveX controls and plug-ins.

It is recommended that users take not just one but all of these steps to protect themselves.
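Because IE's zone settings live in the registry, an administrator can check whether every machine actually has all four steps applied rather than trusting users to click through the dialog. The following is an added example, not from the article: it reads the Internet-zone section of a regedit export and reports which steps are still outstanding. The key path and action codes are Microsoft's documented zone settings (KB 182569: zone 3 is the Internet zone; action 1200 is "Run ActiveX controls and plug-ins", 1400 is "Active scripting", 1405 is "Script ActiveX controls marked safe for scripting"; a DWORD of 0 enables, 1 prompts, 3 disables; CurrentLevel 0x12000 is the High template and 0x11000 Medium). Re-check those codes against that KB for the IE build you audit; the two registry exports in the block are constructed samples.

```python
"""Audit an IE Internet-zone configuration against the four steps above.

Added example. Input is the text of a .reg file exported with regedit; the
audit returns a list of findings, empty when every step is in place.
"""
import re

# Documented IE zone key for the Internet zone (zone 3); assumption to re-check
# against KB 182569 on the build being audited.
ZONE_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_HIGH, LEVEL_MEDIUM = 0x12000, 0x11000

# (action code, description as the article's checklist words it)
CHECKS = [
    ("1405", "Script ActiveX controls marked safe for scripting"),
    ("1400", "Active Scripting"),
    ("1200", "ActiveX controls and plug-ins"),
]


def parse_zone_section(reg_text: str) -> dict:
    """Return {value_name: int} for DWORD values under the Internet-zone key."""
    values = {}
    in_section = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new key starts
            in_section = (line == ZONE_KEY)
            continue
        if not in_section:
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_internet_zone(values: dict) -> list:
    """One finding per step from the checklist that is not applied."""
    findings = []
    if values.get("CurrentLevel") != LEVEL_HIGH:
        findings.append("Internet zone security level is not set to High")
    for code, desc in CHECKS:
        # A missing value means the template default applies, which for the
        # Internet zone at Medium is 'enable', so treat it as not disabled.
        if values.get(code, ENABLE) != DISABLE:
            findings.append(f"{desc} is not disabled (action {code})")
    return findings


def audit_reg_export(reg_text: str) -> list:
    return audit_internet_zone(parse_zone_section(reg_text))


# Constructed exports: a default Medium machine and one with all steps applied.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1200"=dword:00000000
"1400"=dword:00000000
"1405"=dword:00000000
"""

HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00012000
"1200"=dword:00000003
"1400"=dword:00000003
"1405"=dword:00000003
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_reg_export(text) or "all four steps applied")
```

Run it against `regedit /e` output from each workstation; a non-empty result lists exactly which of the four steps is missing, which is more useful than a pass/fail flag when walking users through the Internet Options dialog.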

Microsoft has recently been embarrassed by other security holes, including one involving a security flaw in its Java Virtual Machine. At this writing, Microsoft has posted a security advisory concerning the JVM bug and has published a patch for it. However, it has not yet publicly addressed Guninski's ActiveX scripting hole, leaving users at risk of attacks.