IE 5.0 security hole exposed
This latest problem can occur through what appears to be a download file link on a Web page, newsgroup message or HTML e-mail message. The bogus download link can open a path to your computer, through which it's possible to read files on your computer. You don't need to click on the link to be affected, because it's possible to activate the link automatically when you view the Web page or e-mail message.
The problem is in the Active Scripting component of Microsoft (Nasdaq:MSFT) Internet Explorer 5. Working behind a corporate firewall or proxy is no protection from this security hole.
What can you do about it?
There's no patch available for the problem, though Microsoft has issued a security alert and is working on the problem now.
In the meantime you can protect yourself by switching off the Active Scripting component. In Internet Explorer 5, select Tools | Internet Options, then click on the Security tab. Select the Internet Zone, then click on the "Custom Level" button. Scroll down to the "Scripting" heading, find the "Active Scripting" entry and change it to "Disable." Click OK.
Keep in mind, this temporary fix may do you more harm than good. Scripting is used by many Web sites, and it's possible that some service on a Web page won't work once you turn scripting off. The best example of this is the Windows Update option in IE5 itself; this is the easiest way to update the browser with security patches and other new features. So if you turn off Scripting in IE5, you won't be able to use the Windows Update option to get the update to fix Scripting. Catch-22!
You could change the Scripting setting to "Prompt," which means you'll get a warning when you go to a Web page that has a scripting component. The problem with this is that the prompt gives you no indication of what the scripting will do, so you're asked to make a decision with no information.
While the risk in the short term of this problem is relatively low, you can switch off scripting if you're concerned -- but keep in mind the consequences. Remember to turn scripting back on when using Tools | Windows Update to check for an update. Let's hope the security patch for this problem arrives soon.
For other IE5 security bugs of late, don't miss these bug reports:
- Internet Explorer 5 Rendering Engine Alters HTML Attribute Tags
- IE5 Security Breach: How To Protect Your Passwords
- IE5 Security Hole Makes Users' PCs Vulnerable