X
Business

IE 5.0 security hole exposed

Internet Explorer 5.0's Active Scripting bypasses firewalls to access PCs via Web pages and e-mail.
Written by Peter Deegan, Contributor
Every time you look there's another security breach found in Microsoft Internet Explorer 5.0. Like many of these problems there are no reports of it being used maliciously yet, but now that the details are out, the chances of someone making use of the information grows.

This latest problem can occur through what appears to be a download file link on a Web page, newsgroup message or HTML e-mail message. The bogus download link can open a path to your computer, through which it's possible to read files on your computer. You don't need to click on the link to be affected because it possible to automatically activate the link when you view the Web page or e-mail message.

The problem is in the Active Scripting component of Microsoft (Nasdaq:MSFT) Internet Explorer 5. Working behind a corporate firewall or proxy is no protection from this security hole.

What can you do about it?
There's no patch available for the problem, though Microsoft has issued a security alert and is working on the problem now. In the meantime you can protect yourself by switching off the Active Scripting component. In Internet Explorer 5, select Tools | Internet Options, then click on the Security tab. Select the Internet Zone, then click on the "Custom Level" button. Scroll down to the "Scripting" heading, find the "Active Scripting" entry and change it to "Disable." Click OK.

Keep in mind, this temporary fix may do you more harm than good. Scripting is used by many Web sites, and it's possible that some service on a Web page won't work once you turn scripting off. The best example of this is the Windows Update option in IE5 itself; this is the easiest way to update the browser with security patches and other new features. So if you turn off Scripting in IE5 you won't be able to use the Windows option to get the update to fix Scripting. Catch 22!

You could change the Scripting setting to "Prompt," which means you'll get a warning when you go to a Web page that has a scripting component. The problem with this is that the prompt gives you no indication of what the scripting will do so you're asked to make a decision with no information.

While the risk in the short term of this problem is relatively low, you can switch off scripting if you're concerned -- but keep in mind the consequences. Remember to turn scripting back on when using Tools | Windows Update to check for an update. Let's hope the security patch for this problem arrives soon.

For other IE5 security bugs of late, don't miss these bug reports:


Editorial standards