MS plays down new IE4 bug

Microsoft Corp. officials promise to supply a fix within 24 hours for an executable code bug they describe as "obscure."
Written by Maria Seminerio, Contributor

The bug - a security hole in Internet Explorer 4.0 that allows malicious HTML code to be executed on a victim's PC, potentially running, changing, or deleting files - has not yet affected any users as far as Microsoft knows, said Dave Fester, group product manager for IE 4.0, in Redmond, Wash.

Company officials first heard of the bug, discovered by security group L0pht Heavy Industries, Monday afternoon, Fester said. They began tests to determine its potential impact and concluded the bug can only affect customers running IE 4.0 on Windows 95, he said.

"It's a pretty obscure bug," Fester said. "We needed to take a little bit of time to determine exactly what it was before we announced the fix."

The glitch comes up when a user links to a specific type of Web address, a so-called "res://" address, that is longer than 256 characters. The browser, in storing the address, copies it into a fixed-size area of memory that holds only 256 characters; the extra characters spill past the end of that area into adjacent memory, which is what is called a "buffer overflow." The characters, which could contain malicious commands, can then be executed on the machine.
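To make the mechanism concrete, here is an added example (not Microsoft's code, and not L0pht's finding, but a hypothetical reconstruction of the pattern the article describes): a fixed 256-byte buffer receiving the body of a `res://` address. The unchecked copy shows the defect; the checked copy shows the fix a vendor would ship, rejecting any address that does not fit before writing anything. The buffer size, function names and the sample URLs are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the article describes: room for 256
 * characters of res:// address. Assumed value, not IE 4.0's actual code. */
#define RES_PATH_MAX 256

/* Return a pointer to the part of the URL after the "res://" scheme,
 * or NULL if the URL does not use that scheme. */
static const char *res_scheme_body(const char *url) {
    static const char prefix[] = "res://";
    size_t plen = sizeof(prefix) - 1;
    if (strncmp(url, prefix, plen) != 0)
        return NULL;
    return url + plen;
}

/* The unsafe pattern: copies the address body into a fixed 256-byte
 * buffer with no length check. A body of 256 or more characters writes
 * past the end of the buffer into adjacent memory, which is the defect
 * the article reports. Kept only for comparison; never called here. */
void copy_res_path_unchecked(char dst[RES_PATH_MAX], const char *url) {
    const char *body = res_scheme_body(url);
    if (body)
        strcpy(dst, body);   /* no bound: overflows when strlen(body) >= 256 */
}

/* Hardened form: reject any body that does not fit, including its NUL
 * terminator, before touching the buffer. Returns 0 on success, -1 when
 * the URL is not res:// or is too long for the buffer. */
int copy_res_path_checked(char dst[RES_PATH_MAX], const char *url) {
    const char *body = res_scheme_body(url);
    if (!body)
        return -1;
    size_t n = strlen(body);
    if (n >= RES_PATH_MAX)      /* need room for the terminating NUL */
        return -1;
    memcpy(dst, body, n + 1);
    return 0;
}

/* Constructed inputs so the behaviour can be checked offline. */
int short_res_url_accepted(void) {
    char buf[RES_PATH_MAX];
    return copy_res_path_checked(buf, "res://example.dll/page.htm") == 0
        && strcmp(buf, "example.dll/page.htm") == 0;
}

int long_res_url_rejected(void) {
    /* Constructed input: "res://" followed by 300 'A' characters,
     * i.e. an address well past the 256-character limit. */
    char url[6 + 300 + 1];
    memcpy(url, "res://", 6);
    memset(url + 6, 'A', 300);
    url[6 + 300] = '\0';
    char buf[RES_PATH_MAX];
    return copy_res_path_checked(buf, url) == -1;
}

int non_res_url_rejected(void) {
    char buf[RES_PATH_MAX];
    return copy_res_path_checked(buf, "http://example.com/") == -1;
}

int main(void) {
    printf("short res:// URL accepted: %d\n", short_res_url_accepted());
    printf("300-char res:// URL rejected: %d\n", long_res_url_rejected());
    printf("non-res:// URL rejected: %d\n", non_res_url_rejected());
    return 0;
}
```

The design point is that the check happens on the length of the input before the copy, with the NUL terminator counted, so an over-long address is refused rather than truncated into adjacent memory; the same bounds discipline applies to any fixed-size buffer that receives attacker-supplied text.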

The fix will be posted by Wednesday at www.microsoft.com/ie/security/, Fester said.
