Security flaw found in IE 4.0

Written by Larry Seltzer, Contributor

Last June, the Internet community went into an uproar when a Danish computer consultant discovered a security flaw in the first release of Netscape Navigator 4.0. The bug would let clever intruders get access to Web surfers' local files.

Now it's Microsoft's turn.

Yesterday, the German computer magazine C'T reported that Ralf Hueskes, a consultant at a German company called Jabadoo Communications, found a similar security hole in Microsoft Internet Explorer 4.0 when he reviewed the browser for that magazine.

Using Dynamic HTML, an intruder can hide a 1- by 1-pixel IFRAME with a reference to the file he wants to see (the path and the name) in a Web page or a mail message. When the victim reads the page or message, the browser or Outlook Express client loads the referenced file into an invisible window via a small JScript (or any Active Scripting) program. An additional hidden IFRAME sends it to the intruder's server. The intruder can't change or delete the file; he can simply read it. Interestingly, the flaw does not seem to appear in Macintosh versions of the browser.

Because the file needs to load into a browser frame, the bug allows access only to text or HTML files. And since a file's exact location in the file system may not be obvious, the potential for mischief isn't necessarily huge.

C'T alerted Microsoft Germany to the problem, and officials said Thursday night that Microsoft would post a fix on its site as early as today. Representatives at Microsoft's U.S. headquarters also confirmed to The San Jose Mercury News that the company would make a patch available, and they pointed out that users can protect themselves by disabling Active Scripting (View/Internet Options/Security/Custom/Settings/Scripting). Note, however, that disabling scripting will make much Web content inaccessible.
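
As an added illustration (not part of the original article and not code from Microsoft or C'T), a mail or Web content filter can flag the markup pattern described above: frames that are invisible, that reference the local file system, or both. The sample HTML, the function names and the heuristics are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample message body (not from the article); paths and hosts are placeholders.
SAMPLE_HTML = """
<html><body><p>Hello</p>
<iframe width="1" height="1" src="file:///C:/example/placeholder.txt"></iframe>
<iframe style="display:none" src="http://collector.example/"></iframe>
<iframe width="600" height="400" src="https://www.example.com/page"></iframe>
</body></html>
"""

_LOCAL_PATH = re.compile(r"^(?:[a-zA-Z]:[\\/]|\\\\)")  # C:\..., C:/..., \\server\share
_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True for a pixel size of 0 or 1 ("1", "1px"); percentages do not count."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1


class FrameAudit(HTMLParser):
    """Collects frames that are invisible and/or point at the local file system."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        src = a.get("src", "").strip()
        local = src.lower().startswith("file:") or bool(_LOCAL_PATH.match(src))
        hidden = (_tiny(a.get("width")) and _tiny(a.get("height"))) or bool(
            _HIDDEN_CSS.search(a.get("style", "")))
        if local or hidden:
            self.findings.append({"src": src, "local_file": local, "hidden": hidden})


def audit(html):
    """Return one finding per suspicious frame, in document order."""
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A finding with both `local_file` and `hidden` set corresponds to the first frame in the reported technique; a hidden frame with a remote source is weaker evidence on its own and is worth correlating with the first.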
