:   Netscrap(TM)   :   TEMP   :   Netscrap #455   :  

Serious security flaw found in Microsoft

----- Begin NetScrap(TM) -----

Serious security flaw found in Microsoft
from USA today: Serious security flaw found in Microsoft browser SEATTLE - Microsoft Corp. programmers hustled to fix a dangerous security flaw in its Internet Explorer browser that could allow a Web site operator to secretly run programs or destroy files on someone else's personal computer. Although the company said it had received no customer reports of security breaches, a computer security expert said the problem was extremely serious because it bypasses the widely used software's security measures. "It is as if you allowed someone to type on your computer and you go out to lunch," said Simson Garfinkel, an author of Internet security books and columnist for HotWired magazine and the Boston Globe. The flaw could result in all sorts of mischief, such as preventing another person's computer from starting up or sending e-mail from another person's account, Garfinkel said. Microsoft officials said Monday they were testing a solution for the problem and expected to have it quickly posted to the company's site on the World Wide Web. Internet Explorer, Microsoft's key Internet product, is used by millions of people worldwide to access the Web. Microsoft estimates it has a 25% to0% market share, behind Netscape Communications Corp.'s Navigator program. Officials at Netscape, Microsoft's bitter rival, stressed their product does not have the security flaw. "Netscape does not have any similar problem nor have we had any attack so wide in scope with any technology," said Eric Greenberg, senior security product manager for Netscape. "Microsoft is newer to the Internet arena and is encountering some of the problems with trying to catch up," Greenberg said. Paul Balle, a product manager for Microsoft's Internet Explorer team, said Microsoft learned of the flaw Monday after it was discovered last week by a student at Worcester Polytechnic Institute in Worcester, Mass. The student, Paul Greene, and his friends posted information about the flaw on their Web site. "We take this very seriously," Balle said. "The moment we found out about it, we got our developers and program managers on it." Balle said the bug is especially worrisome because it bypasses even the highest levels of Internet Explorer's security systems. On his Web page, Greene noted that "Windows 95 comes with a variety of potentially damaging programs which can easily be executed." As an example, Greene said certain links could create and delete some directories on a Windows 95 machine. Greene said in an interview with InfoWorld Electric, posted to that Web site Monday afternoon, that the problem appears only to affect Internet Explorer. "The ramification for [Internet Explorer] is that any anti-Microsoft jerk can set up their Web site to be destructive to anyone using Internet Explorer and safe for all other browsers," InfoWorld quoted Greene as saying. Although Microsoft was responding quickly, security expert Garfinkel said eradicating the problem would still depend on all existing Internet Explorer users modifying their software. "The reason that it is so serious is that it is very easy to exploit this bug and the knowledge on how to exploit it has been widely disseminated to the public," he said. "There are millions of people using Internet Explorer that would not move quickly to update," he added. Balle said that in the year that Internet Explorer versions.0 and.1 have been available, this was the first time the security problem had been reported to Microsoft. The problem primarily is in those versions of Internet Explorer, but possibly might affect previous versions, he said. The flaw involves basic functions found within Microsoft's Windows 95 and Windows NT operating systems. When a PC user clicks on a hyperlink on a Web page, Balle explained, a Web page creator could have that link connect to a file known as a "shortcut" in Windows 95 and NT. Shortcuts are widely used to start computer programs or functions. If the "Webmaster" for the Web page can guess the precise location and code needed on the user's computer, shortcuts on the Web page could surreptitiously select and start programs on the user's hard drive. "If they can guess it, they can get to it," Balle said. Many widely available programs such as Windows 95 have standard locations or addresses where their components are stored on computers. Unless a PC user custom-installed or otherwise modified a program, the addresses would be simple to guess. More information about the flaw can be found at Microsoft's Internet site (http://www.microsoft.com/ie/default.asp). Greene's site is: http://www.cybersnot.com. InfoWorld's site is: http://www.infoworld.com.
----- End NetScrap(TM) -----
Entered on: 05/19/1998
Send it: Claim it:
Copy and paste this into an email to a friend. We can make it easy for you. Mail it off with the Netscrap(TM) MailTool. Did you do this? Do you own it? Can you prove it? Netscrap.com's mission is to reunite jokes like this with their creators. Take credit for your fine work.

75 Chars Wide
We're testing ads. Send feedback if you have opinions about this.
Original music update daily:

Please visit our sponsor!