Date sent: Tue, 04 Mar 1997 05:07:40 -0800
From: Kent Steadman <phikent@aol.com>
To: iufo@world.std.com
Subject: IUFO: More goop on Gates: Internet Explorer


Serious Security Flaw Discovered in Microsoft Corp.'s Internet Explorer

SEATTLE (AP) -- A serious security flaw has been discovered in Microsoft Corp.'s Internet Explorer browser that could potentially allow the operator of a Web site to secretly run programs stored on someone's personal computer.

Microsoft officials said Monday they were testing a solution for the problem and expected to have it quickly posted to the company's Web site.

The problem could result in all sorts of mischief, such as someone preventing another person's computer from starting up or sending e-mail from another person's account, said Simson Garfinkel, an independent expert on computer security.

``It is as if you allowed someone to type on your computer and you go out to lunch,'' said Garfinkel, an author of Internet security books and columnist for HotWired magazine, the Mercury News and the Boston Globe.

Internet Explorer, Microsoft's software for accessing the Web, is used by millions of people worldwide. Microsoft estimates it has a 25 percent to 30 percent market share, behind Netscape Communications' Navigator program.

Paul Balle, a product manager for Microsoft's Internet Explorer team, said the software bug was discovered last week by a student at Worcester Polytechnic Institute in Worcester, Mass.

The student, Paul Greene, and his friends posted information about the flaw on their Web site Monday. After verifying the problem was legitimate, Microsoft programmers immediately began work to correct it, Balle said.

Balle said the bug is especially worrisome because it bypasses even the highest levels of Internet Explorer's security systems.

``We take this very seriously,'' Balle said. ``The moment we found out about it, we got our developers and program managers on it.''

On his Web page, Greene noted that ``Windows 95 comes with a variety of potentially damaging programs which can easily be executed.''

As an example, Greene said certain links could create and delete some directories on a Windows 95 machine.

Balle said that in the year that Internet Explorer versions 3.0 and 3.1 have been available, this was the first time the security problem had been reported to Microsoft. The problem primarily is in those versions of Internet Explorer, but possibly might affect previous versions, he said.

Greene said in an interview with InfoWorld Electric that the problem appears only to affect Internet Explorer and not Navigator or other non-Microsoft browsers.

``The ramification for IE is that any anti-Microsoft jerk can set up their web site to be destructive to anyone using Internet Explorer and safe for all other browsers,'' InfoWorld quoted Greene as saying.

The flaw involves basic functions found within Microsoft's Windows 95 and Windows NT operating systems.

When a PC user clicks on a hyperlink on a Web page, Balle explained, the Web page's creator could have that link connect to a file known as a ``shortcut'' in Windows 95 and NT. Shortcuts are widely used to start computer programs or functions.

If the ``webmaster'' for the Web page can guess the precise location and code needed on the user's computer, the shortcuts on the web page could surreptitiously ``point to'' and start programs residing on the user's hard drive.

``If they can guess it, they can get to it,'' Balle said.

The problem, Balle said, is many widely available programs such as Windows 95 have standard locations or addresses where their components are stored on computers. Unless a PC user custom-installed or otherwise modified a program, the addresses would be simple to guess.