The company confirmed yesterday that its Internet Explorer 3.0 and 3.01 browsers contain a security hole that could allow hackers to completely bypass the browsers' system for screening unauthorized code. The hole was discovered by a trio of students from the Worcester Polytechnic Institute last week and is not related to widely publicized security problems linked to ActiveX, a technology for running software components within Explorer.
Instead of creating a malicious ActiveX control, the students were able to remotely create and delete folders using malicious Shortcuts, a Windows 95 and Windows NT feature for triggering actions and applications on the operating systems. In order for the hole to be exploited, the user would have to log on to the hacker's Web site and then click on a shortcut disguised as a hyperlink.
Microsoft acknowledged that the security hole could allow a hacker to access a PC while it is logged on to a given Web site and delete files and folders. The students who discovered the glitch maintain, however, that it could be used to do much more, including reformatting users' hard drives or stealing files from their PCs.
The Worcester students have set up a Web site that demonstrates some of the ways in which the hole can be exploited.
Netscape Communications' Navigator does not have the same problem, according to Geoff Elliott, one of the students who found the hole.
This is not the first time that Explorer's security systems have been shown up in public. In January, a group of German hackers, the Chaos Computer Club, demonstrated an ActiveX control that made unauthorized bank funds transfers from users' bank accounts. Microsoft has always vigorously defended the security protections in its browser, but it appears to have been caught off guard by the latest breach.
Explorer contains a feature called Authenticode that examines each ActiveX control and Java applet to make sure that it has been digitally signed by a trusted source. If users ignore the Authenticode warnings about unsigned programs, their systems are wide open to attacks. The students, however, didn't use executable code--that is, a software program--but instead used a feature of the operating system itself.
"For executables, we have great security," said Dave Fester, lead product manager for Internet Explorer. "This is going around that. You download a link, and it points you to a program on your own computer."
Instead of executable code, this new hole involves ".url" and ".lnk" files--also known as Windows 95 and NT Shortcuts. A malicious Web site operator could post a link to an ".url" file that, for example, creates a folder on a user's computer and then deletes it. The Shortcut is able to do that simply by remotely activating a command in Windows 95 rather than sending code over the network.
The fix Microsoft is currently testing for Explorer will prompt users with a warning window before allowing them to download Shortcuts from a Web site, just as Authenticode now warns users of ActiveX controls of unknown origin. If users want to take the risk, they can still download a Shortcut file. "[The fix] will bring '.lnk' and '.url' files into the IE security model," Fester said today.
Although Microsoft was quick to fill the security hole, Fester downplayed the risk posed. He said that a Web site would need to know the precise name of a folder on the PC, such as "MSOffice" for Microsoft's Office applications, in order to delete it. He also said that none of the files or applications in the folder could be deleted if they were open.
One of the Worcester students, Brian Morin, said that the security flaw stemmed from Explorer's close integration with Windows.
"It is interesting to note that everybody is so paranoid about Java and ActiveX [while] nobody bothered to look at the simple and obvious security holes that arise when Internet Explorer is tied so closely to the desktop," he said.
Some observers think this problem will get worse, not better. "I suspect more of these things will start to appear as Microsoft integrates Explorer with Windows," said Ira Machefsky, a senior industry analyst at the Giga Information Group.
Like Sun officials in response to reports of Java security problems, Microsoft representatives stress that while these security problems are real, there is no evidence that anyone has actually hacked anything.
"We are super happy that they proactively brought this to our attention," Fester said. "No customers have been affected by this."
Microsoft has posted information on the security hole on its Web site.