As reported yesterday, the glitch affects users of Internet Explorer 3.x and the platform preview release of Explorer 4.0 who also have PowerPoint loaded onto their computers. The problem could allow a malicious Web site to execute any program on a user's computer without permission, including deleting files and uploading private information.
The fix is available from Microsoft's security Web site.
Many security analysts believe that the problems that have bedeviled Explorer stem from the browser's close integration with older technologies, including the Windows 95 and NT operating systems and its ActiveX software component architecture (formerly known as OLE). The analysts have questioned whether Microsoft may have skimped on security planning in its rush to retrofit those technologies for the Internet.
The latest security glitch adds a new twist since it is caused by the integration of Explorer and PowerPoint, part of Microsoft's extremely popular Office 95 and 97 application suites. There are approximately 60 million Office users, according to the company.
"A number of these bugs or holes we've seen in the last six months failed to result in any major data loss, but the fact they're there is significant," said Stephen Cobb, chief analyst at Cobb Associates. "Microsoft hasn't gone out and rounded them up. I would have thought that when the first of these holes appeared, they would go back and do a serious review of their strategy."
The glitch involves a PowerPoint feature called action settings, which is innocuous when used on a standalone PC. Using action settings, creators of presentations can cause PowerPoint to launch any executable program by clicking on or passing the cursor over any image or text.
On the Internet, though, the feature could be exploited by a hacker to trigger a variety of malicious actions, such as launching an FTP client to upload private documents to a Web site. When an Explorer user clicks a hyperlink on a Web site to a PowerPoint presentation, PowerPoint is automatically launched from the computer, displaying the presentation within the browser frame.
Because the presentation does not contain any executable code itself but instead points to executables already on the user's computer, the user does not receive any warning before downloading the program.
"The problem comes largely from the integration [between Office and Explorer]," said Andrew Smith, a Webmaster for Kaiser Permanente in Latham, New York, who discovered the problem. "I see that the integration is very useful on an intranet. I personally like stuff like that, but I see the potential on the Internet to cause problems."
Smith said he discovered the problem Wednesday and notified Microsoft immediately. He said that he tested a fix Thursday from Microsoft that warns users about potential security risks before they download a PowerPoint presentation and adds that it works. Smith has posted a Web site that demonstrates the glitch.
Kevin Unangst, an Explorer product manager at Microsoft, said that the problem would affect other browsers such as Netscape Communications' Navigator, but admitted that it would be easier to exploit in Explorer because of its integration with PowerPoint.
"This can happen in any browser, but it's a bit easier in Internet Explorer because PowerPoint displays in the frame," he said.
Beth Herrell, an Office 97 product manager at Microsoft, said that Microsoft did not anticipate the implications of the PowerPoint feature when used on the Internet but that the company is loath to remove features. Herrel noted the company would look more closely at Office in the future to evaluate the potential risks of certain features.
"In a lot of cases, there are a lot of features in different products that can be misused in this new paradigm," she added.
Microsoft's PowerPoint team is preparing a separate patch for the bug that will provide users with more detailed information about security risks before they download a presentation off the Internet. That patch should be up next week, a company spokeswoman said today.
For an alternative download site for this security fix, visit DOWNLOAD.COM.