Microsoft and Netscape are facing a swarm of browser bugs with
potentially serious privacy and security implications.
Microsoft in recent weeks has issued a trio of bug patches and is working
on a fourth; Netscape is investigating two browser security problems. Both
companies reiterated their long-standing position that security is a high
priority, and Microsoft added that software bugs are a fact of life that is
not going away.
Microsoft's first patch fixes an Internet Explorer vulnerability that lets a hostile Web site operator snoop on a visitor's files. The "Server-side Page Reference Redirect" vulnerability lies in the way IE checks for security permissions as servers redirect browsers from page to page.
Under some circumstances, a server can redirect
IE to a visitor's file and bypass security restrictions, literally giving
the Web site operator a window onto Web files, such as HTML documents or
JPEG images, located on the visitor's hard drive. The vulnerability does
not allow the attacker to change files, only read them.
The patch prevents those security restrictions from getting lost in the shuffle of
redirects. It also includes a patch, first released in September, for
the "ImportExportFavorites" vulnerability.
A second IE patch plugs a hole, dubbed the "WPAD Spoofing" vulnerability,
that lets an attacker change settings for a network's proxy server. IE 5
has a feature called Web Proxy Auto-Discovery (WPAD), which automatically
finds out the proper settings for the proxy server that sits as a portal or
buffer between its network, for instance a corporate intranet, and the
The problem with WPAD is that in searching for the proxy server, the
feature will go in search of it outside the network if it fails to find it
within the network. That could let a malicious hacker feed the browser
settings that would facilitate a broader attack. The browser would fail to
find the proxy server within the network if the server had been
misconfigured, according to Microsoft.
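The search described above can be modelled as a DNS lookup that tries a host named "wpad" under each parent domain in turn. The following is an added example, not code from the article or from Microsoft: the zone name, host names and log format are constructed, and the unbounded walk is a simplified model rather than IE's exact algorithm. It lists the names such a search would try, restricts them to the organisation's own zone, and flags logged lookups that leave it.

```python
ORG_SUFFIX = "corp.example.co.uk"   # constructed: the organisation's own DNS zone

def wpad_candidates(client_fqdn):
    """Names an unbounded WPAD DNS search tries, nearest parent domain first."""
    labels = client_fqdn.lower().rstrip(".").split(".")[1:]   # drop the host label
    return ["wpad." + ".".join(labels[i:]) for i in range(len(labels))]

def inside(name, org_suffix=ORG_SUFFIX):
    """True when name is the organisation's zone or a subdomain of it."""
    name = name.lower().rstrip(".")
    return name == org_suffix or name.endswith("." + org_suffix)

def bounded_candidates(client_fqdn, org_suffix=ORG_SUFFIX):
    """The same search, stopped at the network boundary."""
    return [n for n in wpad_candidates(client_fqdn) if inside(n, org_suffix)]

def escaping_queries(log_lines, org_suffix=ORG_SUFFIX):
    """Flag logged WPAD lookups whose name lies outside the organisation's zone."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue                      # skip malformed lines
        client, qname = fields[1], fields[2].lower().rstrip(".")
        if qname.split(".")[0] == "wpad" and not inside(qname, org_suffix):
            hits.append((client, qname))
    return hits

# Constructed resolver log: "<time> <client-ip> <query-name>"
SAMPLE_LOG = [
    "09:00:01 10.0.4.17 wpad.lab.corp.example.co.uk",
    "09:00:01 10.0.4.17 wpad.corp.example.co.uk",
    "09:00:02 10.0.4.17 wpad.example.co.uk",
    "09:00:02 10.0.4.17 wpad.co.uk",
    "09:00:03 10.0.4.22 www.example.org",
    "garbled",
]

if __name__ == "__main__":
    print(wpad_candidates("pc1.lab.corp.example.co.uk"))
    print(bounded_candidates("pc1.lab.corp.example.co.uk"))
    print(escaping_queries(SAMPLE_LOG))
```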
The patch, included in IE
5.01, prevents the browser's search for the proxy server from leaving
the network. Microsoft credited Tim Adam of Open Software Associates for discovering the
Microsoft's third IE patch addresses a problem for users of IE in
conjunction with Microsoft's Windows NT operating system. The "IE Task
Scheduler" vulnerability lets a hostile user within a network gain improper
administrative privileges to change or create files.
The task scheduler lets a network administrator assign authority to certain
users to let them run code on client machines. The vulnerability permits a
user to alter an existing job and have it executed, bypassing restrictions.
The task scheduler, an optional component not installed by default, takes
the place of the Windows NT Schedule Service, also known as the "AT
The patch, also included in IE 5.01, requires that all jobs be digitally
signed when they are created and be verified before execution. Microsoft
credited Arne Vidstrom and Svante Sennmark for discovering the bug.
Microsoft said it was developing a patch for a fourth security hole that
permits a "buffer overrun" attack. In a buffer overrun, thought to be the most common form of computer
security bug, an address field is vulnerable to flooding by an
extremely long string of characters that can crash the computer. Excess
characters can wind up in memory, where they can be executed on restarting.
The IE overrun exploits a Web radio protocol with the address prefix
"vnd.ms.radio:\\". IE users could fall victim to the attack by clicking on a
link on a hostile Web site, or in an HTML-based email.
A description of the bug was posted to the Bugtraq security mailing list by
Microsoft defended its security practices, noting that it investigates
every security alert that comes its way and solicits them through the firstname.lastname@example.org mailbox.
The company also says it has 100,000 subscribers to its mailing
list for notification of security problems and patches. The Windows Update site
analyzes visiting computers and automatically updates browsers with the
"We're never happy to have any kind of a flaw in any of our products, but
security vulnerabilities happen in software, and the important thing here
is that we're eliminating them," said Scott Culp, security products manager
for Microsoft. "We're rolling out patches quickly and broadly. We look into every report we get,
and monitor the security mailing lists and the hacker sites, and whenever
we get a report of a bug we build a patch for it. Because if we can find out
where they are, we can fix them."
For its part, Netscape, an acquired division of America Online, said it was
looking into a report of a buffer overrun issue affecting its Communicator
browser and Composer software for creating Web pages. The issue, reported
to Bugtraq, crashes the applications.
A second Communicator issue concerns the browser's implementation of
like pop-up windows and forms without requiring user interaction. The
problem, as described on the discoverer's Web site, is that the operator
of one Web site could snoop on potentially sensitive information, like
a bank personal identification number, contained in another page open in a