Microsoft in recent weeks has issued a trio of bug patches and is working on a fourth; Netscape is investigating two browser security problems. Both companies reiterated their long-standing position that security is a high priority, and Microsoft added that software bugs are a fact of life that is not going away.
Microsoft's first patch fixes an Internet Explorer vulnerability that lets a hostile Web site operator snoop on a visitor's files. The "Server-side Page Reference Redirect" vulnerability lies in the way IE checks for security permissions as servers redirect browsers from page to page.
Under some circumstances, a server can redirect IE to a visitor's file and bypass security restrictions, literally giving the Web site operator a window onto Web files, such as HTML documents or JPEG images, located on the visitor's hard drive. The vulnerability does not allow the attacker to change files, only read them.
Microsoft's patch prevents those security restrictions from getting lost in the shuffle of redirects. The patch also includes a patch, first released in September, for the "ImportExportFavorites" vulnerability.
A second IE patch plugs a hole, dubbed the "WPAD Spoofing" vulnerability, that lets an attacker change settings for a network's proxy server. IE 5 has a feature called Web Proxy Auto-Discovery (WPAD), which automatically finds out the proper settings for the proxy server that sits as a portal or buffer between its network, for instance a corporate intranet, and the wider Internet.
The problem with WPAD is that in searching for the proxy server, the feature will go in search of it outside the network if it fails to find it within the network. That could let a malicious hacker feed the browser settings that would facilitate a broader attack. The browser would fail to find the proxy server within the network if the server had been misconfigured, according to Microsoft.
Microsoft's third IE patch addresses a problem for users of IE in conjunction with Microsoft's Windows NT operating system. The "IE Task Scheduler" vulnerability lets a hostile user within a network gain improper administrative privileges to change or create files.
The task scheduler lets a network administrator assign authority to certain users to let them run code on client machines. The vulnerability permits a user to alter an existing job and have it executed, bypassing restrictions. The task scheduler, an optional component not installed by default, takes the place of the Windows NT Schedule Service, also known as the "AT Service."
The patch, also included in IE 5.01, requires that all jobs be digitally signed when they are created and be verified before execution. Microsoft credited Arne Vidstrom and Svante Sennmark for discovering the bug.
Microsoft said it was developing a patch for a fourth security hole that permits a "buffer overrun" attack. In a buffer overrun, thought to be the most common form of computer security bug, an address field is vulnerable to flooding by an extremely long string of characters that can crash the computer. Excess characters can wind up in memory, where they can be executed on restarting.
The IE overrun exploits a Web radio protocol with the address prefix "vnd.ms.radio:\\" IE users could fall victim to the attack by clicking on a link on a hostile Web site, or in an HTML-based email.
A description of the bug was posted to the Bugtraq security mailing list by Jeremy Kothe.
Microsoft defended its security practices, noting that it investigates every security alert that comes its way and solicits them through the email@example.com mailbox. The company also says it has 100,000 subscribers to its mailing list for notification of security problems and patches. The Windows Update site analyzes visiting computers and automatically updates browsers with the latest patches.
"We're never happy to have any kind of a flaw in any of our products, but security vulnerabilities happen in software, and the important thing here is that we're eliminating them," said Scott Culp, security products manager for Microsoft. "We're rolling out patches quickly and broadly. We look into every report we get, and monitor the security mailing lists and the hacker sites, and whenever we get a report of a bug we build a patch for it. Because if we can find out where they are, we can fix them."
For its part, Netscape, an acquired division of America Online, said it was looking into a report of a buffer overrun issue affecting its Communicator browser and Composer software for creating Web pages. The issue, reported to Bugtraq, crashes the applications.