The security hole in Microsoft's Internet Explorer 4 is a familiar problem for the browser. The software giant patched a similar hole last September. Dubbed the "Cross Frame Navigate Vulnerability" by Microsoft, the hole lets a malicious site author run a script that essentially hijacks a second browser window on the victim's computer.
Through that second window, the attacker can view a specified file on the client machine's hard drive. Microsoft's Internet Explorer browser, like others, normally lets the local user find files on the hard drive, as well as Web addresses, through the URL bar.
In addition to file-snatching, the cross-frame vulnerability presents a window-spoofing hazard. In this type of exploit, a malicious Web site operator uses control over the second window to display his or her own content from within a trusted third party's Web page.
Such a ruse could trick victims into handing over passwords, credit card numbers, or other sensitive information.
Microsoft patched a similar problem earlier this month, except that, in that case, the hypothetical exploit was spoofing frames--a type of window-within-a-window used on many Web sites--rather than entire windows.
The new hole was discovered by Bulgarian bug hunter Georgi Guninski, who has found a number of bugs in various browser makers' products.
Microsoft said it was working on a patch but did not estimate when it would be ready. Pending a fix, Microsoft recommends using IE's zone security feature to either disable scripting or to have the browser prompt the user before scripts run. A script is a set of commands that normally are executed without any action on the user's part.
Microsoft minimized the importance of two other IE glitches, but promised to fix them nonetheless.
One problem has to do with support for Hypertext Transfer Protocol 1.0.
HTTP 1.0 doesn't support persistent Internet connections, which means that each time a user hits a Web site a new connection must be negotiated. HTTP 1.1 does support persistent connections, meaning that the connection between server and client is maintained for the duration of the visit.
The problem with IE is that it ignores the 1.0 connection rules if it gets a response from a server supporting HTTP 1.1.
Microsoft said that the HTTP problem at worst wastes some connection resources, and that the problem will be fixed with the upcoming release of IE 4.01 Service Pack 2.
In its second minor glitch, IE is saving URLs in a hidden file even after a user clears the browser cache and history. Microsoft noted that exploiting this glitch would require physical access to the computer (such as in a shared computing environment), and said it is looking into a work-around. The bug is demonstrated on the Web by 17-year-old bug hunter Ward van Wanrooij of the Netherlands.
Microsoft is not the only browser maker with extermination problems this week. Norwegian firm Opera Software also has a privacy problem for users of shared computers.
The problem with Opera is that a browsing history file is displaying user names and passwords for Web-based accounts in plain text.
Opera said the problem only arises when three conditions all are met: the user has not closed the window with the password-protected site, has selected "save windows settings," and another user has access to the computer. Even after the browser is closed and restarted, the password information will be retrievable by a second user.
Passwords to secure sites (those beginning with "HTTPS") are not at risk.
Opera will fix the bug in the next minor release of the browser, Version 3.52.