A new bug that crashes Microsoft's Internet Explorer 4.01 browser is an annoyance but does not seem to pose a security threat.
Because of the flaw, a Web page designer can exploit the HTML "object" tag to make a user's browser crash and most likely force him to restart the system. The bug has been tested and found on IE 4.01 for Windows 95 and NT 4.0 systems.
Microsoft acknowledged the bug but stressed that a mischievous programmer must add a specific block of HTML to his Web site to affect users.
The worst-case risk apparently is loss of any unsaved data and settings when the browser crashes. Neither Microsoft nor Abe Getchell, a system administrator who posted news of the bug to the Bugtraq mailing list yesterday, has found more serious security implications. Microsoft isn't in a hurry to fix the problem.
"Microsoft has no current plans to implement a fix for these issues," a spokeswoman said. She added that Microsoft always works to improve the browser but declined to comment on release dates of future upgrades or "maintenance releases."
Bugs in Internet software draw great attention because of the possibility of network security breaches from the outside. Security flaws in both Microsoft and Netscape Communications' browsers have allowed, at least theoretically, the viewing or pilfering of users' local files. But few if any cases of actual mischief have ever been detected or reported.
"Personally, I think that bugs like these in commercial software are unacceptable, but I can understand why [Microsoft] took the position it did," Getchell wrote in his posting to Bugtraq. He was not immediately available for further comment.
The problem has three variations based on slight changes to the HTML, according to Getchell. All three variations cause the browser to get stuck in a loop and either crash or eat up system memory.