Gopher hole trips up Internet Explorer
A Finnish security company is warning that hackers could exploit an outdated, little-used Internet protocol to seize control of computers running Microsoft's browser.
 | ||||
| | | ||
| Reader Resources Download CatchUp  Check your PC for security flaws | | ||
| ||||
| ||||
But IE still supports the archaic protocol, which can be used to exploit a buffer overflow bug and expose a client computer to a server running malicious code. A hacker could then seize control of the client computer, with full ability to access data, copy files or install programs, among other tasks.
Online Solutions uncovered the new security vulnerability on May 20, according to a posting on the company's Web site. Microsoft has yet to issue a security warning on this issue.
"The Microsoft Security Response Center is thoroughly investigating this issue, just as we do with every report we receive of security vulnerabilities affecting Microsoft products," a Microsoft representative said Wednesday.
The new vulnerability is just one in a recent string of Microsoft security problems, despite an increased emphasis on security following a companywide memo from Chairman Bill Gates in January.
The new exploit is in some ways insidious because the IE user does not have to actively connect to a Gopher server, according to Online Solutions. Code inserted in a Web page or even HTML e-mail could redirect the IE user's computer to a Gopher server. The security company, which reproduced the flaw in IE 5.5 and IE 6.0, warned that a hacker would not even need to run a full Gopher server to take advantage of the security hole.
Online Solutions recommends that until Microsoft releases a patch, IE 5.5 and 6.0 users should disable Gopher by going to the Tools menu and accessing "LAN Settings" under "Connections." They should then open the "Use proxy server for your LAN" box and access the "Advanced Tab." Finally, users should go to the Gopher text field and enter "localhost" and "1" in the port setting box.
The Microsoft representative questioned the sensibility of publishing a fix before the company has thoroughly investigated the matter.
"We are concerned by the way this report has been handled," the representative said. "Publishing the report may put computer users at risk--or at the very least could cause needless confusion and apprehension. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."
The fix compels IE users to check the proxy server box, which is off by default.
"Yes, the browser is vulnerable by default when the proxy setting is off," Online Solutions Managing Director Jyrki Salmi said. "The browser can be vulnerable also when the proxy setting is on if the proxy passes the hostile code unchanged. We have not investigated any particular proxy servers on this issue."
Salmi warned that Online Solutions' workaround is a quick fix that needs to be addressed by Microsoft.
"We are just instructing users to use the proxy setting to explicitly deny all Gopher connections from the browser because there is no other way to do it to our knowledge," he explained. "We asked for other ways from Microsoft, but they refused to answer our question."
But the Microsoft representative insisted the company was not ignoring the report.
"At this point...we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information," the representative said. "Microsoft is moving forward on the investigation with all due speed, and when it is completed we will take the action that best serves Microsoft's customers."
Other recent Microsoft security problems include a pair of problems affecting how IE handles cookie files, an IE cross-scripting =" 2100-1001-914805.html"="">bug, a buffer overflow exposing MSN Messenger and Windows Messenger to hackers, and a potential breach of MSN Messenger's chat features.