IE 5 bug could let Web hackers see files

Microsoft acknowledges a security problem with its Web browser that could let a malicious Web site operator rifle through visitors' files.


Internet Explorer 5.0 could, under specific circumstances, allow a malicious Web site operator to view "fragments" of certain files on the computer of a visiting user, according to Georgi Guninski, a programmer who first reported this bug. Guninski has reported numerous bugs in browsers from both Microsoft and America Online's Netscape unit. The software giant said it is investigating the issue.

"A skilled hacker would have to maliciously engineer their site to take advantage of this and would need to know the name of the specific file and folder in which it resides," a Microsoft representative said via email.

Microsoft said that only fragments of files, not entire files, can be viewed using the security glitch. In addition, the company said that only HTML and JavaScript files can be viewed. Microsoft Word, executable and text files cannot be displayed, the company said.

The security breach is related to the way IE 5 running on Windows 95 and Windows NT 4.0 handles HTTP links contained in Extensible Markup Language (XML) objects, Guninski said. He said the problem could allow a skilled hacker to read local and remote files.

Microsoft said it has not received any reports of users who have been affected by this security glitch. The company is looking into a way to patch the security hole. It insists the majority of sites are safe and customers should not encounter the problem as part of their normal Web browsing of popular sites.

One security expert said the glitch is just the latest in a string of similar problems plaguing IE 5 that should prompt Microsoft to reevaluate its software development procedures.

"This is a good opportunity to--instead of discussing the details of yet another browser security vulnerability--focus on what can really be done to stop the never-ending flow of bugs," said Elias Levy, chief technology officer at SecurityFocus.com, a Web site that hosts discussions on security-related topics and maintains a database of security-related information.

"It is obvious that the current approach of releasing code and patching it when a bug is found is not working," he added.