IE bug could leave files exposed
A veteran bug hunter detects a security hole in Microsoft's Web browser that makes it possible for hackers to view local files and in some cases erase files' contents.
Georgi Guninski, a well-known security adviser, posted an alert Saturday warning people that if they visit a Web page using IE 5.5, hackers could read their files, and if the file name is known, those files could be sent to another server. The IE 5.5 bug also affects Microsoft Outlook and Outlook Express e-mail software, according to Guninski, who rated the bug risk "high."
Guninski said the problem appears to be linked to two pieces of ActiveX programming code used within IE 5.5 and has the potential to affect all users of the browser.
"To solve this particular issue, disable Active Scripting," Guninski advised. He recommends against using IE for browsing the Internet if Active Scripting has been enabled, "because this is dangerous" and may lead hackers to execute a user's programs.
Guninski also noted that hackers could gain access to bookmarked Web pages.
Microsoft was not immediately available for comment. Guninski said he informed the company of the security hole last week.
On Friday, Microsoft warned that a security hole in IE 5.01 and 5.5 could cause the browser to automatically open HTML e-mail attachments that could be used by an attacker to execute malicious code. The flaw could result in IE launching an e-mail attachment automatically, which could leave computers vulnerable to an attack.
The Redmond, Wash.-based software giant quickly developed a patch to the bug that can be downloaded from its Web site.
Just days before Microsoft released its security bulletin on IE, Guninski said he discovered another a bug in Microsoft's browser software that could let hackers read the e-mail and computer files of some unsuspecting people.
Some industry observers have said that it has been difficult to figure out all of the vulnerabilities in IE software because the software is so complicated and interoperates with many other applications.
Microsoft has been heavily criticized in the past for security holes detected in its widely used software products. Several vulnerabilities recently have been spotted in IE as well as in other software products.
Microsoft's popular Outlook software, for instance, played a key role in the rapid spread of some destructive viruses, including I Love You and Melissa.