IE patch isn't stitched tight

Microsoft has posted a security patch for all three IE bugs discovered recently, but some browsers are still prone to attack.

CNET News staff
Users of Internet Explorer aren't out of the buggy woods yet.

Microsoft (MSFT) Sunday night posted a security patch for all three IE bugs discovered recently, but some browsers are still prone to attack.

The patch, available from a Microsoft Web page, fixes English-language versions of IE 3.0 and 3.01 for Windows 95 and NT. It does not cover IE 2.0, nor does it cover international versions. The company said it would have a patch for international versions by Thursday night. IE 2.0 users are advised to upgrade to IE 3.0 and apply the patch.

The patch itself is not perfect, Microsoft admitted today. Instead of completely deleting suspicious files, the patch leaves an opportunity for users to download malicious code by hiding a link to that code in the browser's cache.

The cache problem was brought to light by a CNET reader and confirmed by a Microsoft spokeswoman, who said that malicious links aren't "as readily accessible" as last week's security issues.

"Users have to go into the cache and opt to see hidden files," the spokeswoman explained. Once the hidden files are exposed, the files can be executed, but a user would have to deliberately launch them.

Microsoft is working to have the cache problem fixed by Friday or Monday, the spokeswoman added. To get the patch to work, Microsoft also had to disable IE's "content advisor" feature, which uses a ratings system to block certain types of content from appearing in the browser, according to a FAQ sheet on the company's Web site. There is no word as to the nature of the problem or when the content advisor will be re-enabled.

Users who have installed the patch might also have trouble downloading certain ".exe" files--legitimate shareware, for example--according to Geoffrey Elliott, one of the three Worcester Polytechnic Institute students who found the first IE 3.0 bug on February 27. If users encounter a problem, they should try right-clicking and choosing the "Save As" feature, Elliott said.

Since the WPI students' discovery, Microsoft has scrambled to fix three holes that allowed miniature programs posted on Web sites to circumvent Explorer's Authenticode security feature and do potential damage to files on users' hard drives. Authenticode acts as a gatekeeper, checking all Internet files before they are downloaded to the hard drive. But in recent days, university students have pounded away at Explorer and found at least three ways to get around Authenticode.

The WPI bug allowed hyperlinked Windows 95 Shortcuts--files that point to and launch executable code--to manipulate data on the desktop. For example, clicking on a seemingly innocent link on a Web page could actually trigger a delete command and erase desktop files.

Microsoft last week posted a patch for the Shortcut problem, but similar holes were soon discovered by students at the University of Maryland and the Massachusetts Institute of Technology. The bugs do not affect any IE version for Macintosh, Windows 3.0, or Windows 3.1, Microsoft said, nor do they affect users of Netscape Navigator.

Microsoft maintains that no "real-world" instance of hacking or damage has occurred so far, but analysts say that the bugs are already chewing up the time and resources of IT managers who can't afford to run buggy software and are forced to patch or replace their users' browsers.

Hoping to avoid similar scenarios in the future, Microsoft is currently double-checking a beta release of Internet Explorer 4.0, due to be posted March 17. Microsoft has also set up an email address, secure@microsoft.com, for reporting bugs directly to the company.