Microsoft admits browser security hole

Microsoft acknowledges a security problem with its Web browser that could let a malicious Web site operator rifle through visitors' files.

Microsoft today acknowledged a security problem with its Web browser that could let a malicious Web site operator rifle through visitors' files.

Like many browser security problems, this one has to do with scripting technology, which lets a Web site execute actions on a user's computer without the user's interaction. Scripting languages like Netscape Communications' JavaScript or Microsoft's VBScript and JScript give the visiting computer a "script" to follow, instructing it to launch a new window or scroll text across the screen.

For security reasons, browsers normally restrict what a Web site's scripts can do. In this case, however, Microsoft's Internet Explorer 5.0 fails to apply those restrictions to scripts executed from within frames, the smaller sub-windows a page can embed to display other documents. The command at issue is "document.execCommand," according to Microsoft.

In a security alert, Microsoft said it was working on a patch that would implement tighter security checks within frames. The patch is not yet available.
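The check that the promised patch has to enforce, shown here as an added illustration written for this page (not code from the article, Microsoft, or Internet Explorer): a script in one frame may operate on another frame's document only when both come from the same origin. The frame model, the "readContent" command and all function names are hypothetical, and local files are treated as an origin that no Web site can match.

```javascript
// Added illustration of a cross-frame origin check; not code from the article,
// Microsoft, or Internet Explorer. Frame model and command names are hypothetical.

// An origin is scheme + host + port. Local files get an opaque origin (null)
// so that no site, including another file: URL, is ever considered "the same".
function defaultPort(protocol) {
  return { "http:": "80", "https:": "443" }[protocol] || "";
}

function originOf(href) {
  const u = new URL(href);
  if (u.protocol === "file:") return null;
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort(u.protocol)}`;
}

function sameOrigin(hrefA, hrefB) {
  const a = originOf(hrefA);
  const b = originOf(hrefB);
  return a !== null && a === b;
}

// Hypothetical frame: records the URL of the document it displays and its content.
function makeFrame(href) {
  return { href, content: `<contents of ${href}>` };
}

// A script running in the document at callerHref asks the browser to run a
// document command against another frame. With enforceOriginCheck=false the
// command is honoured regardless of who asks, which is the failure mode the
// article describes; with enforceOriginCheck=true cross-origin callers are refused.
function execCommandOnFrame(callerHref, target, command, enforceOriginCheck) {
  if (enforceOriginCheck && !sameOrigin(callerHref, target.href)) {
    throw new Error(
      `Permission denied: ${callerHref} may not run ${command} on ${target.href}`
    );
  }
  if (command === "readContent") return target.content; // hypothetical command
  throw new Error(`unknown command ${command}`);
}

// Constructed scenario: a remote page holding a frame that points at a local file.
function demo(enforceOriginCheck) {
  const attacker = "http://attacker.example/index.html";
  const victimFrame = makeFrame("file:///C:/private/notes.txt");
  try {
    return execCommandOnFrame(attacker, victimFrame, "readContent", enforceOriginCheck);
  } catch (e) {
    return e.message;
  }
}

module.exports = { originOf, sameOrigin, makeFrame, execCommandOnFrame, demo };
```

Run with the check disabled, demo() returns the local file's contents to the remote page; with it enabled, the same call is refused. The check compares scheme, host and port together, so http and https versions of one host, or two ports on the same host, are distinct origins.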

The security hole is typical of the type regularly reported by Bulgarian bug hunter Georgi Guninski. Guninski, who first reported this bug, has reported many others in browsers from both Microsoft and America Online's Netscape unit.

Pending a fix, Microsoft is recommending that users disable Active Scripting in IE 5's Internet Zone, the category within the browser's security system that covers most Web sites. Users should add sites they trust not to serve malicious content to the Trusted Zone, Microsoft said, adding that Microsoft's own site should be among them if users want to download the patch when it becomes available.

Microsoft stressed that someone exploiting this attack could only read files, not change or delete them.