CNET también está disponible en español.

Ir a español

Don't show this again

Internet

Microsoft browser bug may access private files

The company is looking into a newly discovered security hole in Internet Explorer that could expose people's private files to malicious Web site operators.

Microsoft is looking into a newly discovered security hole in its browser that could expose people's private files to malicious Web site operators.

The security flaw surfaces as the software giant reels from a series of miscues involving security breaches and software leaks.

The latest bug has to do with the way Microsoft's Internet Explorer browser handles the Java programming language, according to veteran browser-bug hunter Georgi Guninski.

The flaw lets a malicious Web site operator use a script to open a new browser window. That window opens with the computer owner's security safeguards.

Because IE normally lets the local computer user find files on the hard drive as well on the Web, the maliciously scripted window can display any file on a person's computer.

Scripts are lines of computer code that give browsers instructions to execute actions without a person's interaction. Scripts can open pop-up windows, run tickers across a screen, or double-check information entered in online forms.

Internet Explorer comes equipped with a security mechanism that should prevent Web authors from using scripts to peek from one window into another with the minimum security safeguard. But Guninski's exploit takes advantage of what he described as flaws in IE's Java implementation to circumvent those mechanisms.

This isn't the first time Microsoft has grappled with weaknesses in IE's cross-frame security. Microsoft tackled one such problem in January, another in October and a third in September.

The Achilles' heel of cross-frame security in this case is a combination of Microsoft's Java implementation, the JavaScript scripting language, and the document object model (DOM), a specification for transforming each element of a Web page into an independent object that a script can manipulate.

According to Guninski, IE's Java implementation normally restricts the use of JavaScript URLs so they cannot be used to get around cross-frame security. But IE's Java implementation interacts with the DOM in such a way that JavaScript can get away with that trick.

"The Java JSObject allows setting DOM properties from Java and allows setting a hostile JavaScript URL to (a frame's) location," Guninski wrote in a description of the bug posted to the Bugtraq security mailing list. "This leads to circumventing cross-frame security policy."

Guninski posted a demonstration of the exploit and recommended disabling Java or disabling scripting of Java applets pending Microsoft's fix.

Microsoft said it was investigating the problem, which it learned of yesterday morning, and declined to comment further on the security hole pending its investigation.