Microsoft fights handful of IE holes

The company moves to patch one security hole in its Web browser just as another comes to light.

Microsoft today moved to patch one security hole in its Web browser just as another came to light.

Both problems spring from the browser's implementation of JavaScript, a scripting language created by Netscape Communications. Web sites use scripting technology to take actions on a visitor's computer without his or her input. Typical uses for scripting include launching pop-up windows or scrolling text across a screen.

Scripting has been a boon not just for Web designers but for bug hunters. They have found numerous ways to circumvent security measures to show how malicious Web site operators can use the technology to take inappropriate actions on a visitor's computer.

One bug hunter, Bulgarian security enthusiast Georgi Guninski, has been reporting JavaScript security problems regularly for more than a year. Although Netscape, now a unit of America Online, has had its share of Guninski's scrutiny, Microsoft has been his primary target in recent months.

Last week, Microsoft acknowledged that Internet Explorer 5.0 was vulnerable to a Guninski exploit that let malicious Web site operators view visitors' files. The exploit bypassed Microsoft's security measures by running the script from within a frame--a smaller window in a Web site--where the security checks did not apply.

Microsoft said the exploit only let an attacker view files, not alter or delete them.

Microsoft advised that users of IE 4.01 apply the IE 4.01 service pack 2. IE 5 users can download different patches depending on whether they are on the Intel Platform or the Alpha Platform.

Microsoft had no sooner patched the first Guninski hole than the bug hunter reported a second one. It, too, bypasses the browser's security checks, this time by redirecting a local file to a Web address beginning in "javascript:". In this scenario, JavaScript code runs with the security limitations of that local file, which permits transferring the file to another computer, allowing a Web site operator to steal files.

A Web site operator also can exploit the vulnerability to launch a fraudulent, or "spoofed," window.

Microsoft confirmed Guninski's find and said it was working on a patch. Pending its release, Microsoft recommended that users disable scripting in the "Internet" security zone within IE. That prevents scripts from running on all Web sites except those the user explicitly designates as trustworthy by placing them in the "trusted" zone.

Microsoft defended its security practices in the face of the steady stream of browser vulnerabilities, saying it takes security lapses seriously and has a "security penetration test team" whose job it is to try to break IE security.

"Security is always a journey rather than a destination," said Scott Culp, security product manager for Microsoft. "We're addressing the issues as they arrive and doing our own proactive investigations. We're constantly looking into what we can do to make the product more secure."