Microsoft fixes "redirect" bug

The bug, which affects IE 3.02 and 4.0 for Windows 95 and NT 4.0, makes it possible for a Web site to capture a user's name and password.

Microsoft has just posted a fix to a potential security problem in Internet Explorer.

What Microsoft calls the "Page Redirect" security bug makes it possible for a Web site to capture a user's authentication information--that is, his name and password. The user must first enter his name and password at another Web site. If that site redirects the user to a second site, that second site will also be able to read the private information.

Authentication information must be unencrypted at the second site to be captured, but the encryption used for basic authentication is not difficult to crack. Microsoft has not received reports of any IE user adversely affected by the bug, said product manager Dave Fester. Two separate companies brought the problem to Microsoft's attention, but he declined to divulge those companies' names.
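The redirect behaviour described above can be illustrated from the client side. The following is an added example, not code from Microsoft or from the original article: it shows that a Basic authentication credential is only Base64-encoded, and a same-origin check a client can apply before forwarding it after a redirect. The host names, user name and password are constructed placeholders, and `next_request` is a hypothetical helper.

```python
import base64
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def basic_header(user, password):
    """Build a Basic Authorization value: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(value):
    """Recover (user, password) from a Basic value; no key is involved."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password

def next_request(current_url, headers, location):
    """Resolve a redirect and return (target_url, headers_to_send).

    Authorization is forwarded only when the target has the same origin
    as the site the user authenticated to.
    """
    target = urljoin(current_url, location)
    forwarded = dict(headers)
    if origin(target) != origin(current_url):
        for name in list(forwarded):
            if name.lower() == "authorization":
                del forwarded[name]
    return target, forwarded

if __name__ == "__main__":
    # Constructed sample: hosts and credentials are placeholders.
    sent = {"Authorization": basic_header("alice", "s3cret"), "Accept": "*/*"}
    print(next_request("http://first.example/login", sent, "http://second.example/"))
    print(next_request("http://first.example/login", sent, "/home"))
```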

The bug affects IE 4.0 and 3.02 for Windows 95 and NT 4.0. It also affects the beta version of IE 4.0 for Unix, but Microsoft will fix the hole when the final product ships.

Several international versions of the 0.2 MB patch are already available.

As with Netscape's 4.0 browser, IE 4.0 has had its share of problems right after launch, but there are no announced plans to post an updated version any time soon.