Because of flaws in Internet Explorer's "Active Setup Download" technology, hackers or malicious Web site operators could potentially crash Internet-connected computers by overwriting files.
Active Setup is a feature of IE designed to speed download times. Rather than transfer an entire collection of files or applications, Active Setup detects which specific files are needed and downloads only those files, according to Microsoft.
The problem highlights a growing security concern, as more PC users download files from sometimes dubious origins, some of which contain viruses or malicious programs that can crash computers. It is fairly rare, however, that files bearing Microsoft's seal of approval are used to crash computers.
Active Setup treats all Microsoft-based files as trusted, which means the browser will automatically download them without asking for permission. A malicious programmer can theoretically access Microsoft-signed files from a Microsoft Web site, where they are freely available, and include these trusted files as part of a download.
From there, the flaw works much as a "denial of service" vulnerability, overwhelming a computer with normally harmless data. The downloading files, which would contain a Microsoft digital signature and thus pass through Active Setup without alerting computer users, could be sent to a specific file path, overwriting existing files and causing a system crash.
"The point of the attack would not necessarily be to try to install the update--it would be simply to overwrite some file on the user's disk," according to Microsoft's bug alert, which went out today. "For instance, if the malicious Web site operator overwrote a crucial file on the disk, he could potentially render the machine inoperable."
The bug does not allow malicious users to access information stored on the computer or do anything but crash the system, according to Microsoft.
Microsoft today issued a patch that updates the Active Setup feature to treat Microsoft files like files from all other origins, asking for a computer user's approval before downloading them.