Microsoft plugs IE security hole

Microsoft posts a software patch for its Internet Explorer Web browser to plug a security hole that allowed hackers access to files on users' PCs.

Microsoft (MSFT) today posted a software patch that plugs the latest security hole in its Internet Explorer Web browser, but warned that email could still be used for future attacks.

Microsoft acknowledged that the security hole, which could allow a hacker to delete files from a user's computer, could also affect email programs such as the Exchange email server, Notes groupware, and others. The company said the patch would also protect users of these programs from this particular security threat. But one Microsoft official added that hackers still haven't fully exploited email's capacity for accessing other people's PCs.

"Email is a very good transport for moving information out in a very targeted way," said Greg Lobdell, group product manager for Exchange Server. "As email becomes more ubiquitous, the potential for more targeted attacks is certainly there. Users need to be more vigilant, particularly if they don't know the source of an email."

Microsoft programmers cranked out the patch for the most recent security problem after learning about the problem earlier this week. A trio of students at the Worcester Polytechnic Institute discovered the security hole in Explorer while working on a school project.

The students were able to remotely create and delete folders on other people's PCs by using .url and .lnk files, also known as the Shortcuts feature of the Windows 95 and Windows NT operating systems. The hole can be exploited when a person logs onto a rogue Web site that plants the Shortcut on its home page or beneath a hyperlink. Because Shortcuts themselves aren't executable code--that is, software programs--they aren't screened by Explorer's built-in Authenticode system, which checks to make sure all downloaded code comes from a trusted source.

A hyperlink to a malicious Shortcut on a Web site could also be embedded in an email message, according to Lobdell. A hacker could, for example, send a link in an email message that would delete a directory on the recipient's hard disk when the user clicked on it. This would let hackers target specific users instead of having to wait for users to stumble upon a Web site.

The patch doesn't actually prevent users from downloading Shortcuts, but rather warns them before they save the files to their hard drives.

Microsoft officials stressed that the company knows of no customers who have been victimized by hackers exploiting the security hole.

The problem is the latest of a series of security problems with Microsoft's Internet Explorer. The company has also had to respond to security problems linked to its ActiveX technology for running software components within Explorer.

The hole only affects Internet Explorer running on Windows, and does not pose a problem to people who run versions of the browser on Apple Computer's Macintosh computers, Microsoft said.

The patch is now available for free download from the company's Web site.

For an alternative IE security patch download site, go to CNET's DOWNLOAD.COM.