Days after Microsoft patched a security hole in Internet Explorer, a group of students from the University of Maryland say they have discovered another hole in the browser that could allow a hacker to remotely retrieve files or trigger programs on a user's computer and install viruses from a Web site, according to a Web posting by the students. This time, it is unclear whether the glitch affects only Windows NT versions of Explorer 3.0 and not Windows 95 versions.
Today, Microsoft representatives said they were aware of the bug, but they have not yet figured out which products it affects and what the potential security risks of the bug are.
"We know about it," said Dave Fester, a lead product manager for Internet Explorer. "We are currently researching it. It has something to do with Iframe." Iframe is the "floating frames" feature of Internet Explorer.
The programmers who discovered the hole are David Ross, Dennis Cheng, and Asher Kobin. Their Web site claims that the hole is different from a glitch discovered recently by a group of Worcester Polytechnic University students that involved ".lnk" and ".url" files, also known as Windows 95 and NT Shortcuts. Microsoft posted a patch for yesterday morning that warns Explorer 3.0 and 3.01 users about this issue before they download Shortcuts.
However, an Israeli security software company today said users are still susceptible to "hostile links" through Microsoft's email and newsgroup readers. EliaShim has found a message on a Usenet group that encourages readers to click on a link and download a demo of Internet Explorer 4.0. The link is instead a shortcut that deletes files on the user's hard drive.
"The last couple of days had to do with links on Web pages," said EliaShim technical support specialist Jerry Huyghe. "What we've found is that the same type of security hole exists in Internet mail and news applications."
A Microsoft spokesman said that the company was aware of the problem, but that the IE patch posted yesterday fixes the newsgroup and mail holes as well. EliaShim offers its own fix, called IE Safe, for free download. It works as a companion application to Windows 95 and prevents the download of executable code from a Web site.
The Shortcut security glitch stems from small files that are able to bypass Explorer's built-in code checking feature to delete or alter files on a user's hard drive.
"Microsoft sometimes goes way strong on the side of ease of use" while sacrificing security features, said John Pescatore, senior security consultant at Trusted Information Systems.
EliaShim's programmers in Israel found the message, which Huyghe labeled a prank, and within 24 hours had posted a solution on the company's Web site, he said. No information is known about the origin of the message other than that it came from the address "firstname.lastname@example.org".