Microsoft today said it is moving to plug a security hole in its Internet Explorer browser that could reveal local files and permit window spoofing.
The bug lets a malicious Web author add a small suffix to a URL in order to
misrepresent its origin. As a result, IE could wind up treating the Web
site as though it were part of the client's local domain, such as within a
corporate intranet, bypassing IE's security zones.
The bug affects versions 4 and 5 of the browser.
One manifestation of the bug lets a Web operator read local files and send
them to another server if he or she knows the name of the file. This
scenario is demonstrated on the Web by
the bug's discoverer, Bulgarian bug hunter Georgi Guninski.
The second scenario lets the Web operator spoof a window of a trusted site,
potentially tricking visitors into yielding private
information such as usernames, passwords, or credit card information.
Microsoft has fended off
similar examples of the bug in
Guninski posted a demonstration of this
exploit as well.
Microsoft pointed out that no users have reported encountering similar
exploits on the Web but said engineers are working on a fix. Concerned
users can disable scripting pending a fix.
In other IE news, Microsoft released a slightly modified version of IE 5 that
fixes some compatibility bugs that cropped up with its new Office 2000
suite. Microsoft is offering that upgrade as the standard IE 5 in order
to maintain consistency.
Microsoft also announced its IE 5 Evaluation and Deployment Kit (EDK), a
CD-ROM with a deployment guide for the browser and instructions on how a
business can switch to IE 5 from AOL's Communicator browser. It also
includes IE 5 and its administration kit. The EDK costs $6.95 and is
available from Microsoft.