Another bug in Explorer
Microsoft's respite from the wave of security bugs that hit Internet Explorer in March is over.
The latest security bug affects users of Internet Explorer 3.x. Also affected are users of the platform preview release of Explorer 4.0 who also have PowerPoint, Microsoft's presentation software, loaded onto their computers. The glitch could allow a malicious Web site to execute any program on a user's computer without permission, including deleting files and uploading private information.
Microsoft said today that it found out about the bug yesterday and will provide a fix on its Web site later today.
Many security analysts believe that the problems that have bedeviled Explorer stem from the browser's close integration with older technologies, including the Windows 95 and NT operating systems and its ActiveX software component architecture (formerly known as OLE). The analysts have questioned whether Microsoft may have skimped on security planning in its rush to retrofit those technologies for the Internet.
The latest security glitch adds a new twist since it is caused by the integration of Explorer and PowerPoint, part of Microsoft's extremely popular Office 95 and 97 application suites. There are approximately 60 million Office users, according to the company.
"A number of these bugs or holes we've seen in the last six months failed to result in any major data loss, but the fact they're there is significant," said Stephen Cobb, chief analyst at Cobb Associates. "Microsoft hasn't gone out and rounded them up. I would have thought that when the first of these holes appeared, they would go back and do a serious review of their strategy."
The glitch involves a PowerPoint feature called action settings that is innocuous when used on a standalone PC. Using action settings, creators of presentations can cause PowerPoint to launch any executable program by clicking on or passing the cursor over any image or text.
On the Internet, though, the feature could be exploited by a hacker to trigger a variety of malicious actions, such as launching an FTP client to upload private documents to a Web site. When an Explorer user clicks a hyperlink on a Web site to a PowerPoint presentation, PowerPoint is automatically launched from their computer, displaying the presentation within the frame of their browser.
Because the presentation does not contain any executable code itself but instead points to executables already on the user's computer, the user does not receive any warning before downloading the program.
"The problem comes largely from the integration [between Office and Explorer]," said Andrew Smith, a Webmaster for Kaiser Permanente in Latham, New York, who discovered the problem. "I see that the integration is very useful on an intranet. I personally like stuff like that, but I see the potential on the Internet to cause problems."
Smith said he discovered the problem yesterday and notified Microsoft immediately. He said that he tested a fix today from Microsoft that warns users about potential security risks before they download a PowerPoint presentation, and that it works. Smith has posted a Web site that demonstrates the glitch.
Today, Kevin Unangst, an Explorer product manager at Microsoft, said that the problem would affect other browsers such as Netscape Communications' Navigator, but admitted that it would be easier to exploit in Explorer because of its integration with PowerPoint.
"This can happen in any browser, but it's a bit easier in Internet Explorer because PowerPoint displays in the frame," he said.
Beth Herrell, an Office 97 product manager at Microsoft, said that Microsoft did not anticipate the implications of the PowerPoint feature when used on the Internet but that the company is loath to remove features. Herrel said the company would look more closely at Office in the future to evaluate the potential risks of certain features.
"In a lot of cases, there are a lot of features in different products that can be misused in this new paradigm," she added.