IE bug opens users' hard drives

Microsoft is moving to patch a browser security hole that could give malicious Web site operators a peek at users' files.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
2 min read
Microsoft is moving to patch a browser security hole that could give malicious Web site operators a peek at files on users' hard drives.

A demonstration of the newly discovered hole, dubbed "Cuartango" after its discoverer, is posted on the Web.

Windows product manager Mike Nichols said Microsoft would post the patch as soon as possible, and recommended that in the meantime users turn off active scripting under Internet Explorer's security zones. Nichols noted that no customers have reported actual incidents of the bug's being exploited.

A Web site operator taking advantage of the hole would have to know both the name and the path of the file he or she wanted to swipe, Nichols said, making the hole an unlikely menace for most users. The hole uses scripting to access the file and send the information back to the hacker.

But Nichols also said the exploit could be executed via HTML-email, such as Microsoft's Outlook Express and Outlook 98. Nichols recommended the same temporary work-around for the email programs.

The Cuartango hole isn't the first IE bug to expose users' files to the prying eyes of Web site operators. Microsoft patched a similar hole last month, and another one last year.

Nichols said that while the end result is similar for users, the underlying causes of the problems were distinct.

"They all have to do with scripting, but take advantage of different commands within IE," Nichols said. The command at issue with the Cuartango hole, "document.ExecCommand," lets developers use menu functionality from IE in their Web pages. In this case, the Cuartango hole puts the contents of the name and path of a desired file into a Web page field, then uses the "document.ExecCommand" command to copy and paste that file to be sent back to the Web site operator.

The security hole affects IE versions 4.0x on Windows 95 and Windows NT4, Windows 98 with integrated IE, and IE 4.0x on Windows 3.1 and NT 3.51. The problem does not affect Macintosh or Unix versions of IE.