Microsoft rushes to close IE security hole

The software giant releases a patch to plug a hole in its Web browser that it says 5.5 and 6.0 users should install immediately.

Feb. 22, 2002 1:49 p.m. PT

2 min read

Microsoft released a security patch to plug a hole in its Web browser that could allow hackers to steal passwords and trick people into downloading virulent files.
Microsoft said customers using Internet Explorer versions 5.5 and 6.0 should install the patch immediately. The patch, released Thursday, can be found on Microsoft's Web site.
The Redmond, Wash.-based software giant, which in recent months has patched a wide range of security holes in its Web browser and Web server software, said the patch eliminates all previously known security problems affecting the two versions of IE and plugs three new holes.
The problems were first reported Nov. 19 to Microsoft by Jouko Pynnonen at Finland-based security firm Oy Online Solutions, according to Pynnonen. By Nov. 27, Pynnonen said he informed the company of more serious flaws. Microsoft then released a patch Dec. 13 and acknowledged Pynnonen in its security bulletin for reporting the security holes.
"Since the attacker could run any program on the victim system, they can do anything a malicious program can do on a system--possibly read or destroy files (including temporary internet files and cookie files), sniff network traffic, find passwords, install backdoors...or viruses," Pynnonen said.
One problem, affecting only IE 6.0, allows an attacker to alter HTML information in a way as to trick IE to open a damaging executable file without asking the person for confirmation.

Gartner analyst John Pescatore says that as 2001 draws to a close the pace of discovery of software vulnerabilities shows no sign of slowing.
see commentary
Two other problems affect both IE 5.5 and 6.0. The first problem is a variation of a previous security glitch that allows a hacker to open two browser windows: one in the Web site's own domain and the other on an unknowing computer user's system. This could allow the hacker to gather personal information from the local system. A hacker could read, but not change, any file on the computer user's system that can be opened in a browser window.
The second security breach can involve a flaw related to how file names are displayed in the "file download" dialogue box. A hacker could misrepresent the name of a file in the dialogue window when a person tries to download a file. The attacker could fool people into accepting tainted files from a trusted Web site.
Left unpatched, computer users could face security breaches that may not become apparent for some time.
"Opening an e-mail attachment or accepting any download isn't required," Pynnonen said. "The victim user doesn't necessarily notice anything out of ordinary when reading a malicious e-mail message or visiting a malicious Web site."