Microsoft has posted a patch for what could be a major security hole in its Internet Explorer 3.0 browser, as well as a separate caching problem.
The security bug, first reported by CNET yesterday, could allow hackers to set up Web pages that run DOS commands on a user's system, allowing them to delete files, insert viruses, or create a "backdoor entrance" to a victim's system, said Edward Felten, an assistant professor of computer science at Princeton University. Microsoft posted a fix on its Web site last night.
For example, malicious hackers could set up a Web page that delivers a Microsoft Word document containing a macro program that is able to execute any DOS command. Normally, Internet Explorer warns users before it's about to download potentially hostile code, but Felten discovered a method of bypassing the warning so Web surfers have no opportunity to prevent the download.
Microsoft officials attempted to downplay the significance of the security hole, calling the risk of hacker break-ins extremely remote. Still, the company said it hopes the patch on its Web site will prevent macro programs from bypassing Internet Explorer's warning window, which will allow users to block nasty code.
The patch will also fix a caching problem in Internet Explorer 3.0 that had affected user logons to Web sites.
"Both of these issues don't exist on the Internet as far as we know," said Bill Koszewski, product manager at Microsoft. "But if you want to be proactive, you can download this patch and it's all taken care of for you."
Felten, who is well known for having discovered several security flaws in Java and Netscape Communications' Navigator browser, has posted information related to the security hole on the comp.risks Usenet newsgroup and on Princeton University's Web site.
Earlier this month, Felten discovered two security bugs in the Java support of both Navigator and Internet Explorer; the companies were able to fix the problems before their final products shipped.
According to Microsoft, this week's security problem in Internet Explorer 3.0 is not related to Java or to ActiveX controls, another form of executable software code that has stirred security concerns.
Microsoft also corrected a separate problem with Internet Explorer that temporarily required a hefty amount of hard disk space, 67MB in all, in order to install the Microsoft Web browser. The company has posted a new version of the browser that requires a more modest amount of hard disk space.