The company yesterday confirmed the existence of what it is calling the buffer-overrun security bug. The bug allows a malicious Web site author to take advantage of IE 4.0's limited capacity for Web addresses of the "res://" type.
Here's how it works: IE 4.0 can read a res:// hyperlink address of only up to 256 characters. Anything longer than that crashes the browser and causes the remaining characters of the address to be written into the computer's memory. A malicious Web site author can make trouble simply by writing hostile code from the 257th character of the res:// address.
"This is a very obscure bug," IE 4.0 group product manager David Fester said. "So far, no site has reported any damage, and no user has reported any damage."
Only people using Windows 95 and IE 4.0 are at risk, according to Fester. The fix is posted to the Microsoft IE security page.
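The overrun described above comes down to copying an address into a fixed-size buffer without checking its length. The C sketch below is an added example, not Microsoft's code: it contrasts that unchecked copy with a length-checked one, assuming a buffer of 256 characters plus a terminator; the function names and sample addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RES_URL_MAX_CHARS 256   /* limit quoted in the article */

/* Unsafe pattern, for contrast only: no length check, so a 257th character
 * and everything after it are written past the end of dst. */
void store_res_url_unchecked(char dst[RES_URL_MAX_CHARS + 1], const char *url)
{
    strcpy(dst, url);
}

/* Hardened form: check scheme and length first. Returns 0 on success,
 * -1 on rejection; dst is left as an empty string when rejected. */
int store_res_url_checked(char *dst, size_t dstlen, const char *url)
{
    const char *end;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (url == NULL || strncmp(url, "res://", 6) != 0)
        return -1;
    end = memchr(url, '\0', dstlen);   /* look for the terminator within dstlen bytes */
    if (end == NULL)                   /* too long: reject rather than truncate */
        return -1;
    memcpy(dst, url, (size_t)(end - url) + 1);
    return 0;
}

/* Constructed test input: a res:// address of exactly n characters (n >= 6). */
void make_res_url(char *out, size_t n)
{
    memset(out, 'A', n);
    memcpy(out, "res://", 6);
    out[n] = '\0';
}

int main(void)
{
    char buf[RES_URL_MAX_CHARS + 1], url[512];
    size_t lens[] = { 20, 256, 257, 400 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        make_res_url(url, lens[i]);
        printf("%zu chars: %s\n", lens[i],
               store_res_url_checked(buf, sizeof buf, url) == 0 ? "stored" : "rejected");
    }
    return 0;
}
```

The checked version rejects an overlong address outright instead of truncating it, so a caller never acts on a partial address.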