Scripting has been a boon not just for Web designers but for bug hunters. They have found numerous ways to circumvent security measures to show how malicious Web site operators can use the technology to take inappropriate actions on a visitor's computer.
Last week, Microsoft acknowledged that Internet Explorer 5.0 was vulnerable to a Guninski exploit that let malicious Web site operators view visitors' files. The exploit bypassed Microsoft's security measures by running the script from within a frame--a smaller window in a Web site--where the security checks did not apply.
Microsoft said the exploit only let an attacker view files, not alter or delete them.
A Web site operator also can exploit the vulnerability to launch a fraudulent, or "spoofed," window.
Microsoft confirmed Guninski's find and said it was working on a patch. Pending its release, Microsoft recommended that users disable scripting in the "Internet" security zone within IE. That prevents scripts from running on all Web sites except those the user explicitly designates as trustworthy by placing them in the "trusted" zone.
Microsoft defended its security practices in the face of the steady stream of browser vulnerabilities, saying it takes security lapses seriously and has a "security penetration test team" whose job it is to try to break IE security.
"Security is always a journey rather than a destination," said Scott Culp, security product manager for Microsoft. "We're addressing the issues as they arrive and doing our own proactive investigations. We're constantly looking into what we can do to make the product more secure."