This time it's MIT students who have discovered a major security hole in IE 3.0. The students who found the latest glitch say it could allow an unscrupulous hacker to delete files, including all of the contents of a hard disk, from a user's computer.
Like the previous holes, the glitch involves a Windows 95 file that is able to bypass Explorer's built-in security system, Authenticode, for examining program code downloaded off the Net. A malicious Web site could use the file, called ".isp," to trigger resident Windows programs that create or delete directories and files when a user visits the site, according to Christien Rioux, one of the MIT students who found the hole.
The ".isp" files are related to a program that comes with Explorer for automatically signing users up with an Internet service provider.
The MIT students have set up a site that demonstrates the hole.
Microsoft representatives said they learned of the bug this afternoon and are planning to provide a combined fix for it and an earlier bug, which was discovered by students at the University of Maryland, within the next two days.
"This is a minor variation of the Cybersnot issue," said Dave Fester, a lead product manager for Internet Explorer, referring to the Worcester Polytechnic Institute students who discovered the first major Explorer bug earlier this week and dubbed themselves "Cybersnot Industries."
The initial security hole discovery by the WPI trio set off a frenzy of bug-finding by other students this week. The WPI students found a glitch involving Windows 95 and NT ".lnk" and ".url" files, called Shortcuts, that allowed them to bypass Explorer's security checker to manipulate a user's computer. Yesterday, the University of Maryland students revealed that a bug related to Explorer's floating frame feature could have similar consequences for users.
Security experts are beginning to question whether the security holes in Explorer are the result of the browser's close integration with the Windows operating system. The bugs do not appear to affect other browsers such as Netscape Communications' Navigator.
"This is a direct problem with Internet Explorer because Microsoft is trying to make the browser do much more than browsers were originally designed to do," said MIT's Rioux.
Microsoft said today that it plans to create a special email address so that programmers can report security bugs in Explorer to the company.