ad info
   personal technology

 custom news
 Headline News brief
 daily almanac
 CNN networks
 CNN programs
 on-air transcripts
 news quiz

CNN Websites
 video on demand
 video archive
 audio on demand
 news email services
 free email accounts
 desktop headlines

 message boards




Microsoft addresses IE security hole

October 15, 1998
Web posted at 11:50 AM EDT

by Jeff Walsh


(IDG) -- Microsoft confirmed the existence of a security problem with Internet Explorer on Tuesday and said it will patch the hole as soon as possible, according to a company representative.

The security breach, which works around existing security features in the browser, enables a hacker to develop a script to retrieve a file from a user's desktop system, provided the path and filename are known. In the same manner, a script can also execute a "paste" command to retrieve the user's current clipboard contents.

The security problem was found by Juan Carlos Garcia Cuartango, a Spanish Web developer, who posted information about the bug as well as a test to see it in action, on his Web site.

  InfoWorld home page
  InfoWorld forums home page
  InfoWorld Internet commerce section
  Get Media Grok and The Industry Standard Intelligencer delivered for free
 Reviews & in-depth info at's personal news page
  Subscribe to's free daily newsletter for IT leaders
  Questions about computers? Let's editors help you
  Search in 12 languages
 News Radio
  Fusion audio primers
  Computerworld Minute

Microsoft pointed out that users would not encounter this problem while browsing popular Web sites.

"A skilled hacker has to purposefully create malicious script on their site in order for a customer to be affected by this," the representative said.

Microsoft pointed out that no customers have been affected by this bug, and said concerned users can protect themselves by disabling Active Scripting in the Internet Zone of Explorer's Security Zones feature.

The actual feature this bug attacks is the capability for a user to enter the filename of a file they are uploading through a Web browser. Microsoft put in measures to prevent any scripts from modifying the filename but did not prevent scripts from using the "copy" and "paste" commands to get the contents of a file on the user's system, according to Cuartango.

Related stories:
Latest Headlines

Today on CNN

Related stories:

Note: Pages will open in a new browser window Related sites:

External sites are not
endorsed by CNN Interactive.

Enter keyword(s)   go    help


Back to the top
© 2000 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.