Microsoft's IE5 reeling again after two more bugs discovered
(IDG) -- Microsoft's Internet Explorer 5 (IE5) browser got hit with another one-two punch of coding bugs this week, as reports surfaced of a bug that allows documents to be stolen even through a firewall, and of the altering of HTML tags by the browser's rendering engine.
Security Expert Georgi Guninski, who has posted numerous reports of bugs and security issues with several Microsoft products, is warning users of a bug that would allow malicious hackers to steal and read data off of an IE5 machine, even through a firewall.
"This one is a spoofing attack. It downloads a file, and it downloads it from your computer to your computer. Once it's downloaded the file from itself to itself, that information is downloaded to any IP address," said Steve Anderson, vice president of marketing at BigFix, a bug fixing service in Berkeley, Calif., which is assisting Guninski in warning users.
"It's kind of like a submit button on an HTML. The reason it can get through the security is cause it's downloading to itself. Which it really shouldn't be able to do," Anderson said.
Microsoft is aware of the bug and has issued an alert which recommends that users disable the active scripting aspect of IE if they so desire.
"We're recommending as a work-around that customers who are worried about this vulnerability disable active scripting, while we develop a patch for this," said Scott Culp, security product manager on the security response team at Microsoft.
Culp also stressed that the bug will not allow hackers to steal or alter information; they will only be able to read it.
"The only thing that a Web site can do with this is read selected files from a users machine if they know the name of the file," Culp said.
BigFix's Anderson, however, said Microsoft's advice belies the importance of the bug.
"Microsoft felt heavily enough about this to disable active scripting," Anderson said. "It affects their [Windows] NT servers and all the things that are supposedly bulletproof."
Microsoft is currently working on a patch for the problem.
Also this week, BugNet and its parent company KeyLabs, in Lindon, Utah, have confirmed the existence of a rendering bug with IE5 that could impact web developers.
When using IE5 and Microsoft's underlying MSHTML editing and rendering engine some HTML tags can be corrupted using the default setting of "Web Page, complete," according to the KeyLabs report.
When the MSHTML engine renders documents on the fly, it can delete quotation marks around HTML element attributes. And while the corrupted code may still be viewed over the Internet, it is not compliant with XML (Extensible Markup Language) standards, and therefore will be inaccessible to XML parsers, according to the report.
Microsoft is aware of the issue, and has recommended at least in the interim to use the "Web Page, HTML only" option.
Matthew Nelson is a senior writer for InfoWorld.
Microsoft: Bad security, or bad press?
RELATED IDG.net STORIES:
Security hole in IE 5 reportedly exposes user names, passwords
|Back to the top||
© 2001 Cable News Network. All Rights Reserved.|
Terms under which this service is provided to you.
Read our privacy guidelines.