
Protection against IE holes may create more problems than solutions


November 23, 1999
Web posted at: 2:24 p.m. EST (1924 GMT)

By D. Ian Hopper
CNN Interactive Technology Editor

(CNN) -- Every couple of weeks Georgi Guninski, a 27-year-old Bulgarian computer security expert, posts another Microsoft Internet Explorer security hole to BugTraq, a mailing list dedicated to computer vulnerabilities.

The majority of Guninski's latest discoveries have involved Internet Explorer 5.0's Active Scripting and ways to scoot malicious code into a user's browser. The tiny programs can do anything from reading text files on a user's hard drive to taking control of their computer. The suggested workaround is always the same: Disable Active Scripting.


That's easy enough to do. It can be flipped off in IE's options under the Security tab. But there's a problem; you probably don't really want to do that.

When Microsoft uses the term Active Scripting, they're talking about both JavaScript and VBScript, which stands for Visual Basic Script. These languages provide interactivity and 'life' to Web sites, without which they would be about as passive as a printed page.

JavaScript isn't just used as a gimmick, either. It's used by almost all major sites -- including CNN Interactive -- for uses such as navigation, pop-up windows and e-commerce. Disabling scripting would seriously cripple the site.

JavaScript isn't confined to Internet Explorer 5, although many of the security holes are only evident in Microsoft's latest browser. It's used in almost all modern browsers as well as across platforms.

The problem occurs because IE5 includes many more features, according to Internet security consultant Richard Smith.

JavaScript can drive other pieces of the browser, and there are more things to interact with in IE than in Netscape.

"These aren't [inherently] JavaScript problems," said Smith, who helped track down the author of the Melissa virus earlier this year.

"They've added a whole lot more features in IE5. This is typical for Microsoft. They add all kinds of features and only then wonder how they might interact."

Microsoft's own ActiveX controls have been a security headache as well, said Smith. Although similar to Java applets, ActiveX controls have full access to the Windows operating system.

On Microsoft's Web site, the company has posted a patch for the "JavaScript redirect" trick, which takes advantage of the hole. Microsoft's security page is updated frequently with notices, workarounds and patches, but cannot possibly keep up with the swift pace at which the vulnerabilities are found.

Microsoft representatives were not available for comment.

Guninski said he has no problem with unilaterally disabling Active Scripting.

"My experience shows [that] many sites, almost all sites I visit, may be browsed with disabled Active Scripting. You may lose some features, but they are not important," Guninski said.

Users can take some solace in the belief that Web authors aren't using these holes. But Smith warns that they're becoming common in the repertoire of virus writers. The recent Bubbleboy virus, which propagated itself through e-mail and could be executed simply by appearing in the preview pane in Microsoft Outlook or Outlook Express, took hold only in IE 5 and used a similar security hole.

Smith offers another option. It's possible, though not exactly intuitive, to increase security in Outlook as opposed to IE. A user can disable active scripting in Outlook, only affecting e-mail, and still be able to use all the JavaScript goodies on Web sites.

"JavaScript can run in e-mail messages, and I've always thought that was a bad idea. A good thing to do would be to disable JavaScript, Java and ActiveX," Smith said.

This can be done in the Security tab under Tools, Options. Set the "Secure Content" zone to Restricted Sites, then press Zone Settings. Click the button next to Custom, then click Settings. There you can disable JavaScript, Java and ActiveX individually.

As for fixing Internet Explorer to make it more security-conscious, Smith isn't very hopeful. But he does offer one suggestion to Microsoft that might help a bit.

"One thing they should do is just hire Georgi for IE 6 development."

© 2001 Cable News Network. All Rights Reserved.