Protection against IE holes may create more problems than solutions
November 23, 1999
By D. Ian Hopper
(CNN) -- Every couple of weeks Georgi Guninski, a 27-year-old Bulgarian computer security expert, posts another Microsoft Internet Explorer security hole to BugTraq, a mailing list dedicated to computer vulnerabilities.
The majority of Guninski's latest discoveries have involved Internet Explorer 5.0's Active Scripting and ways to scoot malicious code into a user's browser. The tiny programs can do anything from reading text files on a user's hard drive to taking control of their computer. The suggested workaround is always the same: Disable Active Scripting.
That's easy enough to do. It can be flipped off in IE's options under the Security tab. But there's a problem; you probably don't really want to do that.
The problem occurs because IE5 includes many more features, according to Internet security consultant Richard Smith.
"They've added a whole lot more features in IE5. This is typical for Microsoft. They add all kinds of features and only then wonder how they might interact."
Microsoft's own ActiveX controls have been a security headache as well, said Smith. Although similar to Java applets, ActiveX controls have full access to the Windows operating system.
Microsoft representatives were not available for comment.
Guninski said he has no problem with unilaterally disabling Active Scripting.
"My experience shows [that] many sites, almost all sites I visit, may be browsed with disabled Active Scripting. You may lose some features, but they are not important," Guninski said.
Users can take some solace in the belief that Web authors aren't using these holes. But Smith warns that they're becoming common in the repertoire of virus writers. The recent Bubbleboy virus, which propagated itself through e-mail and could be executed simply by appearing in the preview pane in Microsoft Outlook or Outlook Express, took hold only in IE 5 and used a similar security hole.
As for fixing Internet Explorer to make it more security-conscious, Smith isn't very hopeful. But he does offer one suggestion to Microsoft that might help a bit.
"One thing they should do is just hire Georgi for IE 6 development."