ad info

 
CNN.com  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  

 

  Search
 
 

 
TECHNOLOGY
TOP STORIES

Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent

(MORE)

TOP STORIES

More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections

(MORE)

MARKETS
4:30pm ET, 4/16
144.70
8257.60
3.71
1394.72
10.90
879.91
 


WORLD

U.S.

POLITICS

LAW

ENTERTAINMENT

HEALTH

TRAVEL

FOOD

ARTS & STYLE



(MORE HEADLINES)
*
 
CNN Websites
Networks image


New security hole found in Microsoft Internet Explorer

Network World Fusion

(IDG) -- Microsoft's Web browser Internet Explorer has a security vulnerability that could let a malicious Web master take over a user's computer, a security expert said Monday.

Georgi Guninski, a well-known Bulgarian bug hunter, on Monday posted a security advisory on his Web site. Guninski ranks the problem as high risk.

Malicious Web masters can exploit so-called ".chm" files, a compressed help file format, to execute arbitrary programs on a user's computer, Guninski said. The bug also allows viewing of temporary Internet files stored on the user's hard drive.

Guninski said he reported a similar vulnerability to Microsoft "some time ago." The software was fixed by allowing .chm files to run programs only if the .chm was loaded from the local system. Guninski says this is no longer a limitation. He discovered a way Web masters could access temporary Internet files on other users' machines. Explorer saves pages in a folder called "temporary Internet files."

MORE COMPUTING INTELLIGENCE
IDG.net   IDG.net home page
  Network World Fusion home page
  Free Network World Fusion newsletters
  IDG.net's technical development page
  IDG.net's networking page
  Reviews & in-depth info at IDG.net
  E-BusinessWorld
  TechInformer
  Questions about computers? Let IDG.net's editors help you
  Subscribe to IDG.net's free daily newsletter for network experts
  Search IDG.net in 12 languages

"It is possible to find the temporary Internet files folder," Guninski said.

Explorer creates several of these folders on a PC using random names. With a special HTML document, a malevolent Web master can reveal the name and location of a temporary Internet files folder.

Once a folder name is known it is possible to cache a .chm file in any folder and execute it, Guninski said.

Until Microsoft has issued a patch for the problem users can protect their computer by disabling active scripting, a browser function that has repeatedly been associated with security issues.

Affected programs are Microsoft's Internet Explorer Versions 5 and higher. Because Explorer is integrated in Microsoft's e-mail clients, Outlook and Outlook Express are also affected. Other versions may also be unsafe, but those have not been tested, Guninski said in his advisory.

Microsoft could not be immediately reached for comment.




RELATED STORIES:
MS, hacker secretive about meeting
Hackers attack Microsoft network
October 27, 2000
Web sites unite to fight denial-of-service war
September 27, 2000
Microsoft security executive promises improvements
July 27, 2000
Denial-of-service threat gets engineering community's attention
July 25, 2000
Microsoft scrambling to fix new Outlook security hole
July 21, 2000
Outlook patch called overkill
May 23, 2000
Microsoft: Bad security, or bad press?
September 28, 1999
CNN In-Depth Specials - Hackers

RELATED IDG.net STORIES:
A challenge to the security software leaders
(NW Fusion)
How to prevent one-click hack attacks
(PC World)
WebShield protects against e-born viruses
(InfoWorld)
In the security realm
(NW Fusion)
EDS to open computer security school
(IDG.net)
Viruses: The next generation
(PC World)
Third time's no charm for Microsoft
(The Industry Standard)
Microsoft urging IIS users to patch serious security hole
(Computerworld)

RELATED SITES:
Microsoft Corp.

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

 Search   

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.