- A security hole in the latest version
of Internet Explorer could deliver your private computer files to the wrong
hands, but Microsoft says it has no knowledge of the bug's existence.
- A spokeswoman for the company told Wired
News Friday that they were unaware of the problem but would investigate
it and correct it, if necessary.
- The bug was uncovered by Juan Carlos
García Cuartango, a Spanish Web developer. It apparently allows
code on a malicious Web page to steal virtually any file off a user's hard
disk. Cuartango posted a description of the problem earlier this week,
which only attracted the attention of browser and email-security gurus
when it hit a mailing list on Thursday evening.
- This time, it's Microsoft that takes
the fall. Two recently discovered bugs affected only Netscape's Navigator
browser.
- Cuartango could be reached for comment.
- "This [security threat] is probably
the worst I've seen because it allows you to upload an arbitrary file,"
said Richard Smith of Phar Lap Software.
- Smith tested the bug and found that it
causes Internet Explorer 4.01 to upload a file when a browser visits a
malicious Web site whose pages contain a simple, but potent, set of JavaScript
instructions.
- The person writing and posting the script
needs to know the specific location and name of a user's file in order
to retrieve it. But Smith notes that many sensitive files, including a
person's email message repository, are kept in a common location under
a default and widely known filename.
- For example, Smith said many email applications
keep users' incoming and outgoing messages in the same disk location. It
would be a simple matter, he said, for a Web site to take the user's entire
inbox.
- The Windows registry file, he added,
is also kept in a common location and, if stolen, would reveal information
about the location of other files.
- The vulnerability is rooted in extensions
to hypertext markup language and JavaScript that were added as part of
Internet Explorer's latest Dynamic HTML features. The bug doesn't affect
versions of Explorer prior to 4.0, Smith said.
- The vulnerable feature allows sites to
include an HTML form on their Web page that will prompt a user to upload
a file from the computer to the Web site.
- Cuartango's site said that Microsoft
implemented the feature so that only the user can enter the name of the
file to be uploaded. Microsoft explicitly prevented JavaScripts -- basically
sections of advanced code -- from being able to modify the contents of
the filename field.
- However, Microsoft programmers overlooked
a simple workaround, Cuartango says. The information can be entered by
a script by simply using common "copy" and "paste"
commands.
- Though a script cannot enter file data,
it is allowed to carry out the pasting function. Therefore, a script can
use the function to simply "paste" in the filename, and thereby
upload the file.
- Though Microsoft clearly made an effort
to prevent such an exploit, Smith said that companies need to devote more
effort to assessing all possible vulnerabilities when implementing new
features.
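
The design flaw described above, a filename field guarded on its direct setter but not on its paste path, can be modelled in a few lines next to a hardened form that checks every write at one sink. This is an added illustration, not code from Internet Explorer or from Cuartango's page; the class names, the `origin` tag and the sample filename are all constructed for the example.

```javascript
// Constructed model of a file-upload filename field; not Internet Explorer's code.
// Every write carries its origin: "user" (typed or picked by the person) or "script".

class GuardedSetterField {
  // Flawed design: the check lives on one entry point only.
  #filename = "";
  setValue(text, origin) {
    if (origin === "script") throw new Error("script may not set filename");
    this.#filename = text;
  }
  paste(clipboardText, origin) {
    // No origin check here: this second write path bypasses the guard.
    this.#filename = clipboardText;
  }
  get filename() { return this.#filename; }
}

class MediatedField {
  // Hardened design: every path funnels through one checked sink.
  #filename = "";
  #write(text, origin) {
    if (origin !== "user") throw new Error(`write from ${origin} refused`);
    this.#filename = text;
  }
  setValue(text, origin) { this.#write(text, origin); }
  paste(clipboardText, origin) { this.#write(clipboardText, origin); }
  get filename() { return this.#filename; }
}

// Regression check: try each write path with a script origin and
// return the names of the paths that still change the field.
function scriptWritablePaths(FieldClass) {
  const open = [];
  for (const path of ["setValue", "paste"]) {
    const field = new FieldClass();
    try {
      field[path]("constructed-sample.txt", "script");
      if (field.filename !== "") open.push(path);
    } catch (_) { /* refused, as intended */ }
  }
  return open;
}
```

Running `scriptWritablePaths` over both classes shows the point of Smith's closing remark: a new feature that adds a write path has to be covered by the same check as the old one, which is easiest when the check sits at the single place the value is stored.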