Microsoft is urging users of its Internet Explorer browser to download a patch for a newly discovered buffer-overflow security bug.
The bug takes advantage of the way some versions of the IE browser handle long strings of JScript code.
JScript is a Microsoft scripting language similar to the JavaScript language created by Netscape Communications. The scripting languages, which are unrelated to the Java programming language, are used to create things like pop-up windows and forms on Web pages.
The bug patched yesterday resembles another IE buffer overflow problem reported last year.
In both instances, the bug allows a malicious programmer to take advantage of the way the browser reads a long URL, or, in this case, a long string of JScript code. After the maximum number of characters expected on a string is exceeded, the browser crashes, and the remaining characters--potentially comprising malicious code--go into memory, where they may be executed.
In the case of the previous buffer overflow problem, URLs of the type "res://"--which linked to local resources rather than remote Web pages--would max out after 256 characters, letting malicious programmers write from the 257th character.
In the case of the JScript buffer overflow bug, Microsoft is not disclosing the character limit.
"We know, but don't want to let that information out," said Karan Khanna, product manager for Windows NT security.
Khanna stressed that the bug could not manifest itself as a matter of chance, and that a victim would have to visit a site where the code was deliberately entered. He also noted that Microsoft is not alone in battling the buffer overrun menace.
"This happens on many applications and operating systems," he said. "What we're trying to do is to educate developers about safe coding practices, about taking more care in how they handle strings."
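The following C example is added here for illustration and is not code from Microsoft or from the original article. It shows a length check that keeps an over-long string out of a fixed-size buffer, using the 256-character res:// limit described above; the function names, the buffer layout and the sample URLs are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_MAX 256  /* character limit the article gives for res:// URLs */

/* Hypothetical helper: number of characters of `url` that would land past
 * a buffer sized for URL_MAX characters if the copy were unchecked. */
size_t spill_chars(const char *url)
{
    size_t n = strlen(url);
    return n > URL_MAX ? n - URL_MAX : 0;
}

/* Hypothetical bounded copy. Returns 0 on success, -1 if rejected.
 * Over-long input is refused outright rather than truncated, so a
 * partial URL is never handed to later parsing code. */
int copy_url_checked(char *dst, size_t dst_size, const char *url)
{
    const char *end;
    size_t n;

    if (dst == NULL || url == NULL || dst_size == 0)
        return -1;
    end = memchr(url, '\0', dst_size);  /* look no further than dst_size */
    if (end == NULL) {                  /* no terminator fits: too long */
        dst[0] = '\0';
        return -1;
    }
    n = (size_t)(end - url);
    memcpy(dst, url, n + 1);            /* length validated above */
    return 0;
}

int main(void)
{
    char buf[URL_MAX + 1];
    char long_url[400];                 /* constructed sample input */

    memset(long_url, 'A', sizeof long_url - 1);
    memcpy(long_url, "res://", 6);
    long_url[sizeof long_url - 1] = '\0';

    printf("spill: %zu\n", spill_chars(long_url));
    printf("long:  %d\n", copy_url_checked(buf, sizeof buf, long_url));
    printf("short: %d\n", copy_url_checked(buf, sizeof buf,
                                           "res://example.dll/page.htm"));
    return 0;
}
```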
Microsoft has recommended that users unable to download the patch disable active scripting in the "Untrusted" and "Internet" zones under Internet Explorer security preferences.
The problem affects IE 4.0 and 4.01 running on Windows 95, 98, and NT 4.0.