Three times isn't a charm, at least when it comes to bugs in Microsoft's (MSFT) Internet Explorer browser.
This time it's MIT university students who have discovered a major security hole in IE 3.0. The students who found the latest glitch say it could allow an unscrupulous hacker to delete files, including all of the contents of a hard disk, from a user's computer.
Like the previous holes, the glitch involves a Windows 95 file that is able to bypass Explorer's built-in security system, Authenticode, for examining program code downloaded off the Net. A malicious Web site could use the file, called ".isp," to trigger resident Windows programs that create or delete directories and files when a user visits the site, according to Christien Rioux, one of the MIT students who found the hole.
The ".isp" files are related to a program that comes with Explorer for automatically signing users up with an Internet service provider.
The MIT students have set up a site that demonstrates the hole.
Microsoft representatives said they learned of the bug this afternoon and are planning to provide a combined fix for it and an earlier bug, which was discovered by students at the University of Maryland, within the next two days.
"This is a minor variation of the Cybersnot issue," said Dave Fester, a lead product manager for Internet Explorer, referring to the Worcester Polytechnic Institute students who discovered the first major Explorer bug earlier this week and dubbed themselves "Cybersnot Industries."
The initial security hole discovery by the WPI trio set off a frenzy of bug-finding by other students this week. The WPI students found a glitch involving Windows 95 and NT ".lnk" and ".url" files, called Shortcuts, that allowed them to bypass Explorer's security checker to manipulate a user's computer. Yesterday, the University of Maryland students revealed that a bug related to Explorer's floating frame feature could have similar consequences for users.
Security experts are beginning to question whether the security holes in Explorer are the result of the browser's close integration with the Windows operating system. The bugs do not appear to affect other browsers such as Netscape Communications' Navigator.
"This is a direct problem with Internet Explorer because Microsoft is trying to make the browser do much more than browsers were originally designed to do," said MIT's Rioux.
Microsoft said today that it plans to create a special email address so that programmers can report security bugs in Explorer to the company.