IE 4 URL bug resurfaces

A glitch in Microsoft's Internet Explorer 4.0 browser, which the company fixed last fall, has cropped up again in a slightly different form.

The original bug stemmed from Explorer's handling of URLs that began with the "res" prefix and ran longer than 256 characters. When the browser visited such an HTML document with more than 256 characters, the extra characters were dumped into system memory. That either crashed the browser or, if a programmer wrote those extra characters as executable code, ran the code on the system unbeknownst to the system's owner.

Microsoft in November posted a fix for the "res" problem, but the author of the first exploit has found another hole that this time affects IE 4.0 and 4.01 on both Windows 95 and NT 4.0, and by the author's admission would be very complicated to enact.

"No users have been affected by this, and we don't want any users affected," said Internet Explorer group product manager David Fester. "Because it's so similar to the 'res' issue, it should be relatively easy to fix."

Microsoft plans to post a patch this week and will investigate whether the fix can be applied to other potential problems with alternate protocols, said Fester.

The new exploit occurs when the browser tries to access URLs that have an "mk" prefix, a protocol normally reserved for compressed HTML resource files that Internet Explorer can extract from the system and read. As with the "res" problem, a programmer must deliberately create a URL with more than 256 characters to cause mischief.

Unlike the "res" problem, a programmer needs to know details about each specific system under fire, according to DilDog, the programmer who discovered and posted the exploit to the L0pht Heavy Industries Web site.

"A bit more knowledge about the target system would have to be known to design a proper exploit, more than just operating system version," DilDog wrote in an email message. "In fact, the bug would have to be adjusted for each system you wished to target. Nothing massively destructive here, but in solitary cases, could be harmful."

IE 4.0's "security zones" feature doesn't prevent the exploit, according to DilDog. A demonstration on the L0pht site crashes IE 4.0, then prompts a Windows advisory that recommends that the user save all open documents and restart the system.

The problem also affects IE 3.02 when it is running the "InfoViewer" component of Microsoft's Visual Studio programming tool.

It does not affect IE for Macintosh, Unix, or Windows 3.1, Fester said.