July 14, 2000 3:25 PM PDT

IE 5.5 bugged in first week

A newly discovered security bug in Microsoft's Internet Explorer 5.5 browser promises to send the company's engineers back to work on a product released just this week.

The security hole lets an attacker read files on a target's computer, according to Georgi Guninski, the Bulgarian bug hunter who demonstrated the bug.

The problem, as described in a Guninski advisory, lies in an ActiveX control that ships with IE 5.5, released this week, and with earlier versions of the browser. ActiveX is Microsoft's method of letting a Web browser interact with other, more powerful desktop applications. The technology has been the target of security concerns for some time.

The ActiveX control ships with Microsoft's Dynamic HTML (DHTML) editing component (DHTMLED), which normally lets Web authors add automated page editing to their sites.

But through a problem with Microsoft's implementation of the Document Object Model (DOM), a standard way of letting scripts act on individual elements of a Web page, the edit component lets a malicious attacker peek at information on a victim's computer using a combination of frames--smaller windows within the Web page--and the clipboard, where computers temporarily store information when it is being cut or copied.

In his advisory, Guninski hinted that the combination of frames and the edit component could pose further security risks.

A Microsoft representative said the company was investigating Guninski's report but could not offer further comment.

Guninski's advisory--one in a lengthening string of security and privacy issues he has discovered in Microsoft's software--circulated on the Bugtraq mailing list with commentary from a security analyst exasperated with the unchecked pace of newly discovered security flaws.

"Instead of discussing the details of yet another browser security vulnerability, this is a good opportunity to focus on what can really be done to stop the never-ending flow of bugs," wrote SecurityFocus analyst and Bugtraq moderator Elias Levy. "It is obvious that the current approach of releasing code and patching it when a bug is found is not working. The current security technology in consumer operating systems is woefully inadequate for the Internet age."
