July 14, 2000 3:25 PM PDT
IE 5.5 bugged in first week
The security hole lets an attacker read files on a target's computer, according to Georgi Guninski, the Bulgarian bug hunter who demonstrated the bug.
The problem, as described in a Guninski advisory, lies in an ActiveX control that ships with IE 5.5, released this week, and with earlier versions of the browser. ActiveX is Microsoft's method of letting a Web browser interact with other, more powerful desktop applications. The technology has been the target of security concerns for some time.
But through a problem with Microsoft's implementation of the Document Object Model (DOM), a standard way of letting scripts act on individual elements of a Web page, the edit component lets an attacker peek at information on a victim's computer. The technique uses a combination of frames--smaller windows within the Web page--and the clipboard, where computers temporarily store information when it is being cut or copied.
In his advisory, Guninski hinted that the combination of frames and the edit component could pose further security risks.
A Microsoft representative said the company was investigating Guninski's report but could not offer further comment.
Guninski's advisory--one in a lengthening string of security and privacy issues he has discovered in Microsoft's software--circulated on the Bugtraq mailing list with commentary from a security analyst exasperated with the unchecked pace of newly discovered security flaws.
"Instead of discussing the details of yet another browser security vulnerability, this is a good opportunity to focus on what can really be done to stop the never-ending flow of bugs," wrote SecurityFocus analyst and Bugtraq moderator Elias Levy. "It is obvious that the current approach of releasing code and patching it when a bug is found is not working. The current security technology in consumer operating systems is woefully inadequate for the Internet age."