March 12, 1997 1:15 PM PST
IE patch isn't stitched tight
The patch, available from a Microsoft Web page, fixes Explorer 3.0 and 3.01 for Windows 95 and NT, but does not cover version 2.0. Explorer 2.0 users are advised to upgrade to IE 3.0 and apply the patch.
It also didn't cover international versions until this morning, when the company posted a patch for all but a handful of its international releases.
And the patch itself is not perfect, Microsoft admitted yesterday. Instead of completely deleting suspicious files, the patch leaves an opportunity for users to download malicious code by hiding a link to that code in the browser's cache.
The cache problem was brought to light by a CNET reader and confirmed by a Microsoft spokeswoman, who said that malicious links aren't "as readily accessible" as last week's security issues.
"Users have to go into the cache and opt to see hidden files," the spokeswoman explained. Once the hidden files are exposed, the files can be executed, but a user would have to deliberately launch them.
Microsoft is working to have the cache problem fixed by Friday or Monday, the spokeswoman added.
Users who have installed the patch might also have trouble downloading certain ".exe" files--legitimate shareware, for example--according to Geoffrey Elliott, one of the three Worcester Polytechnic Institute students who found the first IE 3.0 bug on February 27. If users encounter a problem, they should try right-clicking and choosing the "Save As" feature, Elliott said.
Since the WPI students' discovery, Microsoft has scrambled to fix three holes that allowed miniature programs posted on Web sites to circumvent Explorer's Authenticode security feature and do potential damage to files on users' hard drives. Authenticode acts as a gatekeeper, checking all Internet files before they are downloaded to the hard drive. But in recent days, university students have pounded away at Explorer and found at least three ways to get around Authenticode.
The WPI bug allowed hyperlinked Windows 95 Shortcuts--files that point to and launch executable code--to manipulate data on the desktop. For example, clicking on a seemingly innocent link on a Web page could actually trigger a delete command and erase desktop files.
Microsoft last week posted a patch for the Shortcut problem, but similar holes were soon discovered by students at University of Maryland and Massachusetts Institute of Technology. The bugs do not affect any IE version for Macintosh, Windows 3.0, or Windows 3.1, Microsoft said, nor does it affect users of Netscape Navigator.
Microsoft maintains that no "real-world" instance of hacking or damage has occurred so far, but analysts say that the bugs are already chewing up the time and resources of IT managers who can't afford to run buggy software and are forced to patch or replace their users' browsers.
Hoping to avoid similar scenarios in the future, Microsoft is currently double-checking a beta release on Internet Explorer 4.0, due to be posted March 17. Microsoft has also set up an email address, firstname.lastname@example.org, for reporting security bugs directly to the company.
Contrary to a FAQ list posted yesterday on the Microsoft Web site, the latest patch does not disable Explorer's "content advisor" feature, which applies a content rating system to block access to certain sites. The company says it discovered that the content advisor was not the source of the glitches.