March 10, 1997 10:00 AM PST
MS posts IE bug fixes
The company raced to provide a comprehensive patch for the bugs after it learned of the third hole, discovered last Friday by two students at the Massachusetts Institute of Technology. Users of Internet Explorer 3.0 and 3.01 can download the free patch from Microsoft's site.
The first security hole, discovered two weeks ago by a Worcester Polytechnic Institute trio, set off a frenzy of bug-finding by other students last week. The WPI students found a glitch involving Windows 95 and NT ".lnk" and ".url" files, called Shortcuts, that allowed them to bypass Explorer's security checker to manipulate a user's computer. Several University of Maryland students also discovered that a bug related to Explorer's floating frame feature could have similar consequences for users.
Security experts are beginning to question whether the security holes in Explorer are the result of the browser's close integration with the Windows operating system. The bugs do not appear to affect other browsers such as Netscape Communications' Navigator.
The MIT students who found the latest glitch said it could allow an unscrupulous hacker to delete files, including all of the contents of a hard disk, from a user's computer. Like the previous holes, the glitch involves a Windows 95 file that is able to bypass Authenticode, Explorer's built-in security system, which examines program code downloaded off the Net.
A malicious Web site could use the file, called ".isp," to trigger resident Windows programs that create or delete directories and files when a user visits the site, according to Christien Rioux, one of the MIT students who found the hole. The ".isp" files are related to a program that comes with Explorer for automatically signing users up with an Internet service provider.
The MIT students set up a site that demonstrates the hole.
"This is a direct problem with Internet Explorer because Microsoft is trying to make the browser do much more than browsers were originally designed to do," said MIT's Rioux.
Microsoft has created an email address--security@microsoft.com--where users can report security bugs in Explorer to the company.
For an alternative IE security patch download site, go to CNET's DOWNLOAD.COM.