March 20, 1997 5:30 PM PST

MS to upgrade browser security

Just before it's scheduled to release a major new version of Explorer, Microsoft (MSFT) has begun testing a minor upgrade to Explorer 3.0 that fixes security holes in the browser.

Earlier this week, the company released Internet Explorer 3.02 to a limited number of beta testers. The browser contains fixes for the three security holes discovered earlier this month by university students. Microsoft also posted early last week a separate patch that fixes the existing 3.0 and 3.01 versions.

It was an unusual move for Microsoft to release a minor "point release" of Explorer 3.0 when it's so close to the scheduled start of beta testing for Explorer 4.0, a major new version of the browser that features greater integration with Windows 95 and NT and "push" capabilities. A "platform preview" of Explorer 4.0 is supposed to begin testing by the end of this month.

But in the meantime, Microsoft wanted to make it easier for new Explorer users to download the browser without having to install a security patch separately. The company also wanted to make it easier for Net access providers, such as AT&T and MCI, to distribute the fixed version of Explorer to their subscribers, according to Dave Fester, lead product manager for Microsoft.

Fester would not say exactly when version 3.02 would be released to the general public nor would he predict whether this would be the last version of the 3.x series of browsers.

"We will do the best we can given the snapshot of current issues," said Fester. "Is it the last release [of Explorer 3.x]? That all depends on what the industry and the Internet have to say."

The Explorer security holes all could have allowed skilled hackers to manipulate and delete files from a user's computer without permission. Microsoft says that no real-life users were affected by the glitches.

In addition to the security fixes, Explorer 3.02 contains a feature called auto-proxy. The feature makes it easier for companies to designate new proxy servers for Explorer users rather than having to manually set up a server name on each browser.

Since the first security bug was discovered by students from the Worcester Polytechnic Institute in early March, programmers have been busily trying to uncover more security holes in the browser. Recently, a number of Web sites have posted information on security issues, some of which affect Netscape Communications' Navigator as well as Explorer.

  • On one site, programmers claimed to have discovered a method for intercepting a Windows 95 login password from an Explorer user who logs onto a malicious Web site that then redirects them to a Windows NT Server Message Block server. On another site, programmers have posted information about a similar security risk that involves both Navigator and Explorer on Windows NT and Memphis, the next version of Windows 95.

    Today, Microsoft representatives said that there is a remote possibility that a password could be intercepted over the Net using an SMB (server message block protocol) server. But, said Mike Nash, director of marketing for Windows NT Server, users behind corporate firewalls or proxy servers would not be at risk. Most consumers are not at risk because their Internet service providers use proxy servers, Nash said.

  • A site in Singapore demonstrated what it called a "flaw" in Explorer that could allow a hacker to turn off the browser's built-in security settings. Although the site demonstrates a program that turns Explorer's security off, the browser does first warn users that they could be downloading malicious code. Both Navigator and Explorer permit users to download potentially damaging executable code but generally warn users of security risks before they do so.
