Microsoft issues Cuartango patch

Microsoft today issued a patch for a security hole in its Internet Explorer Web browser that exposes users' files to hostile Web site operators and email senders.

The hole, named "Cuartango" after its discoverer, permitted a scripting exploit that allowed someone to swipe files off a victim's hard drive or from their network, either through a maliciously designed Web site they visited or through an HTML-based email received in a program such as Microsoft's Outlook Express or Outlook 98.

For users unable to download the patch, Microsoft recommends the temporary workaround that it offered when the hole surfaced: users can thwart potential attacks by turning off active scripting under Internet Explorer's security zones.

Microsoft Windows product manager Mike Nichols noted that no customers have yet reported actual incidence of a Cuartango exploit. There is, however, a demonstration of it posted on the company's Web site.

Microsoft has had to patch similar file-swiping holes in the past. One surfaced last month, and another last year.

The Cuartango hole affects IE versions 4.01 on Windows 95, Windows NT4, Windows 98 with integrated IE, IE 4.01 on Windows 3.1, and NT 3.51. The problem does not affect Macintosh or Unix versions of IE.

Microsoft refers to the hole as the "untrusted scripted paste" vulnerability, a reference to the way in which the exploit it permits uses scripting to paste a file name into the file upload control--something only the user is supposed to be able to do--and send it to the attacker.

The software giant is warning that all users who have the affected versions of IE on their computers should install the patch--even if they don't use the browser.

Windows 98 users can get the patch through Windows Update. The patch also is posted on Microsoft's Web site.