
November 18, 1998 12:45 PM PST

Microsoft offers patch for IE security hole

Microsoft today moved to patch an IE security hole that was a little larger than the software giant originally had thought.

The hole, dubbed "The Son of Cuartango Hole" by its discoverer, could let malicious Web site operators or HTML-based email senders view the contents of IE users' hard drives.

Microsoft issued a patch for the original Cuartango hole last month. But in a demonstration posted to the Web, Spanish bug-hunter Juan Carlos Garcia Cuartango showed that Microsoft's original patch didn't quite do the trick.

IE security holes that expose users' files have dogged Microsoft recently. In addition to the first Cuartango hole, Microsoft patched a similar hole earlier this year, and yet another one last year.

Both Cuartango holes, referred to by Microsoft as "Untrusted Scripted Paste" vulnerabilities, take advantage of the way IE handles scripted cut-and-paste operations. The hole permits an attacker to paste a file name into the file upload control--something only the user is supposed to be able to do--and then send it back to the attacker.

The newly patched portion of the security hole involved a different way of putting the filename into the file upload control.

Microsoft noted that users can work around the problem by leaving the default warning displayed when unencrypted forms are submitted. Another workaround is to turn off Active Scripting for the "Internet" Zone in IE.

As with the previously patched hole, Microsoft is urging all those who have IE installed on their computer to download the patch--even if they don't use IE as their default browser. The reason is that the hole affects software that uses IE functionality, such as HTML-based email programs.

The hole affects IE 4.01 and 4.01 SP1 running on Windows NT 4.0, Windows 95, and Windows 98, as well as IE 4.01 for Windows 3.1 and Windows NT 3.51.

IE 4.0 and prior versions are not affected, nor are IE versions running on the Macintosh or UNIX operating systems.

The 32-bit version of the patch is posted to Microsoft's site. Microsoft is still working on the 16-bit version. Both will be available through Windows Update for Windows 98 customers.
