IP: Microsoft Net Browser Flaw Found

[David Farber <farber () cis upenn edu>]

March 3, 1997


Microsoft Net Browser Flaw Found


Filed at 11:59 p.m. EST


By The Associated Press


SEATTLE (AP) -- A serious security flaw has been discovered in
Microsoft Corp.'s Internet Explorer browser that could potentially
allow the operator of a Web site to secretly run programs stored on
someone's personal computer.


Microsoft officials said Monday they were testing a solution for the
problem and expected to have it quickly posted to the company's site
on the World Wide Web.


...


The flaw involves basic functions found within Microsoft's
Windows 95 and Windows NT operating systems.


When a PC user clicks on a hyperlink on a Web page, Balle
explained, the Web page's creator could have that link connect to file
known as a ``shortcut'' in Windows 95 and NT. Shortcuts are widely
used to start computer programs or functions.


If the ``webmaster'' for the Web page can guess the precise location
and code needed on the user's computer, the shortcuts on the web
page could surreptitiously ``point to'' and start programs residing on
the user's hard drive.


``If they can guess it, they can get to it,'' Balle said.


The problem, Balle said, is many widely available programs such as
Windows 95 have standard locations or addresses where their
components are stored on computers. Unless a PC user
custom-installed or otherwise modified a program, the addresses
would be simple to guess.


------ Eds:


-- Microsoft's Internet site with information on the flaw is:
http://www.microsoft.com/ie/default.asp


-- Greene's site is: http://www.cybersnot.com


-- InfoWorld's site is: http://www.infoworld.com


Copyright 1997 The New York Times Company