Bug hunter finds another hole in Microsoft IE browser

[William Knowles <wk () C4I ORG>]

http://news.cnet.com/news/0-1005-200-2939733.html?tag=st.ne.1002.bgif.ni

By Patricia Jacobus
Staff Writer, CNET News.com
October 5, 2000, 2:20 p.m. PT

Only a week has passed since the last time Bulgarian security expert
Georgi Guninski exposed a potentially dangerous bug in Microsoft's
software, and already he has stumbled upon another problem.

Guninski's terse "high risk" advisory circulating on the Net this
morning warned people using Microsoft's recently released Internet
Explorer 5.5 of a security hole that could let a hacker enter their
computers and tinker with files.

An intruder "could not only read files but write and execute programs
on a person's computer," said Elias Levy, a SecurityFocus.com analyst
and moderator of Bugtraq, where the advisory was posted. "This hole
allows someone to reach into the whole computer."

The problem lies with the complexity of two subsystems. Guninski found
the latest hole by running Microsoft's ActiveX technology, which
manages the sending and receiving of files. Combined with Java, the
technologies allow a hacker to gain access to a victim's computer,
which wouldn't be possible if the systems were run independently.

A Microsoft representative said that the company's Security Response
Center is investigating the vulnerability. The center, which just
today announced it has hired former SecurityFocus director Eric
Schultze, has received about 5,000 bug notifications since the
beginning of the year. Of those, only 400 required full
investigations, resulting in 70 security patches so far.

Before issuing a report, Guninski usually gives the targeted company
24 hours to fix the problem.

"That's not enough time," the Microsoft representative said. "Our
biggest concern is that in a worst case scenario, it puts the customer
at risk. The information is out there, and the bad guys can get their
hands on it. In the best situation, it's unnecessarily spinning people
up."

Levy has urged a solution to the browser troubles that go beyond
providing patches.

"This is a good opportunity to focus on what can really be done to
stop the never-ending flow of bugs," he wrote in an email posting. "It
is obvious that the current approach of releasing code and patching it
when a bug is found is not working. The security technology in
consumer operating systems is woefully inadequate for the Internet
age."

Last week, Guninski found that hackers could break into a victim's
computer records--including cookies, or digital tags that reveal
valuable information about people--using Microsoft's ActiveX
technology. Microsoft previously has investigated a security
vulnerability in its Internet Explorer browser that threatened to give
attackers free rein in reading known files on targeted computers.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".