Security hole found in Explorer

Microsoft Corp.’s Web browser Internet Explorer has a security vulnerability that could let a malicious webmaster take over a user’s computer, a security expert has noted.

Georgi Guninski, a well-known Bulgarian bug hunter, recently posted a security advisory on his Web site. Guninski ranks the problem as high risk.

Malicious Web masters can exploit so-called “.chm” files, a compressed help file format, to execute arbitrary programs on a user’s computer, Guninski said. The bug also allows viewing of temporary Internet files stored on the user’s hard drive.

Guninski said he reported a similar vulnerability to Microsoft “some time ago.” The software was fixed by allowing .chm files to run programs only if the .chm was loaded from the local system. Guninski said this is no longer a limitation. He discovered a way Web masters could access temporary Internet files on other users’ machines. Explorer saves pages in the folder called Temporary Internet Files.

“It is possible to find the temporary Internet files folder,” Guninski said.

Explorer creates several of these folders on a PC using random names. With a special HTML document, a malevolent webmaster can reveal the name and location of a temporary Internet files folder.

Once a folder name is known it is possible to cache a .chm file in any folder and execute it, Guninski said.

Until Microsoft has issued a patch for the problem users can protect their computer by disabling active scripting, a browser function that has repeatedly been associated with security issues.

Affected programs are Microsoft’s Internet Explorer Versions 5 and higher. Because Explorer is integrated in Microsoft’s e-mail clients Outlook and Outlook Express are also affected. Other versions may also be unsafe, but those have not been tested, Guninski said in his advisory.

As of press time, Microsoft could not be reached for comment.

-IDG News Service

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now