Microsoft addresses IE security hole
October 15, 1998
Web posted at 11:50 AM EDT
by Jeff Walsh
From...
(IDG) -- Microsoft
confirmed the existence of a
security problem with
Internet Explorer on Tuesday
and said it will patch the hole
as soon as possible,
according to a company
representative.
The security breach, which works around existing security
features in the browser, enables a hacker to develop a
script to retrieve a file from a user's desktop system,
provided the path and filename are known. In the same
manner, a script can also execute a "paste" command to
retrieve the user's current clipboard contents.
The security problem was found by Juan Carlos Garcia
Cuartango, a Spanish Web developer, who posted
information about the bug as well as a test to see it in
action, on his Web site.
Microsoft pointed out that users
would not encounter this problem
while browsing popular Web
sites.
"A skilled hacker has to
purposefully create malicious
script on their site in order for a
customer to be affected by this,"
the representative said.
Microsoft pointed out that no
customers have been affected by
this bug, and said concerned
users can protect themselves by
disabling Active Scripting in the
Internet Zone of Explorer's
Security Zones feature.
The actual feature this bug
attacks is the capability for a user
to enter the filename of a file they
are uploading through a Web
browser. Microsoft put in
measures to prevent any scripts
from modifying the filename but did not prevent scripts
from using the "copy" and "paste" commands to get the
contents of a file on the user's system, according to
Cuartango. |
