To: cheryl williamson who wrote (18922 ) 8/28/1999 4:19:00 PM From: Michael F. Donadio Read Replies (2) | Respond to
Hi Cheryl, MSFT giving SUNW another opportunity to shine:dailynews.yahoo.com IE5 Security Hole Makes Users' PCs Vulnerable a treacherous design flaw in Internet Explorer 5.0 -- is perhaps the most serious ever. It allows anyone with a Web page to take over your computer system via a few simple lines of text within the HTML (hypertext markup language) code that comprises the page. If you so much as visit the page, your system may be subject to the exploit. As if this weren't bad enough, hostile HTML code can also be included in an e-mail message. This is possible because many e-mail programs, including Outlook Express, Outlook, Eudora Lite, and Eudora Pro, invoke IE5 "behind the scenes" to display e-mail that contains HTML code. So, even if you are not using IE5 for your usual Web browsing, you may be susceptible. Finally, the exploit can be triggered if you read Internet newsgroups with IE5, because -- as with e-mail -- a public message posted to one of these groups can contain the hostile HTML code that compromises your system. ActiveX-ploit Guninski's discovery involves an ActiveX control, included with IE5, which is designed to create "scriptlets" -- small programs that run on the user's machine when he or she views a Web page or e-mail message. (The control is called "Object for constructing type libraries for scriptlets".) Unfortunately, the ActiveX control has free access to the user's file system, and can easily be made to run amok, overwriting vital system files or planting Trojan Horse programs within the system. Because Windows 95, Windows 98, and Windows NT systems are all susceptible, the hole allows anyone with a Web page to plant malicious programs such as Back Orifice or Back Orifice 2000 on the system, invisibly taking it over. Guninski's explanation of the hole, and the ways in which it can be abused, can be found at nat.bg . ActiveX, a scheme used by Microsoft to create software "components" that can be run by other programs, has been critiqued by computer security experts because it lacks safeguards against abuse by malicious hackers. ...
