PC Week: Analysis: IE 5.0 flaw makes PCs vulnerable

“Some hackers search for security holes in order to exploit
them; others look for them for the sheer intellectual challenge.
The latter is the case with Bulgarian hacker Georgi Guninski, who
has repeatedly exposed dangerous security holes in Microsoft Corp.

Guninski’s latest discovery — a treacherous design flaw in
Internet Explorer 5.0 — is perhaps the most serious ever.
It allows anyone with a Web page to take over your computer system via
a few simple lines of text within the HTML code that comprises the
page. If you so much as visit the page, your system may be subject
to the exploit.

As if this weren’t bad enough, hostile HTML code can also be
included in an e-mail message. This is possible because many e-mail
programs, including Outlook Express, Outlook, Eudora Lite and
Eudora Pro, invoke IE 5.0 ‘behind the scenes’ to display e-mail
that contains HTML code. So, even if you are not using IE 5.0
for your usual Web browsing, you may be susceptible.

Finally, the exploit can be triggered if you read Internet
newsgroups with IE 5.0 because — as with e-mail — a public
message posted to one of these groups can contain the hostile HTML
code that compromises your system.”

“Since Microsoft has not posted a patch or even an advisory
about the ActiveX scripting hole Guninski discovered, users must
take steps themselves… A partial solution is to run a different
browser, such as Netscape Navigator or Opera. … However, because
IE 5.0 is very tightly ‘wired’ into Windows 98, and may pop up
unexpectedly or be invoked by third-party programs… it is also
important to take measures to disable the ActiveX feature that
causes the vulnerability.”

