Another bug in Explorer

Aleph One (aleph1@DFW.NET)
Fri, 09 May 1997 13:44:26 -0500

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.

--Boundary_(ID_aC7P03TjA+nv8imLlteY+w)
Content-id: <Pine.SUN.3.94.970509134206.20903C@dfw.dfw.net>
Content-type: TEXT/PLAIN; CHARSET=us-ascii

http://www.news.com/News/Item/0,4,10487,00.html?nd

Another bug in Explorer
By Alex Lash and Nick Wingfield
May 8, 1997, 11:45 a.m. PT

Microsoft's (MSFT) respite from the wave of
security bugs that hit Internet Explorer in March is
over.

The latest security bug affects users of Internet
Explorer 3.x. Also affected are users of the
platform preview release of Explorer 4.0 who also
have PowerPoint, Microsoft's presentation
software, loaded onto their computers. The glitch
could allow a malicious Web site to execute any
program on a user's computer without permission,
including deleting files and uploading private
information.

Microsoft said today that it found out about the bug
yesterday and will provide a fix on its Web site later
today.

Many security analysts believe that the problems
that have bedeviled Explorer stem from the
browser's close integration with older technologies,
including the Windows 95 and NT operating
systems and its ActiveX software component
architecture (formerly known as OLE). The analysts
have questioned whether Microsoft may have
skimped on security planning in its rush to retrofit
those technologies for the Internet.

The latest security glitch adds a new twist since it is
caused by the integration of Explorer and
PowerPoint, part of Microsoft's extremely popular
Office 95 and 97 application suites. There are
approximately 60 million Office users, according to
the company.

"A number of these bugs or holes we've seen in the
last six months failed to result in any major data
loss, but the fact they're there is significant," said
Stephen Cobb, chief analyst at Cobb Associates.
"Microsoft hasn't gone out and rounded them up. I
would have thought that when the first of these
holes appeared, they would go back and do a
serious review of their strategy."

The glitch involves a PowerPoint feature called
action settings that is innocuous when used on a
standalone PC. Using action settings, creators of
presentations can cause PowerPoint to launch any
executable program by clicking on or passing the
cursor over any image or text.

On the Internet, though, the feature could be
exploited by a hacker to trigger a variety of
malicious actions, such as launching an FTP client to
upload private documents to a Web site. When an
Explorer user clicks a hyperlink on a Web site to a
PowerPoint presentation, PowerPoint is
automatically launched from their computer,
displaying the presentation within the frame of their
browser.

Because the presentation does not contain any
executable code itself but instead points to
executables already on the user's computer, the
user does not receive any warning before
downloading the program.

"The problem comes largely from the integration
[between Office and Explorer]," said Andrew
Smith, a Webmaster for Kaiser Permanente in
Latham, New York, who discovered the problem.
"I see that the integration is very useful on an
intranet. I personally like stuff like that, but I see the
potential on the Internet to cause problems."

Smith said he discovered the problem yesterday
and notified Microsoft immediately. He said that he
tested a fix today from Microsoft that warns users
about potential security risks before they download
a PowerPoint presentation, and that it works. Smith
has posted a Web site that demonstrates the glitch.

Today, Kevin Unangst, an Explorer product
manager at Microsoft, said that the problem would
affect other browsers such as Netscape
Communications' Navigator, but admitted that it
would be easier to exploit in Explorer because of its
integration with PowerPoint.

"This can happen in any browser, but it's a bit easier
in Internet Explorer because PowerPoint displays in
the frame," he said.

Beth Herrell, an Office 97 product manager at
Microsoft, said that Microsoft did not anticipate the
implications of the PowerPoint feature when used
on the Internet but that the company is loath to
remove features. Herrel said the company would
look more closely at Office in the future to evaluate
the potential risks of certain features.

"In a lot of cases, there are a lot of features in
different products that can be misused in this new
paradigm," she added.

--Boundary_(ID_aC7P03TjA+nv8imLlteY+w)--