IE 5 Security Hole Found Doozy of a Security Hole Paul Jones
Bulgarian hacker Georgi Guninski, who claims to search for security holes for the intellectual challenge, has repeatedly exposed dangerous security holes in Microsoft products. And he's found a doozy in Microsoft Internet Explorer (IE) 5.
He found a security hole that allows anyone with a Web page to take over your computer system via a few simple lines of code within the HTML code that makes up the page. Just by visiting the page your machine may be subject to the exploit. And that's not all. Because so many email clients now support HTML-formatted email messages, malignant individuals can also include ill-meaning HTML with their email. Reading newsgroups with IE 5 can also leave your system vulnerable, since newsgroup messages may also include HTML code.
Guninski's discovery makes use of an ActiveX control that is designed to create "scriptlets" that run on a user's machine when he views a Web page or email message. This particular control, called "Object for constructing type libraries for scriptlets", has free run of the user's files and can easily be made to overwrite files, place hostile programs on the hard drive, and generally cause oodles of damage.
Windows 95, Windows 98 and Windows NT systems are all at risk, and the security hole allows anyone with a Web page to plant harmful programs on the system. Many computer security experts have warned that ActiveX lacks safeguards against abuse by destructive hackers.
To put things in perspective, one's chances of coming across an email message or Web page that exploits this hole are quite slim (or were until this story hit the Internet), but the possibility is there. And if you do come across malicious code it could do severe damage.
Typically, Microsoft posts patches for these types of security holes, but the patches themselves have flaws in some instances. If you don't want to wait for a patch, you can do this yourself by following all of these steps:
Change the default security setting for the Active Desktop's "Internet Zone" from "medium" to "high"
Disable the "Script ActiveX controls marked safe for scripting" option
Disable the Active Scripting feature
Disable all ActiveX controls and plugins
Do you plan to fix this yourself or wait for a patch? Vote in the poll below!
