IE 3 security hole discovered; Microsoft responds quickly

Microsoft announced this morning that they are test a patch for a securityhole found in Internet Explorer 3.0 that allows a rogue hyperlink (.LNK)or URL (.URL) shortcut to launch applications on the user's machine from across the Internet. Security settings have absolutely no effect on theshortcuts, which are free to wreak havoc by starting apps, or create and remove directories,

Microsoft promises to provide a fix within 48 hours at:http://www.microsoft.com/ie/security/update.htm

They also mentioned that, despite the widespread use of Internet Explorer,no one has ever complained of this problem. The bug was found by PaulGreene, of Worcester Polytechnic Institute in Massachusetts. He has createda Web site that demonstrates the launching of the Windows calculator program and other feats that should be impossible.

"The ramification for IE is that any anti-Microsoft jerk can set up their Web site to be destructive to anyone using Internet Explorer and safe for all others browsers," Greene said. This security breach can only be causedby someone intending to do it; it will not happen by mistake.

Microsoft has come under increasing pressure lately as more and moresecurity problems are discovered in their products. Last month, for example, German hackers demonstrated how ActiveX controls could gain illegal access to bank accounts. The shortcut bug in IE 3 is not related to ActiveX, it should be noted, and does not affect Netscape Navigator users.

Want more information?
Cybersnot Industries: Internet Explorer Bug