A serious security flaw has been discovered in Microsoft Corp.’s Internet Explorer browser that could potentially allow the operator of a Web site to secretly run programs stored on someone’s personal computer.
Microsoft executives said Monday they were testing a solution for the problem and expected to have it quickly posted to the company’s site on the World Wide Web.
The problem could result in all sorts of mischief, such as someone preventing another person’s computer from starting up or sending e-mail from another person’s account, said Simson Garfinkel, an independent expert on computer security.
“It is as if you allowed someone to type on your computer and you go out to lunch,” said Garfinkel, an author of Internet security books and columnist for HotWired magazine and the Boston Globe.
Internet Explorer, Microsoft’s software for accessing the Web, is used by millions of people worldwide. Microsoft estimates it has a 25% to 30% market share, behind Netscape Communications’ Navigator program.
Paul Balle, a product manager for Microsoft’s Internet Explorer team, said the software bug was discovered last week by a student at Worcester Polytechnic Institute in Worcester, Mass.
The student, Paul Greene, and his friends posted information about the flaw on their Web site Monday. After verifying the problem was legitimate, Microsoft programmers immediately began work to correct it, Balle said.
Balle said the bug is especially worrisome because it bypasses even the highest levels of Internet Explorer’s security systems.
“We take this very seriously,” Balle said. “The moment we found out about it, we got our developers and program managers on it.”
On his Web page, Greene noted that “Windows 95 comes with a variety of potentially damaging programs which can easily be executed.” For example, Greene said certain links could create and delete some directories on a Windows 95 machine.
Balle said that in the year that Internet Explorer versions 3.0 and 3.1 have been available, this was the first time the security problem had been reported to Microsoft. The problem is primarily in those versions of Internet Explorer but might affect previous versions, he said.
Greene said in an interview with InfoWorld Electric, posted to that Web site Monday afternoon, that the problem appears only to affect Internet Explorer and not Navigator or other non-Microsoft browsers.
“The ramification for IE is that any anti-Microsoft jerk can set up their Web site to be destructive to anyone using Internet Explorer and safe for all other browsers,” InfoWorld quoted Greene as saying.