Microsoft IE5 Allows Websites to Read Private Files
by Dave Murphy
ISSN 1535-3613

Dave Murphy, DGL President & ITrain founder

Microsoft admits that there is a significant security hole in Internet Explorer 5. The problem is reported in its Security Bulletin MS99-040. The vulnerability could allow a website to read a file on the computer of a user visiting the site. The hole also extends to reading files on other computers connected to the visitor's Local Area Network and intranet. The details of this article are excerpted from Microsoft's security bulletin.

This problem lies in the implementation of a feature in IE5 called "Download Behavior." This feature allows webpages to download files for use in client-side script. By design, these files must reside on the same domain as the webserver providing the pages. This restriction is intended to prevent a webpage's client-side script from accessing files on the client PC or the local intranet.

A malicious webmaster could use a server-side redirect to bypass the domain restriction. This would allow the website to copy files from the user's machine or the user's local intranet to the web server and read them.

A script is a program, usually one written in a language like Visual Basic or JavaScript. Some software is designed to run on the server, while other software is designed to be run by the web browser, also known as a web client. Client-side script is just software designed to be run by the browser.

A server-side redirect is a mechanism that is normally used by webmasters to navigate web browsers to different pages, similar to a "meta refresh". In the case of this exploit, the server-side redirect tricks the download behavior, causing it to download a page from a domain different from that of the web page. If a malicious webmaster knew or could guess the name of a file and its location, it would be possible for him to read the file from the user's computer or the intranet to which it was connected.
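The flaw described above is a same-domain check that is applied only to the URL the page asks for, not to where a server-side redirect actually sends the download. The following is an added illustration, not code from the article or from Microsoft: a simplified model of that check with a weak version (initial URL only) beside a corrected version that re-checks every redirect hop, using a constructed redirect table and made-up hostnames.

```javascript
// Added example (not from the article or Microsoft): model of the origin
// check a "download behavior" must apply when the fetched URL redirects.

// Constructed redirect table standing in for the servers' responses.
// Key: requested URL; value: Location header of a redirect, or null for a
// final (200) response. Hostnames are made up for this example.
const REDIRECTS = {
  "http://example.com/data.txt": null,
  "http://example.com/jump": "http://intranet.example.internal/secret.txt",
  "http://intranet.example.internal/secret.txt": null,
  "http://example.com/loop": "http://example.com/loop",
};

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Weak check: only the initial request is compared against the page origin,
// so a redirect to another domain is never noticed.
function weakDownloadAllowed(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// Corrected check: follow the redirect chain, comparing each hop to the page
// origin, and refuse if any hop leaves it or the chain never terminates.
function strictDownloadAllowed(pageUrl, requestUrl, maxHops = 10) {
  const pageOrigin = originOf(pageUrl);
  let current = requestUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (originOf(current) !== pageOrigin) return false;
    const next = REDIRECTS[current];
    if (next === null) return true;      // final response, same origin
    if (next === undefined) return false; // unknown target: deny by default
    current = new URL(next, current).href; // resolve relative Location values
  }
  return false; // too many redirects
}
```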

As an immediate step, users who are concerned about this vulnerability can safeguard their computers by disabling Active Scripting. To do this, do the following:

  1. In IE5, select Tools | Internet Options, then click on the Security tab.
  2. Select the Internet Zone, then click on the "Custom Level" button.
  3. Under "Scripting", find the entry labeled "Active Scripting" and set it to "Disable."
  4. Click OK twice to return to IE5.

If you visit web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting in order to use a site that you trust, you may wish to consider adding the site to the Trusted Zone as follows:

  1. In IE5, select Tools | Internet Options, then click on the Security tab.
  2. Select the Trusted Sites Zone, then click on the "Sites" button.
  3. Type the URL of the site then click on the "Add" button.
  4. Click OK twice to return to IE5.

The patch will deliver a new version of Download Behavior that can only download files from the domain that was the source of the web page that requested the download. When the patch is available, we will re-release the bulletin and post it on our Security Advisor site.

What do you think? Have you experienced a security hack using Internet Explorer? Which browser do you think is most secure: IE5, Navigator, Opera, or another? Leave your comments on the message center.

MS Security Bulletin MS99-040
MS Security Advisor


ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com.

Previous issues are on our website at http://dgl.com/itinfo/.

updated September 29, 1999
http://dgl.com/itinfo/1999/it990929.html

Copyright © 1999, Damar Group, Ltd., All Rights Reserved