http://www.lasvegassun.com/sunbin/stories/tech/2002/jun/04/060408242.html June 04, 2002 REDMOND, Wash. - A security flaw in Microsoft's Internet Explorer browser could allow a hacker to take control of a remote computer if its user clicks a link to an outdated Internet protocol, a computer security firm says. Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp. of the security hole on May 20 but the software giant has yet to produce a software patch to fix the problem, the Toronto Star reported Tuesday. A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers. The problem concerns Gopher, an Internet protocol that predates the World Wide Web with pages like Web pages except that they are unable to store audio and video content. Although Gopher is considered an outdated format for Internet content, it is still supported by Internet Explorer and most other browsers. According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site." That one click would install and run any program the hacker chose on the victim's computer, and the victim might never know. "The program could, for example, delete information from the computer or collect information and send it out from the computer," Oy Online said in a release. "(It) could also install a so-called backdoor (program) that would enable the hostile attacker to access the computer later." All versions of Internet Explorer are believed to be vulnerable, the Star reported. Refusing to confirm the security flaw, the Microsoft spokesman said the company "feel(s) strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information." And the spokesman added, "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk." After being embarrassed on an almost regular basis by security flaws in its products - including a debilitating problem found in its latest Windows XP operating system just days after its release - Microsoft began a companywide training program on security issues earlier this year. In January, Microsoft Chairman Bill Gates instructed employees to make software security a top priority. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 04:31:34 PDT