IE security hole launches e-mail attachments
March 30, 2001
A security hole in Microsoft's Internet Explorer Web browser can cause the browser to automatically open HTML e-mail attachments that could be used by an attacker to execute malicious code, the company has warned.
The flaw exists in versions 5.01 and 5.5 of the browser and affects how Internet Explorer processes attachments to HTML e-mail encoded with the Multipurpose Internet Mail Extensions (MIME) standard, Microsoft said in a security bulletin posted to its Web site Thursday.
MIME is a widely used Internet standard for encoding binary files as e-mail attachments.
The flaw could result in IE launching an e-mail attachment automatically, which could leave computers vulnerable to malicious attack, Microsoft warned in the bulletin.
Microsoft has developed a patch that can be downloaded from its Web site. The company said Internet Explorer users should download and install the patch immediately. A fix for the MIME problem is also included in IE 5.0 Service Pack 2, so people who have already downloaded the service pack do not have to download a new patch, according to the company.
Microsoft said the problem can also be avoided if file downloads have been disabled in the corresponding "Security Zone" in Internet Explorer. That setting is not a default in Internet Explorer and would have to be selected by the user, Microsoft warned.
The company said the hole could enable attackers to run a program of their choice on the machine of an unsuspecting user.
Such a program would be capable of taking any action on the affected machine, including adding, changing or deleting data, communicating with Web sites or reformatting a hard drive.
"In order for the attacker to successfully attack the user via this vulnerability, she would need to be able to persuade the user to either browse to a Web site she controlled or open an HTML e-mail that she had sent," Microsoft stated in the bulletin.
The security bulletin comes just one day after bug hunter Georgi Guninski said he had discovered a bug in Internet Explorer that could let malicious hackers read the e-mail and computer files of some unsuspecting people.
A software developer, Juan Carlos Cuartango, reported the latest issue to Microsoft and helped prepare a patch for the security hole, according to the company.
Microsoft has been increasingly criticized in recent years for allegedly valuing interoperability between its products over security. Some security experts say that, in its effort to provide various pieces of software that interact with each other, the company has failed to address possible holes that could allow malicious hacker exploits.
Security "is an ongoing issue with Internet Explorer because it is such a complicated software that interoperates with many other applications that it is too difficult to figure out all of these vulnerabilities," said Richard Smith, chief privacy officer at the Denver-based nonprofit group the Privacy Foundation.
For instance, Microsoft's Outlook messaging software, which is used by millions of people, played a key role in the rapid spread of viruses including I Love You and Melissa.
Staff writer Lisa Bowman contributed to this report.
By Erich Luening, Copyright © 1995-2001 CNET Networks, Inc.