IE 5.5 hole lets hackers read files
By Gwendolyn Mariano
Staff Writer, CNET News.com
October 18, 2000

A veteran bug hunter has detected a security hole in Microsoft's Internet Explorer 5.5, Outlook and Outlook Express. Georgi Guninski of Bulgaria published his "high risk" advisory of the exploit Wednesday, warning of a security vulnerability in which a malicious person could read files and URLs after enticing someone to view a Web page or read an HTML message that the malicious person created.

"It's definitely a high risk," said Elias Levy, chief technology officer for SecurityFocus.com. "We assume that the only thing people can do is read files--that's pretty damaging in and of itself, but at least for now people aren't able to write or execute programs through your machine. They can only read files from your machine or read Web pages."

Levy added that a hacker could also get into someone's computer system by delivering an email of a Web page to someone who uses Outlook or Outlook Express.

Levy said that the problem appears to be in the code that bridges Internet Explorer and Java via the object tag. The object tag is a way to run plug-ins, Java applets or other external programs within a browser.

Microsoft's Security Response Center said it is investigating the reported vulnerability, which the company was notified about Saturday. "We are thoroughly investigating (the vulnerability) just like we do with all these," a Microsoft representative said. "We're very committed to keeping our customers' information safe. As soon as we have more information, we'll be sure to get that out to our customers."

Early this month, Guninski circulated another advisory that warned people using Microsoft's Internet Explorer 5.5 of a security hole that could let a hacker enter their computers and tinker with files.
