Bug Finder Exposes MS Again
by Declan McCullagh
4:45 p.m. 11.Oct.99.PDT
Bugmeister par excellence Georgi Guninski has done it again. The 27-year-old Bulgarian said Monday he has unearthed another gaping security hole in Internet Explorer.
The bug lets a malcontent read the contents of documents that are on your hard drive. The necessary JavaScript commands can be buried in Web pages, HTML email messages, or newsgroup postings.
Wired News verified the bug using Windows 95 and Internet Explorer 4.0, but Guninski says computers with NT 4.0, IE 5.0, and perhaps Windows 98 are also vulnerable.
A Microsoft spokesman acknowledged the problem and said the company plans to post an article on its Web site by the end of the day recommending that users disable active scripting. Microsoft said it will soon release a new version of IE without the glitch.
Guninski says that the bug probably lets an attacker do "window spoofing" -- opening a window in your browser that appears to be the location of a trusted site. But when you type in your credit card number or other personal information, it's sent to the owner of the malicious Web site.
This isn't the first time Guninski has exposed embarrassing flaws in Microsoft products. He says that so far he's found 12 security holes in Windows and IE, and his Web site lists three that -- like the one he published Monday -- let adversaries browse your hard drive. Microsoft has patched the previous 11 bugs he identified.
"The problem is the combination of IFRAME and document.execCommand. Normally, you cannot use execCommand on an IFRAME from another domain. But if you do 'IFRAME.focus(); document.execCommand' then [the] command will be executed in the IFRAME," he wrote in an email message to Wired News.
"This is not really particular to Microsoft. Netscape is just as bad most of the time. It's extremely difficult to write a secure application the size and complexity of a Web browser," says Elias Levy, CTO of Security Focus and moderator of the BugTraq mailing list.
"That's what people should not miss. People get all caught up in the bug of the week. But they seem to miss the basic reason of why we have all the security problems. It's difficult to write software and it's even more difficult to write secure software," Levy says.