A security flaw discovered in Microsoft 's Internet Explorer 5.0 could allow hackers to create a new file on a user's machine that kicks in the next time it's rebooted.
According to Microsoft, the issue is with an ActiveX control shipping with Explorer 5.0 for Windows 95 or 98.
Hackers can exploit the code, using it to create new files or write over existing ones when users visit a Web site, according to a Microsoft spokesman. Officials pointed out that hackers must know the specific location of files on a specific machine to use the hole.
The flaw can also be launched by e-mail to users of Outlook 98 or 2000 if they allow scripts to run. Outlook 98 or 2000 can check for scripts if users have set up the software to do so, Microsoft said. Users are also susceptible to the hole through HTML if they enabled the scripting function.
Microsoft hadn't heard from customers having problems with the flaw at press time, and a patch is expected to be available by next week on the company's Windows Update site. In the meantime, concerned Explorer 5.0 customers can disable ActiveX controls or plug-ins by going into the browser's Internet Options menu.
A Bulgarian programmer, Georgi Guninski, said he found the problem and informed Microsoft this week.