Microsoft is facing yet another Internet software security problem in what's fast becoming a familiar cycle of user complaints, bug reports and software patches.
The latest scare, revealed last week, concerns a flaw in Internet Information Server (IIS) 3.0 which reportedly allows users to access Active Server Pages, or .ASP files. These are executable files that are supposed to remain invisible to the user because they often contain sensitive information, including SQL Server passwords.
However, a group of users has reported that they trespassed on the .ASP files by replacing the dot in the URL file name with %2e.
The problem comes less than a month after Microsoft posted a patch to keep users from reading the contents of .ASP files by appending the URL with a dot.
Microsoft has also confirmed that it has released the beta version of Internet Explorer 3.02. The release incorporates patches to security gaps in that product.
"Microsoft has become notorious for this kind of stuff," says Jordan Stone, a senior analyst with Infonetics Research in San Jose, California. "Products are often rushed out, and then 24 hours later they have thousands of calls on their bug report line. But this kind of thing is more serious than a bug on a word processor."
Tanya Van Damme, group product manager for IIS, says the problem could be caused by faulty installation of the February 27 hot fix.
Microsoft, in Redmond, Washington, is at http://www.microsoft.com.
Microsoft Security Woes in February 1997:
* ActiveX controls. Hackers used ActiveX to get sensitive information from PC hard drives and to shut down users' PCs
* Internet Explorer. Flaws gave hackers access to remote computers
* Internet Information Server 3.0. Bug allowed users to view the contents of Active Server Pages