Microsoft has issued a fix for most of the Internet Explorer users vulnerable to a security hole discovered this week - those lucky enough to be able to connect with Microsoft's Website, that is.
The software patch fixes a big discovered by a Massachusetts student, Paul Greene, who says he stumbled across the flaw while working on a class project. Potentially, it would allow malicious Web page writers, by using .LNK and .URL files, to covertly run programs on a remote computer, even when the browser is set to its highest security level.
The problem concerns versions of Internet Explorer running on Windows 95 and NT - versions 3.x and, contrary to earlier reports, 2.0. IE 2.0 users will need to upgrade to the later version of the the browser in order to be able to use the fix. Patched copies of the software will show an "a" next to the version number displayed in the About Internet Explorer menu item.
Code to patch English-language copies of IE running on Intel versions of Win95 and NT has been posted, and Microsoft says fixes for international versions of IE, and users running Alpha, PowerPC and MIPs Windows NT platforms will be available within days.
Unfortunately, Microsoft's corporate site, where the code is stored, was almost impossible to connect with yesterday, whether through demand for the fix, or for some other reason. New Zealand customers wanting more information can call 09-357-5576.
Microsoft has been quick to point out that no one has reported being hurt by the bug since Explorer 3.x has been available, and that problems can arise only if someone intentionally uses it to hack another computer - "anti-Microsoft jerks," in Greene's words.
And officials in Redmond say they can't anticipate every nefarious deed up some hacker's sleeve.
"There are just people out there who don't like to see anything good happen, period," says Dave Fester, lead product manager for Explorer. "There are people who love to hack in and hurt people."
Many in the industry echo Fester's sentiments.
"[The bug] does seem kind of obvious, doesn't it? But when you're building products, your mind-set isn't 'Gee, who would want to do damage to somebody with this and how would you do that?'" says Rob Enderle, senior analyst at Giga Information Group.
"Until we learn about all the [security] exposures, those exposures are going to exist," says Enderle. "I guess that's the nature of change. Since we discovered the Internet, there are some exposures that we haven't gotten our arms around yet."
Internet Explorer 4.0, due to be released in beta version in a few days, will serve as an interface for future versions of Windows operating systems. Observers say issues such as the Explorer bug will be around then, too, and may be more consequential.
"As operating environments are becoming ever more complex, the interaction of the various features becomes an important thing to consider," says IDC analyst Dan Kusnetzky. "I am not at all surprised to see unusual interactions between the different components of an operating system."