Internet Explorer hole uncovered

Microsoft delays force researchers to Gopher broke...

By Joey Gardiner, 5 June 2002 13:00

Another serious security hole has been discovered in Microsoft's Internet Explorer browser which could allow a malicious hacker to take control of a victim's computer or run denial of service attacks.

The flaw, found by Finnish security firm Online Solutions, has yet to be confirmed by Microsoft and no patch has as yet been issued. Online Solutions said it was going public with the vulnerability anyway because Microsoft's timetable to get the problem fixed was too slow.

The problem is a buffer overflow in part of IE which deals with Gopher web pages. Gopher is an internet protocol which predates the world wide web and has mostly been abandoned since the introduction of the hyper-text transfer protocol (HTTP). However, most browsers support Gopher in order to allow users to view legacy Gopher sites.

All a user would have to do would be to go to a malicious Gopher site, and a hacker could use the flaw to run code of his or her choice on a victim's computer. A user could easily be directed to such a site via a hyperlink without the user's knowledge, Jyrki Salmi, MD of Online Solutions, said.

He added: "This is very serious. A hostile website could install and execute any program it wants without the user ever realising."

The hole is the latest in a long line of security vulnerabilities to be found in Internet Explorer, and follows a publicly stated renewed commitment to security from Microsoft.

However, in a statement today Microsoft was critical of Online Solutions for going public before bringing the hole to its attention. The statement said: "We are concerned that this report's publication may put our customers at risk or at the very least cause customers needless confusion and apprehension.

"Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

However, Online Solutions' Salmi defended his decision to publicise the flaw, claiming he had not made public enough information to allow a hacker to exploit the flaw.

He said: "We told Microsoft about this two weeks ago - it took them over a week just to acknowledge our filing. Now they are working on a fix but yet again we are disappointed by the timetable to get it delivered, especially when there is such a simple work-around."

He said concerned users could just turn off the Gopher client within IE to ensure safety.

He added that an earlier IE flaw discovered by Online Solutions had been fixed within three days when the company went public with it, despite Microsoft insisting previously it would take a month to fix. He said: "It seems Microsoft only take security seriously once the media spotlight is on them. We're keen to speed up the process for everyone."

Microsoft was unable to provide a spokesperson to comment on the story, but in its statement confirmed it was taking the issue seriously and was moving forward to provide a resolution "with all due speed".
