Internet Explorer Does it Again

Security Warning

March 7, 1997 - Yet another security hole has been found in Microsoft's(TM) Internet Explorer v3.01a. This is not the same hole reported by the trio of WPI students a few days ago. This hole allows a malicious web page to automatically run any program on the user's hard drive, which means that users of Internet Explorer could have their hard drives completely deleted, their private information stolen, or their computer infected with a virus merely by looking at a web page.

This bug works on a principle similar to that of the bug discovered at WPI. However, instead of using .lnk files or .url files, this bug exploits the fact that other files can also be downloaded and automatically executed without prompting the user for permission. This bug is not fixed by the security patch which Microsoft put out for the WPI bug.

This bug has thus far been verified only on the Windows 95 version of Internet Explorer. It does not appear to affect Windows NT (any service pack/version) in its usual configuration.

The Exploits

These exploits are harmless and are for demonstration purposes only. However, they could easily have been made very harmful if that had been our intent. These demos require that the "Internet Wizard" be present on your system. It is the Internet Wizard that parses the ".ISP" files. You must also have Win95 located in "C:\WINDOWS". Note, however, that a script to delete a whole hard drive wouldn't care where Windows is located.

The Truth

There was some confusion in the press when the WPI bug was announced as to the actual severity of the bug. To keep this confusion from occurring again, we would like to set some things straight from the start:

Microsoft's Official Bugfix (3/8/97 2:47pm)

Our Third-Party Bugfix (3/8/97 12:25am)


Microsoft is a trademark of Microsoft Corporation.