IE 5 bug-free? Don't believe it


It was only a matter of time (one week, to be precise) before a bug turned up in Microsoft's latest browser. Just seven days after Microsoft released Internet Explorer 5, security researcher Juan Carlos Cuartango announced that the browser has a serious security flaw that could allow Web sites to read the contents of your clipboard while you're interacting with Web pages. Meanwhile, bug sleuth George Guninski discovered three other flaws that could allow Web hackers to access files on your system.

When these vulnerabilities were first reported, a Microsoft employee posting to a Windows NT security mailing list confirmed their existence and said fixes were on the way. Microsoft has acknowledged these issues and advises security-conscious users to change default security configurations to eliminate the weakness. As with most browser security flaws, no attacks exploiting these are known to have occurred. Nevertheless, Microsoft says it is working on an update to prevent Web servers from accessing client clipboard and file data. But now that the cat's out of the bag, you should take steps to protect your system.

To close the security holes in your copy of IE 5, choose Tools-Internet Options-Security, click the Custom Level button, and scroll down to the "Active scripting" and "Allow paste operations via script" settings. Set both to Disable, and then click OK to finish.

You may encounter yet another problem if you send or receive messages that are digitally signed or encrypted using IE 5's version of the Outlook Express mail and news reader. Before accepting messages, Outlook Express consults a third-party certificate authority to confirm that the digital certificate used in signing and encrypting is still valid. The lists of revoked certificates that these authorities maintain can be as large as 500KB, so the process can seem interminable, and you might mistakenly believe that the program has crashed. Fortunately, you can turn off revocation checking: select Tools-Options-Security, click the Advanced button, and select Never in the Revocation Checking area. Click OK twice to finish.

- Scott Spanbauer


Category:bugs and fixes
Issue: July 1999

These Web pages are produced by Australian PC World © 1999 IDG Communications