October 1, 1999 Web posted at: 12:30 p.m. EDT (1630 GMT) by Matthew Nelson

From...

(IDG) -- Microsoft's Internet Explorer 5 (IE5) browser got hit with another one-two punch of coding bugs this week, as reports surfaced of a bug that allows documents to be stolen even through a firewall, and of the altering of HTML tags by the browser's rendering engine.

Security Expert Georgi Guninski, who has posted numerous reports of bugs and security issues with several Microsoft products, is warning users of a bug that would allow malicious hackers to steal and read data off of an IE5 machine, even through a firewall.

The attack would take the form of HTML JavaScript that would be activated when a user visits an Internet site or through other means. Once activated, the JavaScript would then begin downloading files not out to another computer, which would be detected by a firewall, but rather back to the computer itself.

	MESSAGE BOARD
Microsoft

"This one is a spoofing attack. It downloads a file, and it downloads it from your computer to your computer. Once it's downloaded the file from itself to itself, that information is downloaded to any IP address," said Steve Anderson, vice president of marketing at BigFix, a bug fixing service in Berkeley, Calif., which is assisting Guninski in warning users.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
InfoWorld forums home page
InfoWorld Internet commerce section
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
Security hole in IE 5 reportedly exposes user names, passwords
New IE5 flaw: Microsoft advises users to protect themselves
ActiveX security glitch found in IE 5.0
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

"It's kind of like a submit button on an HTML. The reason it can get through the security is cause it's downloading to itself. Which it really shouldn't be able to do," Anderson said.

Microsoft is aware of the bug and has issued an alert which recommends that users disable the active scripting aspect of IE if they so desire.

"We're recommending as a work-around that customers who are worried about this vulnerability disable active scripting, while we develop a patch for this," said Scott Culp, security product manager on the security response team at Microsoft.

Culp also stressed that the bug will not allow hackers to steal or alter information; they will only be able to read it.

"The only thing that a Web site can do with this is read selected files from a users machine if they know the name of the file," Culp said.

BigFix's Anderson, however, said Microsoft's advice belies the importance of the bug.

"Microsoft felt heavily enough about this to disable active scripting," Anderson said. "It affects their [Windows] NT servers and all the things that are supposedly bulletproof."

Microsoft is currently working on a patch for the problem.

Also this week, BugNet and its parent company KeyLabs, in Lindon, Utah, have confirmed the existence of a rendering bug with IE5 that could impact web developers.

When using IE5 and Microsoft's underlying MSHTML editing and rendering engine some HTML tags can be corrupted using the default setting of "Web Page, complete," according to the KeyLabs report.

When the MSHTML engine renders documents on the fly, it can delete quotation marks around HTML element attributes. And while the corrupted code may still be viewed over the Internet, it is not compliant with XML (Extensible Markup Language) standards, and therefore will be inaccessible to XML parsers, according to the report.

Microsoft is aware of the issue, and has recommended at least in the interim to use the "Web Page, HTML only" option.

Matthew Nelson is a senior writer for InfoWorld.