Ditch IE – veteran bug hunter • The Register

Ditch IE – veteran bug hunter

Guninski nails another vulnerability

By John Leyden • Get more from this author

Posted in Security, 4th January 2002 17:09 GMT

Free whitepaper – The starter PKI program

Veteran bug hunter Georgi Guninski is recommending disabling Active Scripting - or ditching Internet Explorer entirely - after he discovered yet another vulnerability with the browser.

IE allows hackers to browse known local files using a specially crafted script due to a bug in the browser's GetObject() JScript function, Guninski reports.

The vulnerability, which is similar to previous directory transversal bugs and relates to how GetObject() interacts with the "htmlfile" ActiveX object, could allow the execution of arbitrary code on a target machine. Internet Explorer version 5.5 and 6.0 are thought to be affected.

Microsoft was informed about the problem on December 11 and has yet to issue any response on the issue; but Guninski has produced test code to validate his warning, the latest in a long line he has made about IE.

This is evident from Guninski's advice that users should not use "IE in hostile environments such as the internet", which pending a surprise mass defection to Opera, is hardly very practical.

Yesterday Microsoft sent out an email to .Net Passport user strongly urging them to review the security of their browsers and apply a cumulative patch it issued in December. Users can check what security upgrades they might need here. Although there's nothing there to protect users from the latest risk, this is still well worth doing. ®

MS releases mother of all IE security patches
Guninski finds new ActiveX security hole in OXP
Lookout for Internet Explorer bugs
MS gets hacked off with bug hunter
Guninski finds another IE 5.5 security hole
MS moves slowly to patch latest IE5.5 hole

Free whitepaper – Securing your Microsoft Internet Information Services (MS IIS) web server