Fun_People Archive
5 Mar
Bug or Feature? Redmond Slow To Respond

Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Wed,  5 Mar 97 15:00:53 -0800
To: Fun_People
Subject: Bug or Feature? Redmond Slow To Respond

http://www.wired.com/news/technology/story/2371.html

Bug or Feature? Redmond Slow To Respond
by Kate Farnady

11:55am  4.Mar.97.PST Microsoft is "too busy looking at the big
picture," said Paul Greene, the discoverer of the latest Microsoft
Explorer 3.0 security hole - a bug that Green says has been in the
software since its release on 13 August 1996. "They're missing the
details," he said.

Greene said he happened upon the bug - which can remotely trigger
the execution of files on the user's machine - last week, by
accident. He and his two roommates, Geoff Elliott and Brian Morin,
juniors at Worcester Polytechnic Institute, first notified
Microsoft via email at 4 a.m. last Thursday.

Elliott said Microsoft PR assured him that the bug was not a big
deal. In order for this bug to work, said the email, the
perpetrator must have the aliased program on his hard drive and
know where the file is stored.

Greene responded to Microsoft's ambivalence with a public Web
site, Cybersnot, that demonstrates the bug. The site launched on
Saturday.

Paul Balle, Microsoft product manager for Internet Explorer, said
Microsoft first learned about the bug on Monday.

"As soon as we found out about it, we immediately deployed a team
of project managers and developers to address the issue," said
Balle, who told Wired News that they had a fix for the bug in
testing, and that it would be posted to Microsoft's Web site
within the next 24 hours.

Greene discovered the bug while doing group work, using a Web site
to pass along files. He used the IE option to create a "shortcut,"
or alias to a file stored on his hard disk, and then placed it in
the HTML on his Web site. The three students found that by
embedding a .lnk or .url tag in the HTML, a user can create an
alias which will open a program on the unsuspecting Web surfer's
desktop.

Says Morin, "Everyone is looking at Java and ActiveX, and not
looking closely enough at what happens when the browser is tied so
closely to the desktop." This bug is unrelated to ActiveX.

"There are plenty of programs that come with Windows that can do a
lot of damage," says Elliott. For example, a link could be created
that might automatically open the format utility that MSIE stores
in the Command folder. This could potentially erase the Web
surfer's hard disk. "And that's only one of the many things that
might strike terror in the hearts of PC users," says Paul.

Further, the three students found that IE's cache folder stores
files not in the folder itself, but in a subdirectory. Unlike
Netscape, which scrambles the file names in the cache folder, IE
stores the files, names intact, in a hidden subdirectory.

"We assume Microsoft suspected this might be a security risk,"
says Elliott, "otherwise why would they have created a hidden
folder." With access to the cache subdirectory, a malicious user
could make use of the shortcut bug to place any file on the
unsuspecting surfer's hard disk.

But the bug, and Microsoft's ambivalent response to the student's
email, haven't soured these PC users. "Nobody is handling security
on the Internet very well," says Elliott. "We don't know how to
connect 6 million computers with high security. The Web hasn't had
the 20 years Unix has had [to develop security], and even Unix
isn't secure."

Elliott told Wired News of spending the morning thinking of ways
to use this bug as a browser virus. "But we're bored of that," he
explains. "The sad thing is, this could really be a great
feature," says Greene. "It could be used to help fix things on
your desktop."


Copyright 1993-97 Wired Ventures, Inc. and affiliated companies.
All rights reserved.

© 1997 Peter Langston