Install

Get the latest updates as we post them — right on your browser

. Last Updated: 07/27/2016

Big Firms Battle Web Browser Bug




SAN FRANCISCO -- Three giants of the computer industry - Microsoft, Hewlett-Packard and Compaq Computer have found themselves scrambling to address a rash of serious security vulnerabilities in software designed to interact with Microsoft's Internet Explorer web browser.


The flaws, first made public last week, are particularly insidious because they allow intruders to plant malicious programs on a computer merely by sending an e-mail message or by luring a victim to a malicious web page that automatically plants a file on the visitor's hard drive.


In either case, the victim would receive no warning of a potential security violation, because the flaws enable intruders to bypass the security controls of Internet Explorer and pass undetected throughtraps set by anti-virus software.


Tom Noonan, president of Internet Security Systems in Atlanta, said Monday that several of his client corporations had expressed concern that "now that this information is in the wild, their systems are exposed.''


"They worry that they are building their network on top of a vulnerable system,'' he said.


Unlike the Melissa virus or the Explore.exe worm, programs that exploit these newly discovered security bugs do not require that the victim take any action; rather, such programs can be activated if a user merely reads a malicious piece of e-mail while online.


As of Monday evening, there had been no reports of intruders having exploited the flaws.


Currently, if Internet Explorer encounters online documents created by one of the Microsoft Office suite of programs - Word, Excel or Powerpoint - it assumes that they are "safe'' and loads them on the user's computer without warning.


The problem is that these are very powerful documents capable of launching executable code. Microsoft said future operating systems would not trust such documents.


Andrew Dixon, the Microsoft Office product manager, said the company was developing an applet, or small Java program, that would issue a warning before opening Office documents.


The immediate problem with Office is that Word or Excel documents can relay arbitrary commands to a computer through a flawed database component that was shipped with all but the last boxes of Office 97.


The Office team worked over the weekend to develop and test a solution to this, Dixon said. But by Monday evening they still did not feel confident enough to release a patch for the problem to the 50 million registered users of Office 97. When a patch is available, it will be posted on the World Wide Web at http://officeupdate.microsoft.com/ Articles/MDACtyp.htm


In addition to the Office flaws, security holes were found last week in software shipped with Hewlett-Packard's Pavilion models and Compaq's Presarios. Both models were designed to offer customers remote support via the Internet, using Microsoft's browser.


Hewlett-Packard planned to have a patch available soon, said a company spokesman, Ray Aldrich. He said the fix would be posted on the web at http://www.hp.com/support/hppavilion.html


Hedy Baker, the public relations manager for Compaq's consumer product division, said the company planned to issue an advisory to Compaq support centers and expected to send out a software update to owners of the affected Presarios by the end of next week.