RealTime IT News

Gopher Hole Found in Microsoft IE

A Finnish computer security company said it uncovered a security flaw in Microsoft Corp.'s Internet Explorer browser that could allow an attacker to take control of a user's computer.

According to a security advisory posted by Online Solutions Oy, IE is vulnerable to attack through its built-in gopher client. The attacker could exploit a buffer overflow bug to run arbitrary code on various IE versions, including 5.5 and 6.0. The attack could then be launched through a Web page or an HTML mail message, redirecting a user to a malicious gopher server.

At that point, according to the advisory, "the exploiter could do anything that a regular user could do on the system: retrieve, install, or remove files, upload and run programs, etc."

A Microsoft spokesperson said the company was investigating the report but would not comment on specifics.

"At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers' information," the spokesperson said. "Microsoft is moving forward on the investigation with all due speed and, when it is completed, we will take the action that best serves Microsoft's customers."

Online Solutions said it contacted Microsoft about the flaw on May 20. The Microsoft spokesperson took issue with Online Solutions' decision to publicize the flaw.

"Publishing the report may put computer users at risk -- or at the very least could cause needless confusion and apprehension," the spokesperson said. "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

The easiest way to work around the flaw, the advisory stated, is to disable the gopher protocol, which is unlikely to affect a user since few gopher servers are still in existence.

The full advisory, including instructions for disabling gopher, can be found here.

Microsoft has had its share of security headaches. Notably, the software giant's Windows XP operating system, billed as the most secure it ever produced, had a serious flaw that left it open to a potential malicious attack. The company issued a patch in December 2001 for all XP users. In April, another computer security firm warned that Microsoft's Office Web Components HTML tool kit was vulnerable to attack.