Gopher Hole Found in Microsoft IE

A Finnish computer security company said it uncovered a security flaw in
Microsoft Corp.’s Internet Explorer browser that could
allow an attacker to take control of a user’s computer.

According to a security advisory posted by Online Solutions Oy, IE is
vulnerable to attack through its built-in gopher client. The
attacker could exploit a buffer overflow bug to run arbitrary code on
various IE versions, including 5.5 and 6.0. The attack could then be
launched through a Web page or an HTML mail message, redirecting a user to a
malicious gopher server.

At that point, according to the advisory, “the exploiter could do anything
that a regular user could do on the system: retrieve, install, or remove
files, upload and run programs, etc.”

A Microsoft spokesperson said the company was investigating the report but would not comment on specifics.

“At this point in the investigation we feel strongly that speculating on the issue while the investigation is in progress would be irresponsible and counterproductive to our goal of protecting our customers’ information,” the spokesperson said. “Microsoft is moving forward on the investigation with all due speed and, when it is completed, we will take the action that best serves Microsoft’s customers.”

Online Solutions said it contacted Microsoft about the flaw on May 20. The Microsoft spokesperson took issue with Online Solutions’ decision to publicize the flaw.

“Publishing the report may put computer users at risk — or at the very least could cause needless confusion and apprehension,” the spokesperson said. “Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk.”

The easiest way to work around the flaw, the advisory stated, is to disable
the gopher protocol, which is unlikely to affect a user since few gopher
servers are still in existence.

The full advisory, including instructions for disabling gopher, can be found
here.

Microsoft has had its share of security headaches. Notably, the software
giant’s Windows XP operating system, billed as the most secure it ever
produced, had a serious flaw that left it open to a potential malicious
attack. The company issued a patch in December 2001 for all XP users. In
April, another computer security firm warned that Microsoft’s Office Web
Components HTML tool kit was vulnerable to attack.
