New : Update 05-14-97

New : Update 04-05-97

New : Update 03-11-97

NEW : UpDate 03-05-97

This pertains to all of you who are using Microsofts Internet Explorer 3.0 as your Browser. If you are using Netscape,, you are not affected.

NOTE : From Bill Sanders,, I  believe that Microsoft Internet Explorer 3.1 has corrected this flaw with Version 3.1 . I believe that only version 3.0 is affected and that this mainly concerns the patch to correct 3.0 .

IF you are using Microsoft's Internet Explorer software, you should be aware of the problem described below, and obtain and apply the recommended patch. Note that Computing Services recommends and supports Netscape Navigator, not Internet Explorer, for Internet Web access. If you are using Netscapes Navigator rather than Microsoft's Internet Explorer, this problem need not concern you.

Windows 95/Internet Explorer 3.0 Security Alert

Two researchers at Princeton University have discovered a serious security flaw in Internet Explorer 3.0. Here's the text of their discovery.

"We have discovered a security flaw in version 3.0 of Microsoft's Internet Explorer browser running under Windows 95. An attacker could exploit the flaw to run any DOS command on the machine of an Explorer user who visits the attacker's page.

For example, the attacker could read, modify, or delete the victim's files, or insert a virus or a back door entrance into the victim's machine. We have verified our discovery by creating a Web page that deletes a file on the machine of any Explorer user who visits the page.

The problem was reported to Microsoft and a patch was recently released to solve the problem. You can find the patch at :

http://www.microsoft.com/msdownload/iepatch.htm

Thanks to Scott Moore for alerting all of us to this potential problem.

Computing Services

University of Michigan Business School

Update 5-597

MIcrosoft says it has a fix for its browser's security flaw

Copyright © 1997 Nando.net Copyright © 1997 The Associated Press

Microsoft's Internet site with information on the flaw

Student gives Microsoft a lesson in bug-catching

SEATTLE (Mar 5, 1997 02:31 a.m. EST) -- Microsoft Corp. said late Tuesday it has come up with a fix to a flaw in its Internet Explorer browser which could allow a Web site operator to secretly run programs or ruin files in someone else's personal computer.

A "software patch" to correct the problem is immediately available free to users at Microsoft's World Wide Web site, the company said.

"This update is an immediate response to ensure that Microsoft customers continue to have a safe Internet experience with Microsoft Internet Explorer," the company said in a news release.

Though Microsoft said it had no reports from customers of security breaches, company officials said the flaw was a serious problem because it potentially could allow an electronic attacker to bypass the browser's security system.

Microsoft, which made the problem public Monday after it was discovered late last week by a university student, immediately assigned a team of programmers to come up with a fix, said Paul Balle, a product manager for Microsoft's Internet Explorer team.

Balle said late Monday that Microsoft hoped to have a fix posted to the company's site on the World Wide Web within hours, but company officials later backed off that time frame. Programmers worked around the clock and came up with a fix Tuesday night that Internet Explorer users could download from the web site.

Internet Explorer is used by millions of people worldwide to access the Web. The program, which has been offered free by Microsoft, is the company's key Internet product and is designed to work with a wide variety of Microsoft's business and consumer software programs.

Microsoft estimates it has a 25 percent to 30 percent share of the browser market, behind Netscape Communications Corp.'s Navigator program.

Officials at Netscape, Microsoft's bitter rival, said their product did not have the security flaw.

Balle said the flaw is only found in Internet Explorer versions 3.0 and 3.01 for the Windows 95 and Windows NT 4.0 operating systems. It does not affect users of Internet Explorer 3.0 or 3.0a for Windows 3.1 or Internet Explorer for Apple Macintosh versions 2.1, 3.0 or 3.0a.

The flaw involves basic functions found within Microsoft's Windows operating systems.

When a PC user clicks on a hyperlink on a Web page, Balle explained, a Web page creator could have that link connect to a file known as a "shortcut" in Windows 95 and NT. Shortcuts are widely used to start computer programs or functions.

If the "webmaster" for the Web page can guess the precise location and code needed on the user's computer, shortcuts could surreptitiously select and start programs on the user's hard drive.

Someone could prevent another person's computer from starting up or send e-mail from another person's account, among other things, computer security expert Simson Garfinkel said.

Many widely available programs such as Windows 95 have standard locations or addresses where their components are stored on computers. Unless a PC user custom-installed or otherwise modified a program, the addresses could be simple to guess.

Although Microsoft responded quickly, the flaw demonstrates "that the industry itself has to pay more attention to security issues," said David Sobel, legal counsel at the Electronic Privacy Information Center in Washington, D.C.

"As we move more and more business, personal and financial information online, security problems are going to become a much bigger issue for the public at large," Sobel said.

Even with a quick fix from Microsoft, Garfinkel said eradicating the problem would still depend on all existing Internet Explorer users modifying or upgrading their software.

"The reason that it is so serious is that it is very easy to exploit this bug and the knowledge on how to exploit it has been widely disseminated to the public," he said.

The news didn't really affect Microsoft's stock, which closed down 37 1/2 cents at $99.12 1/2 a share Tuesday on the Nasdaq Stock Market.

Another bug found in Explorer By Michael Fitzgerald March 8, 1997 11:18 AM EST

For More Information and Patches Go To : Microsofts Security Page

Microsoft Corp. is in Redmond, Wash., not ancient Egypt, but a plague nonetheless seems to have descended upon its house. For the third time in a week, a bug was found in Microsoft's browser, Internet Explorer.

According the discovers of the bug, two students at the Massachusetts Institute of Technology, it's a serious variant of the so-called Cybersnot bug that Microsoft patched earlier this week. The bug plays off a script program that automatically executes a downloaded file, designed to help users sign up for Internet service.

But the script can also allow a hacker to erase the hard drive of Explorer users. According to the Web page put up by the students, any user with Internet Explorer and Windows 95 could set hard-drive eradication in motion simply by looking at a booby-trapped Web page.

The students put a fix for the hole on their page. Microsoft is expected to post a patch at its Web site by the end of Saturday, according to a report in the Boston Globe. The patch was not available at 11 a.m. EST.

All three of the bugs in Internet Explorer were found by university students.

.

Here is another MSIE Alert on an old Virus that is making the rounds again.

It is a European Variation but still working. April Update 04-05-97