Hacker Reveals Serious Security Hole in IE4

by Brian McWilliams, PC World News Radio
November 12, 1997

Last night Microsoft posted a patch to a serious security bug in Internet Explorer 4.

The patch for the Buffer Overrun bug closes a hole discovered by a Massachusetts college student and hacker who goes by the online handle of DilDog.

He found that he could launch a serious attack on a Windows 95 PC running IE4 by feeding it a long URL with the res:// prefix. A URL of more than 265 characters overran a fixed-size buffer in IE4's HTML interpreter and crashed it, the classic buffer overflow.

DilDog told News Radio today that executable binary code can be added to the end of that long URL, and Windows 95 obediently runs the executable after IE4's HTML engine crashes, producing a severe browser-based security threat to Windows 95 users.
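As an added example, not code from the article or from DilDog's demo, here is a C model of the overrun pattern described above and of the length check that closes it. The 265-byte figure is the article's; the frame layout (a URL buffer sitting directly in front of a saved return address), the sample res:// URLs and the return-address values are assumptions made for illustration, not IE4's real layout. The model copies into a plain byte array so that the overwrite is defined C rather than a real crash, but the effect it shows is the real one: bytes past the 265th land on the slot that decides where execution goes next.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the overrun: a 265-byte URL buffer (the article's figure)
 * followed immediately by the saved return address. Illustrative only. */
#define URL_BUF_SIZE 265
#define RET_SLOT_SIZE 4
#define FRAME_SIZE (URL_BUF_SIZE + RET_SLOT_SIZE)

#define RET_CLEAN    0x11111111u  /* where the handler would normally return */
#define RET_ATTACKER 0x41414141u  /* value an attacker plants past the buffer */

/* Little-endian helpers so the model behaves the same on every host. */
static void store_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v);       p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Builds a constructed over-long URL: "res://" padded with 'A' to 265 bytes,
 * then the 4-byte value meant to land on the return slot.
 * Returns the payload length (269) or 0 if the output buffer is too small. */
size_t build_overlong_res_url(unsigned char *out, size_t outsz, uint32_t ret) {
    const char prefix[] = "res://";
    size_t plen = sizeof prefix - 1;
    if (outsz < FRAME_SIZE) return 0;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', URL_BUF_SIZE - plen);
    store_le32(out + URL_BUF_SIZE, ret);
    return FRAME_SIZE;
}

/* Vulnerable pattern: the URL is copied with no check against the 265-byte
 * buffer. The copy is capped at the whole frame only so this model stays
 * defined C; bytes 266..269 still overwrite the return slot.
 * Returns whatever now sits in the return slot. */
uint32_t handle_res_url_unchecked(const unsigned char *url, size_t len) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    store_le32(frame + URL_BUF_SIZE, RET_CLEAN);
    size_t n = len < sizeof frame ? len : sizeof frame;
    memcpy(frame, url, n);               /* no URL_BUF_SIZE check: the bug */
    return load_le32(frame + URL_BUF_SIZE);
}

/* Hardened pattern: check the length before copying. The URL must fit with
 * its terminating NUL, so the limit is URL_BUF_SIZE - 1. Returns 0 when the
 * URL is accepted, -1 when it is refused; *ret reports the return slot. */
int handle_res_url_checked(const unsigned char *url, size_t len, uint32_t *ret) {
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    store_le32(frame + URL_BUF_SIZE, RET_CLEAN);
    *ret = RET_CLEAN;
    if (len > URL_BUF_SIZE - 1) return -1;   /* would overrun: refuse it */
    memcpy(frame, url, len);
    frame[len] = '\0';
    *ret = load_le32(frame + URL_BUF_SIZE);
    return 0;
}

/* Scenario wrappers, each reduced to one return value. */
uint32_t demo_unchecked_return_slot(void) {
    unsigned char url[FRAME_SIZE];
    size_t len = build_overlong_res_url(url, sizeof url, RET_ATTACKER);
    return len ? handle_res_url_unchecked(url, len) : 0;
}

/* 1 if the hardened handler refuses the over-long URL and leaves the
 * return slot untouched, else 0. */
int demo_checked_rejects_overlong(void) {
    unsigned char url[FRAME_SIZE];
    uint32_t ret = 0;
    size_t len = build_overlong_res_url(url, sizeof url, RET_ATTACKER);
    return handle_res_url_checked(url, len, &ret) == -1 && ret == RET_CLEAN;
}

/* 1 if a normal-length res:// URL (constructed sample) is accepted cleanly. */
int demo_checked_accepts_short(void) {
    static const unsigned char url[] = "res://example.dll/page.htm";
    uint32_t ret = 0;
    return handle_res_url_checked(url, sizeof url - 1, &ret) == 0 && ret == RET_CLEAN;
}

int main(void) {
    printf("unchecked handler return slot: 0x%08x (attacker value 0x%08x)\n",
           demo_unchecked_return_slot(), RET_ATTACKER);
    printf("checked handler refuses over-long URL: %d\n", demo_checked_rejects_overlong());
    printf("checked handler accepts short URL:     %d\n", demo_checked_accepts_short());
    return 0;
}
```

The fix Microsoft shipped is not on the page, but the shape of the defect and of the check is what DilDog's Unix-programmer remark below points at: a bounded copy, or a length check before the copy, is all that separates the two handlers.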

"It's not just the Web browser that's affected," DilDog says. "It's also the newsreader and the e-mail reader."

To prove his discovery, DilDog posted a demo at a Web site maintained by a group of hackers called the L0pht, although he says he's not a member of the group. The demo, which only works for IE4 users running Windows 95 version A, adds an innocuous line to the victim's autoexec.bat file. But DilDog says the exploit could be used for much more harmful purposes.

"I'm almost certain that there are people out there who, upon getting wind of this, sat down and wrote out something nasty for it. There are people out there who go looking for these kinds of bugs to build malicious versions of them--for whatever lame intent."

Microsoft product manager Dave Fester said the company moved quickly to fix the flaw, posting the patch less than 24 hours after it learned of the bug.

Fester said Microsoft didn't submit the patch to DilDog for testing because the company couldn't reach him, but DilDog today told News Radio that the patch appears to effectively close the hole. He's just surprised that Microsoft didn't catch it six months ago.

"This is the kind of bug a Unix programmer who's dealt with security would [catch] immediately," DilDog says. "I've played with this since it was in beta. Preview Release 1 had this bug and it went through [Microsoft's] 10,000-person beta test and nobody found it for six months. That's absolutely inexcusable."

Fester says the company always welcomes feedback on the security of its products, and points out that DilDog did not contact Microsoft directly at any time to report the buffer overrun bug.


Copyright © 1998 PC World Communications. All Rights Reserved. Use of this service is subject to the PC World Online Terms of Service Agreement.