Posted at 5:00 PM PT, Jan 14, 1998

Microsoft is working on a patch for a "buffer overrun" security bug in Internet Explorer, similar to one the company fixed last November, that allows malicious programmers to crash a remote system.

The bug is triggered by URLs that use the prefix MK, which are used for compressed HTML files that Internet Explorer extracts from a system and interprets. Since Internet Explorer can only read hyperlinks as long as 256 characters, the system-crashing URL must contain at least 257.

The flaw is a variation of the "RES" buffer overrun bug that was discovered last fall, which hinged on URLs with that prefix. That bug was considered unusual, and the new one is even more so because the malicious programmer would have to know details about the targeted machine.

The bug could affect users of Internet Explorer 4.x on Windows 95 or Windows NT 4.0. On those operating systems, Internet Explorer 3.x also is vulnerable if the user is using the InfoViewer included with Visual Studio, said Internet Explorer product manager Dave Fester.

The problem was discovered by a programmer who goes by the name DilDog and works for L0pht Heavy Industries, and who also discovered the RES bug.

"They created a fix for the RES bug [in November], but they didn't put in a global fix that could have fixed all bugs of that nature," DilDog said.

Microsoft should make a fix available within a week, Fester said.

"We are looking into how to prepare a fix that handles any of those types of protocols to make sure that all users are covered," Fester said.

Microsoft Corp., in Redmond, Wash., is at http://www.microsoft.com/. L0pht Heavy Industries, in Boston, is at http://l0pht.com/.