http://abcnews.go.com/sections/tech/DailyNews/iehole990315.html
New Web Browser Feature May
Put Private Info At Risk
Internet Explorer 5.0 users might be vulnerable to
hackers if they enter credit cards and other
information using the browser's AutoComplete
feature. (A.Shepherd/ABCNEWS.com)
By Michael J. Martinez
March 15
A new feature in the latest edition of Microsoft's Internet Explorer Web browser
could make personal information available to other people accessing your computer,
either in person or online.
Security experts say the "AutoComplete" feature in Internet Explorer 5.0, which
records and reproduces the information a user enters into online forms (such as
an e-commerce order form or a contest entry), could potentially be accessed by
hackers posing as the computer's primary user.
"If someone does indeed gain remote access to your computer, you might indeed run
into a vulnerability there," acknowledges Mike Nichols, program manager for
Internet Explorer at Microsoft.
Nichols stresses, however, that no such attacks on IE 5.0 have been documented.
The AutoComplete feature can be disabled by the user.
Convenience vs. Security
The new feature in IE5, which will be formally launched Thursday, is an extension
of the AutoComplete feature from past browsers. In previous versions of IE, typing
out the first few letters of a previously accessed URL brings the entire address
up. This feature has been extended to online forms.
So, for example, if a user buys a book at an online bookstore, entering the first
few letters of his or her name prompts the browser to enter the complete name. The
same goes for other information, including passwords, phone numbers and credit
card numbers.
Such information is encrypted and stored in the Windows Protected Store, a file
that is part of the Windows operating system. Each user on a workstation or
personal computer has his or her own encrypted storage area, tied to his or her
password.
"This is a secure environment," Nichols says. "If you're not logged in, nobody
can access it."
Breaking and Entering
Remote access is another matter. There are a number of so-called "exploits" -
downloadable programs that serve as hacking tools - that allow remote users to
gain control of a computer as if the remote user was actually sitting at the
computer and logged in. The exploit called "Back Orifice," introduced by the
hacker group Cult of the Dead Cow last summer, is one of many different tools
that can take a variety of forms.
"If the user can type a few characters and have the rest filled in for him, a
program can be written to simulate a user doing the same thing," says DilDog, a
hacker with L0pht Heavy Industries, a hacking and security consulting group in
Boston. "It's a useful little widget, but it suffers greatly if it is used to
store sensitive information."
DilDog, who discovered and publicized a number of security flaws in IE4, says
the AutoComplete issue would probably be the least of a users' worries if
someone gains remote access to their computer. Nevertheless, he calls it a
"bad idea" to access sensitive information through the browser.
Protecting Yourself
Users who feel their computers might still be vulnerable are often encouraged
to keep personal information - financial files, correspondence, etc. - on a
floppy disk to avoid having someone rifle through them.
The AutoComplete hole could allow a remote hacker to check the browser for
sensitive information.
"This could very well be a new problem," says Peter Tippett, president of
ICSA, Inc., a computer security consulting business. "When someone accesses your
computer without you knowing it, a lot of things could go wrong."
Safe Computing Practices
Use anti-virus software and a screen saver.
Don't open programs (usually with .exe extensions) sent via e-mail from unknown
sources.
Don't download anything from unfamiliar Web sites.
Make sure to update your software with security patches. Those are commonly
available online through the software vendor.