http://abcnews.go.com/sections/tech/DailyNews/iehole990315.html

New Web Browser Feature May Put Private Info At Risk

Internet Explorer 5.0 users might be vulnerable to
hackers if they enter credit cards and other
information using the browser's AutoComplete
feature. (A.Shepherd/ABCNEWS.com)

By Michael J. Martinez
March 15
A new feature in the latest edition of Microsoft's Internet Explorer Web browser 
could make personal information available to other people accessing your computer, 
either in person or online.

Security experts say the "AutoComplete" feature in Internet Explorer 5.0, which 
records the information a user types into online forms (such as an e-commerce 
order form or a contest entry) and fills it in again later, could be read back by 
an attacker who gains control of the machine as its logged-in user.

"If someone does indeed gain remote access to your computer, you might indeed run 
into a vulnerability there," acknowledges Mike Nichols, program manager for 
Internet Explorer at Microsoft. 

Nichols stresses, however, that no such attacks on IE 5.0 have been documented. 
The AutoComplete feature can be disabled by the user.
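For readers who want to turn the feature off without clicking through the dialog on every machine, the following registry file does it. This is an added example, not part of the ABC News article and not Microsoft documentation. In IE 5.0 the same switches are under Tools > Internet Options > Content > AutoComplete. The value names below are the ones IE reads for the "Forms" and "User names and passwords on forms" checkboxes; they are assumed here, so confirm after import that those boxes show as unchecked. Importing the file stops IE from saving new entries but does not delete entries already saved; use the Clear Forms and Clear Passwords buttons in that dialog for those.

```reg
REGEDIT4

; Added example: disable Internet Explorer 5.0 AutoComplete for form fields
; and for saved user names / passwords, for the current Windows user only.
; Import with:  regedit /s ie5-autocomplete-off.reg   (the file name is arbitrary)
; Assumed value names; IE stores these switches as the strings "yes" / "no".

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="no"
"FormSuggest Passwords"="no"
"FormSuggest PW Ask"="no"
```

The REGEDIT4 header is the one Windows 95, 98 and NT 4.0 accept (later versions of regedit read it as well). Because the keys are under HKEY_CURRENT_USER, each Windows account on a shared machine needs its own import.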

Convenience vs. Security
The new feature in IE5, which will be formally launched Thursday, extends the 
AutoComplete feature of past browsers. In previous versions of IE, AutoComplete 
only completed Web addresses: typing the first few letters of a previously visited 
URL brought up the entire address. IE5 extends the same behaviour to the fields of 
online forms. 

So, for example, if a user buys a book at an online bookstore, entering the first 
few letters of his or her name prompts the browser to fill in the complete name. The 
same goes for other information, including passwords, phone numbers and credit 
card numbers. A site can opt individual fields out of this: IE 5.0 honours an 
AUTOCOMPLETE="off" attribute on a form field, which is what a merchant should set on 
a credit-card or password field.

Such information is encrypted and stored in the Windows Protected Store, the 
Protected Storage service that is part of the Windows operating system. Each user 
on a workstation or personal computer has his or her own encrypted storage area, 
tied to that user's Windows logon password. That protects the data from someone who 
is not logged in; it does not protect it from a program running under the logged-in 
user's own account, because the store decrypts the data for any program that user 
runs.

"This is a secure environment," Nichols says. "If you're not logged in, nobody 
can access it."

Breaking and Entering
Remote access is another matter. There are a number of so-called "exploits", 
downloadable programs that serve as hacking tools, that let a remote user control 
a computer as if he were sitting at it, logged in. One of the best known is the 
backdoor "Back Orifice", released by the hacker group Cult of the Dead Cow in the 
summer of 1998; it is one of many such tools, and they take a variety of forms.

"If the user can type a few characters and have the rest filled in for him, a 
program can be written to simulate a user doing the same thing," says DilDog, a 
hacker with L0pht Heavy Industries, a hacking and security consulting group in 
Boston. "It's a useful little widget, but it suffers greatly if it is used to 
store sensitive information."

DilDog, who discovered and publicized a number of security flaws in IE4, says 
the AutoComplete issue would probably be the least of a user's worries if 
someone gains remote access to that user's computer. Nevertheless, he calls it a 
"bad idea" to access sensitive information through the browser.

Protecting Yourself
Users who feel their computers might still be vulnerable are often encouraged 
to keep personal information - financial files, correspondence, etc. - on a 
floppy disk to avoid having someone rifle through them. 

With AutoComplete, however, the browser itself becomes one more place a remote 
intruder can look for such information. 

"This could very well be a new problem," says Peter Tippett, president of 
ICSA, Inc., a computer security consulting business. "When someone accesses your 
computer without you knowing it, a lot of things could go wrong." 

Safe Computing Practices

Use anti-virus software and a password-protected screen saver.
Don't open programs (usually with .exe extensions) sent via e-mail from unknown sources.
Don't download anything from unfamiliar Web sites.
Make sure to update your software with security patches. Those are commonly available online through the software vendor.