Gopher gaffe leaves PCs vulnerable

New IE gopher flaw enables remote PC attacks

A security flaw within Internet Explorer 5.5 and 6.0 could give remote users access to your PC, according to Finnish security company Oy Online Solutions.

The attack exploits IE's built-in gopher client. Gopher is a nearly obsolete protocol for accessing remote directories and files and has been largely superseded by the web and HTTP (hypertext transfer protocol).

The code in IE that parses gopher replies contains an exploitable buffer overflow bug. A malicious server may use it to run arbitrary code on an IE user's system.

The attack can be launched via a web page or an HTML (hypertext markup language) email which, when viewed, redirects the user to a malicious gopher server. This would allow the remote user to do anything the authorised user can do on the system — retrieve, install or remove files, upload and run programs.

IE users can protect themselves from the flaw by disabling the gopher protocol and, since few gopher servers still exist on the internet today, this is unlikely to cause operational problems.

Oy Online Solutions said it informed Microsoft of the vulnerability on May 20. Microsoft has indicated it is working on a patch but, as we write, the latest security update was added on 15 May.

Until a patch is released, the company suggests a simple workaround: define a non-functional gopher proxy in IE's Internet Options, which disables the processing and displaying of gopher pages.

Users should select Tools, Internet Options, Connections, then click on LAN Settings and check 'Use a proxy server for your LAN'. Next, click Advanced, the area where proxy servers can be defined for different protocols, go to the Gopher text field and enter 'localhost', then enter '1' in the port text field.

This will stop Internet Explorer from fetching any gopher documents.
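
The check below is an added example, not part of the original article or of Oy Online Solutions' advice: it audits whether a stored IE proxy configuration implements the workaround above. It assumes the settings come from the ProxyEnable and ProxyServer values IE keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and the sample strings are constructed.

```python
"""Audit IE proxy settings for the gopher dead-proxy workaround (added example)."""

LOOPBACK = {"localhost", "127.0.0.1"}

def parse_proxy_server(value):
    """Split a ProxyServer string into {scheme: (host, port)}.

    A bare "host:port" applies to every protocol and is stored under "*".
    """
    proxies = {}
    for entry in value.replace(" ", ";").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, sep, target = entry.partition("=")
        if not sep:                          # no "scheme=" prefix
            scheme, target = "*", entry
        target = target.split("://", 1)[-1]  # drop an optional "http://" prefix
        host, _, port = target.rpartition(":")
        if not host:                         # entry had no port
            host, port = target, ""
        proxies[scheme.lower()] = (host.lower(), port)
    return proxies

def gopher_status(proxy_enable, proxy_server):
    """Classify a configuration as mitigated, exposed or needing review."""
    if not proxy_enable:
        return "exposed: proxy use is switched off, gopher is fetched directly"
    proxies = parse_proxy_server(proxy_server)
    if "gopher" in proxies:
        host, port = proxies["gopher"]
        if host in LOOPBACK and port == "1":
            return "mitigated: gopher is sent to the dead proxy"
        return "review: gopher is sent to %s:%s" % (host, port)
    if "*" in proxies:
        return "review: gopher shares the general proxy"
    # Assumption: a protocol with no proxy entry is fetched directly.
    return "exposed: no gopher proxy is defined"

# Constructed sample settings: (ProxyEnable, ProxyServer)
SAMPLES = [
    (1, "gopher=localhost:1"),
    (1, "http=proxy.example:8080;gopher=localhost:1"),
    (0, "gopher=localhost:1"),
    (1, "proxy.example:8080"),
    (1, "http=proxy.example:8080"),
]

if __name__ == "__main__":
    for enable, server in SAMPLES:
        print("%d %-45s %s" % (enable, server, gopher_status(enable, server)))
```

The third sample shows the case most easily missed: the gopher entry is present but has no effect because 'Use a proxy server for your LAN' is unchecked.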
