We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Another security hole in Internet Explorer

Big Bill's baby besmirched by Bulgarian bug-hunter

Microsoft's web browser Internet Explorer has a security vulnerability that could let a malicious webmaster take over a person's PC, a security expert said Monday.

Georgi Guninski, a well-known Bulgarian bug-hunter, posted a security advisory on his website on Monday. Guninski ranks the problem as 'high risk'.

Malicious webmasters can exploit .chm files, a compressed help file, to execute arbitrary programs on a user's computer, Guninski said. The bug also allows viewing of temporary internet files stored on the user's hard drive.

Affected programs are Microsoft's Internet Explorer versions 5 and higher. Because Internet Explorer is integrated into Microsoft's email clients, Outlook and Outlook Express are also affected. Other versions may also be unsafe, but those have not been tested, Guninski said in his advisory.

Microsoft could not be immediately reached for comment. Until Microsoft has issued a patch for the problem users can protect their computer by disabling active scripting, a browser function that has repeatedly been associated with security issues.

Guninski said he reported a similar vulnerability to Microsoft "some time ago". The software was fixed by allowing .chm files to run programs only if the file was loaded from the local system. Guninski says this is no longer a limitation. He discovered a way webmasters could access temporary internet files on other users' machines. Internet Explorer saves pages in a folder called 'temporary internet files'.

"It is possible to find the temporary internet files folder," Guninski said.

Internet Explorer creates several of these folders on a PC using random names. With a special HTML document, a malevolent webmaster can reveal the name and location of a temporary internet files folder.

Once a folder name is known it is possible to cache a .chm file in any folder and execute it, Guninski said.


IDG UK Sites

iPad mini 3 vs iPad mini 2 comparison: New iPad mini 3 isn't worth £80 more

IDG UK Sites

Why you shouldn't buy the iPad mini 3: No wonder Apple gave it 10 seconds of stage time

IDG UK Sites

Halloween Photoshop tutorials: 13 masterclasses for horrifying art, designs and type

IDG UK Sites

Should I upgrade from Mavericks to OS X 10.10 Yosemite? What you need to know before updating to...