"Download Behavior" bug found in Internet Explorer 5.0! (9/29/99)
This question was answered on September 30, 1999. Much of the information contained herein may have changed since posting.
According to CNET (www.cnet.com), the latest security issue involves an IE 5 feature called "download behavior" that allows a Web page to download files for use in client-side scripting.
As a result of the problem, text files from the user's disk, or local Web server, may be read and then sent to an arbitrary server on the Internet, allowing the user's files to be "stolen," according to Bulgarian programmer Georgi Guninski, who has been credited with discovering numerous security holes in Microsoft and America Online's Web browsers.
"This vulnerability would chiefly affect workstations that are connected to the Internet," Microsoft said in a security alert released yesterday.
The company said it is working on a patch for the problem. "As an immediate measure, customers can prevent the download behavior function from operating by disabling Active Scripting," according to the security bulletin.
TO DISABLE ACTIVE SCRIPTING, do the following:
1. Click on the Tools menu, then on Internet Options, then click on the Security tab.
2. Select the Internet Zone, then click on the "Custom Level" button.
3. Under "Scripting", find the entry labeled "Active Scripting" and set it to "Disable."
4. Click OK twice to return to IE.
ARE THERE ANY DISADVANTAGES TO DISABLING ACTIVE SCRIPTING?
If you visit web sites that rely on Active Scripting, some of their features and functions may not be available. If you need Active Scripting in order to use a site that you trust, you may wish to consider adding the site to the Trusted Zone as follows:
1. In IE, select Tools | Internet Options, then click on the Security tab.
2. Select the Trusted Sites Zone, then click on the "Sites" button.
3. Type the URL (web address) of the site, then click on the "Add" button.
4. Click OK twice to return to IE.
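To confirm the settings above took effect on a machine, the following added example (not part of the original article or Microsoft's bulletin) reads the Active Scripting value for each security zone from the registry. It assumes a Windows system with PowerShell, that the setting is stored as URL action 1400 under the Internet Settings zone keys, and that the four locations are consulted in the order shown; the function name is hypothetical.

```powershell
# Added example: report the Active Scripting setting (URL action 1400) per IE security zone.
# Assumption: the first location that holds the value wins (policy keys before preferences).
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-ActiveScriptingSetting {   # hypothetical helper name
    param([Parameter(Mandatory)][int]$Zone)

    foreach ($root in $Roots) {
        $key  = Join-Path $root ([string]$Zone)
        $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.'1400'
            $state = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { "Unknown ($value)" }
            return [pscustomobject]@{
                Zone            = $ZoneNames[$Zone]
                ActiveScripting = $state
                Source          = $key
            }
        }
    }
    # No key holds the value: the browser falls back to the zone's built-in default.
    return [pscustomobject]@{
        Zone            = $ZoneNames[$Zone]
        ActiveScripting = 'Not set (zone default)'
        Source          = $null
    }
}

$report = foreach ($zone in 1..4) { Get-ActiveScriptingSetting -Zone $zone }
$report | Format-Table -AutoSize

# The workaround is in place only if the Internet zone reports Disable.
$internet = $report | Where-Object { $_.Zone -eq 'Internet' }
if ($internet.ActiveScripting -ne 'Disable') {
    Write-Warning "Active Scripting is not disabled in the Internet zone: $($internet.ActiveScripting)"
}
```

The Trusted sites row shows what still applies to any site added to that zone, so keep that list short.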
As soon as Microsoft posts a fix for this bug we will let you know!
About the author
Posted by Ken Colburn of Data Doctors on September 30, 1999