Junior Finds Security Flaw In Microsoft Internet ExplorerBy Stuart Jackson
Christien R. Rioux '98, a junior majoring in computer science, discovered a bug in Microsoft's Internet Explorer World Wide Web browser Friday, the third major flaw in the program found that week.
Rioux made the discovery Friday morning, following the announcement of similar problems last Monday by students at Worchester Polytechnic Institute and Thursday by students at the University of Maryland.
The flaw "allows a malicious Web page to automatically run any program on the user's hard drive, which means that users of Internet Explorer could have their hard drives completely deleted, merely by looking at a Web page," Rioux said.
The bug was "pretty serious ... it can't get much worse," Rioux said.
This bug is of a "similar genre to the WPI bug," Rioux said. It exploits a feature of Internet Explorer that allows users to change Internet service providers easily, he said.
This feature uses scripts that are parsed by the "Internet Wizard," a Windows 95 program that helps configure Internet settings. These scripts have "undocumented options to execute programs" and can do "anything imaginable you can execute from a DOSprompt," Rioux said.
To correct the security flaws, Microsoft posted a patch on its Web page that, when installed, causes Internet Explorer to prompt the user before running scripts.
Rioux has also posted a third-party bug fix on his Web site, located at http://web.mit.edu/crioux/ www/ie/index.html.
Bug the result of poor design
When the WPI group announced the first flaw, Rioux realized that Internet Explorer had the potential for other problems because of its size and wide-ranging capabilities, he said. "Internet Explorer is quickly turning into an [operating system]."
The WPI bug "was one instance of a particular type of bug, and Microsoft seemed only to patch that particular instance," Rioux said. "If I found it in half an hour, I'm sure that someone else would have and not done the right thing with it."
He said, however, that "you can't expect to catch any more fish with" this bug after the publicity associated with it.
Rioux expressed dissatisfaction with Microsoft's "careless attitude" when releasing new software, citing problems in MIcrosoft Word, Excel, and Internet Explorer, he said. Microsoft should do a better job of figuring out how programs can be misused before releasing them, he said. "Sometimes I think that the people at Microsoft should take 6.033 [Computer Systems Engineering] again."
Since the discovery, Rioux's story has been reported by the Boston Globe, CNN, CNET, and other electronic media. "I might survive all of this [publicity], but I don't know if my inbox will."
Frank Dabek contributed to the reporting of this story.