Microsoft announced this morning that they are testing a patch for a security hole found in Internet Explorer 3.0 that allows a rogue hyperlink (.LNK) or URL (.URL) shortcut to launch applications on the user's machine from across the Internet. Security settings have absolutely no effect on the shortcuts, which are free to wreak havoc by starting apps, or create and remove directories.
Microsoft promises to provide a fix within 48 hours at: http://www.microsoft.com/ie/security/update.htm
They also mentioned that, despite the widespread use of Internet Explorer, no one has ever complained of this problem. The bug was found by Paul Greene, of Worcester Polytechnic Institute in Massachusetts. He has created a Web site that demonstrates the launching of the Windows calculator program and other feats that should be impossible.
"The ramification for IE is that any anti-Microsoft jerk can set up their Web site to be destructive to anyone using Internet Explorer and safe for all other browsers," Greene said. This security breach can only be caused by someone intending to do it; it will not happen by mistake.
Microsoft has come under increasing pressure lately as more and more security problems are discovered in their products. Last month, for example, German hackers demonstrated how ActiveX controls could gain illegal access to bank accounts. The shortcut bug in IE 3 is not related to ActiveX, it should be noted, and does not affect Netscape Navigator users.
Want more information?
Cybersnot Industries: Internet Explorer Bug