Yet Another Huge IE Security Bug

Thursday August 26th, 1999

IE's hit with another security bug, this one called worse than Melissa by the team that discovered it. The bug comes from security flaws in IE's Java Virtual Machine. If you open an email message with malicious Java code using Outlook, Outlook Express, or Eudora (which uses IE's MS's HTML rendering code), you're infected. The bug only affects Windows 98 users and some Windows 95 users. To read more on this new vulnerability, check out the article at Wired News.

As an interesting side note, Edward Felten, known best for his testimony in the Microsoft Antitrust trial, is on the team that discovered the bug.

#1 Felten RULES

by Kovu

Thursday August 26th, 1999 10:52 PM

He wrote a program that, in front of the court, removed IE from Win98 and replaced it with NS. I heard there was a 20% speed increase over IE, though that's not confirmable.

#2 Felten RULES

by Anon

Friday August 27th, 1999 2:22 PM

I don't know what Felten removing IE and replacing it with NS is supposed to prove though. Just because you "replace" Windows with WINE in Linux doesn't mean that Windows isn't an operating system.

#3 It Proves

by Anon

Friday August 27th, 1999 3:14 PM

It proves IE isn't intergrated into Windows adn that removing it will have not effect Windows one damn bit. Of course most of the help files have been rewritten to use IE. Be is similar in that regardds except its basically gear only for help files and basic web surfing. Be want Mozilla and Opera to replace Net+ for day to day surfing.

#4 help files

by arielb

Friday August 27th, 1999 4:38 PM

BeOS help files are in standard html format. That is not the case with MS which uses its own non-standard proprietary 'html' which only IE can view. If MS gets its way the whole web would use this format.

#5 Too true

by Tekhir

Friday August 27th, 1999 8:00 PM

I agree with you 100%. This also reminds me of Money 99 and Encarta. Both have Web Like interfaces, hell I could write a web page in mozilla that looks exactly like them, which are in MSHTML. Or the Word 2000 file formats which use MSXML. MS has helped develop XML and a little HTML you would think they could at least follow the stuff they help write.

Oh well, I think I'll though an online party when M11 is release seeing as its the first beta.

BTW I was the anon poster, keep forgetting to login

#6 I'm amuzed.

by Waldo

Monday August 30th, 1999 12:05 PM

Ok, this is days later from the announcement above, but msnbc's technology page contains the following headlines:

Hotmail Accounts Compromised IE5 Flaw leaves PCs Vulnerable

Gotta love MS W

#7 Okay, so how's Mozilla different?

by Anon

Monday August 30th, 1999 6:52 PM

Can someone explain what the Mozilla security model will be? Navigator had several holes of its own, either standalone or in conjunction with other software. Exactly how will Mozilla be different?

If half of the XPIDL and XPCOM promise comes true without a good and *robust* security model, you might as well just paste "Mozilla" where you see "IE" in these news articles - you'll see the same stories soon enough.

#8 It's because of ActiveX's horrid security model.

by Anon

Tuesday August 31st, 1999 10:07 AM

Why is this such a big surprise to everyone?

It is a well known fact that any object which exists on the client can be created with a snippet of 'set myobj = creatobject("msword.document")' in vb script. Then, to manipulate something like msword to create a plain-text document requires no though at all. I'm surprised this dumbass just found what he's calling a bug. This is a very obvious use of these tools.

The main complaint that he should have is that vb script has a horrible security model. It requires that the user know when a page is safe to allow the ActiveX controls on it to be run. This is utterly rediculous.

At any rate, I'm glad I found this because I was looking for an object that would let me execute a shell command from vbs. (didn't particularly want to write it myself)