A rendering bug

Microsoft_s Internet Explorer 5 (IE5) browser got hit with another one-two punch of coding bugs this week, as reports surfaced of a bug that allows documents to be stolen even through a firewall, and of the altering of HTML tags by the browser_s rendering engine. Security Expert Georgi Guninski, who has posted numerous reports of bugs and security issues with several Microsoft products, is warning users of a bug that would allow malicious hackers to steal and read data off of an IE5 machine, even through a firewall. The attack would take the form of HTML JavaScript that would be activated when a user visits an Internet site or through other means. Once activated, the JavaScript would then begin downloading files not out to another computer, which would be detected by a firewall, but rather back to the computer itself. This one is a spoofing attack. It downloads a file, and it downloads it from your computer to your computer. Once it_s downloaded the file from itself to itself, that information is downloaded to any IP address," said Steve Anderson, vice president of marketing at BigFix, a bug fixing service in Berkeley, Calif., which is assisting Guninski in warning users. "It_s kind of like a submit button on an HTML. The reason it can get through the security is cause it_s downloading to itself. Which it really shouldn_t be able to do," Anderson said. Microsoft is aware of the bug and has issued an alert at www.microsoft.com/security/bulletins/MS99-040faq.asp, which recommends that users disable the active scripting aspect of IE if they so desire. "We_re recommending as a work-around that customers who are worried about this vulnerability disable active scripting, while we develop a patch for this," said Scott Culp, security product manager on the security response team at Microsoft. Culp also stressed that the bug will not allow hackers to steal or alter information; they will only be able to read it. "The only thing that a Web site can do with this is read selected files from a users machine if they know the name of the file," Culp said. BigFix_s Anderson, however, said Microsoft_s advice belies the importance of the bug. Microsoft is currently working on a patch for the problem. Also this week, BugNet and its parent company KeyLabs, in Lindon, Utah, have confirmed the existence of a rendering bug with IE5 that could impact web developers.