Just three weeks before the expected release of Internet Explorer 4.0, a new security hole has been discovered that allows malicious Web sites to corrupt files on the PC of the user visiting the site. The bug was discovered by Tim Macinta, CTO of a small company called Endware.
"A malicious page could overwrite, say, your autoexec.bat file, or any of your system files," he said. "You do need to know the name of the file for it to be overwritten, but system files are in a pretty standard place in almost every Windows box. So a malicious Web page could take out most users' \[important system\] files."
Macinta was able to take advantage of this problem using the DirectX interfaces for Java that Microsoft recently released. A demo of his Java program at the "Internet Explorer File Corruption Bug" page. He won't release any source code but claims the flaw in Microsoft's DirectX SDK should be obvious to other programmers.
Internet Explorer Product Manager Kevin Unangst clams that Microsoft had already discovered the hole in DirectX during a standard security audit of IE 4 earlier this month. He says the final version of the browser, due September 30, won't be susceptible to this problem.
"We take it seriously, but it only happens with the beta \[version\]," Unangst says. "We were already aware of the problem and it was a very specific set of circumstances to take advantage of it. Since it's already been fixed, we want to reassure users that when they download the IE4 product on the 30th, it will contain this updated DirectX component that fixes and blocks that hole."
Unangst also takes offense to claims from Macinta that Microsoft's Windows extensions to Java are designed to splinter Java.
"This has nothing to do with any kind of splintering of Java," Unangst retorted. "We support, and have been supporters of, the existing Java models and Java far beyond what I think anyone expects. The functionality that our Java implementation will offer is what makes Java attractive to developers on Windows.