Microsoft Internet Explorer
Microsoft is well known for its ability to create attractive, eye-pleasing applications. Moreover, such products are designed for easy use to allow even the most intimidated individual to grasp the basic concepts within a few hours. In this respect, Microsoft has evolved much in the same way as Apple Computer. Consider, for example, the incredible standardization of design that is imposed on products for use in the Microsoft environment. In the Microsoft world, menus must be at least somewhat consistent with general Windows design. Thus, almost any application designed for Microsoft Windows will have a list of menus that runs across the top of the program. Three menu choices that you will invariably see are File, Edit and Help (other menu choices that are still very popular but appear less frequently include View, Tools, Format, and so forth). In other words, if you know one Microsoft program, you know them all.
Microsoft has thus created its own standards in a market. Microsoft has revolutionized the PC computing world. Furthermore, because Microsoft products are so popular worldwide, programmers rush to complete applications for use on the Microsoft platform. Moreover, Microsoft has put much effort into application integration and interoperability. That means an Excel spreadsheet will drop into a Word document, an Access database will interface with a Visual Basic program, and so on. All Microsoft products work in an integrated fashion. Microsoft designed its products with components that meet certain criteria. Each of these applications contains building blocks that are recognizable by the remaining applications. Each can call its sister applications through a language that is common to them all. This system gives the user an enormous amount of power.
Unfortunately, however, it also makes for poor security.
Internet Explorer was designed with this interoperability in mind. For example, Internet Explorer was more integrated with the Windows operating system than, say, Netscape’s Navigator. Mr. Gates undoubtedly envisioned a browser that would bring the Internet to the user’s desktop in the same manner as it would a local application. In other words, Internet Explorer was designed to bring the Internet to the user in a form that is easy to understand, navigate, and control.
In a period of less than two weeks in early 1997, Internet Explorer was discovered to have three serious security bugs:
Students at a university in Maryland found that they could embed an icon on a Web page that would launch programs on the client user’s computer. Microsoft posted a public advisory on its WWW site. In it, the company explained: If a hacker took advantage of this security problem, you could see an icon or a graphic in a Web page, which is, in fact, within a regular Windows 95 folder of the Web site server or your computer. The hacker could shrink the frame around the icon or graphic so that you would think it was harmless, when in fact it allows you or anyone else to open, copy, or delete the file, or run a program that could, if the author has malicious intent, damage your computer. You can launch the program because the folder bypasses the Internet Explorer security mechanism.
Several sources determined that one could launch programs on the client’s machine by pointing to either a URL or an LNK file.
Folks at A.L. Digital, a London-based firm, determined that Microsoft’s Internet Explorer contained a bug that would allow a malicious Java applet to steal, corrupt, or otherwise alter files on the client’s machine.
Dirk Balfanz and Edward Felten of Princeton University wrote in August 1996: “We have discovered a security flaw in Microsoft’s Internet Explorer browser running under Windows 95. An attacker could exploit the flaw to run any DOS command on the machine of an Explorer user who visits the attacker’s page. For example, the attacker could read, modify, or delete the victim’s files, or insert a virus or backdoor entrance into the victim’s machine.”
The risk represented here is tremendous.
It is clear that, for the moment, Microsoft Internet Explorer is still cutting its teeth in terms of Internet security. What makes the problem especially serious is that only those users who are truly security aware receive such information as breaking news. The majority receive such information from third parties, long after holes have been discovered. This is of major concern because nearly all of the holes found in Internet Explorer have been Class A.