All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.
Yet another Microsoft Windows security hole that works around the company's patch for a past exploit has been made public today. The bug makes it possible to execute arbitrary software code on a networked machine that uses Internet Explorer.
"We are going to produce a patch that should be up within a week," said Microsoft's David Fester, group product manager for Internet Explorer. "We'll put up that patch as quick as we can."
Until it arrives, there is no workaround other than not using Internet Explorer. However, Microsoft has received no reports of abuse, and the bug itself is not easily exploited by would-be crackers.
Fester confirmed that the bug is a variation of November's res:// bug, which was discovered by DilDog, an associate of l0pht Heavy Industries, a Boston-area hacker collective. For the second time in a week, a software patch for the bug was quickly issued by Microsoft, but apparently did not fix the entire class of bug - only that one particular instance of it.
"This was sort of a natural extension of [the res:// bug]," said DilDog. "It's a problem where they only fixed one little instance of the bug, instead of taking a look to see where else it could be applied. You could probably wipe out all bugs of this type pretty easily with a few checks, but apparently this is not being done," he said.
The bug operates on Microsoft's mk:// protocol, a scheme similar to the res:// protocol, which is used internally by programs to extract information from compressed files. The bug works by adding extra characters to the system call, which then gets executed as program code.
"You can stuff a bunch of characters into it, overrun the buffer, and anything that goes past it can get executed," said Fester.
Fester said that the bug affects users of Windows 95 and Windows NT running Internet Explorer 4.0 or 4.01, and Internet Explorer 3.02 users who have Visual Studio installed.
"There's no reason for panic about it, but there is reason for people to start watching the Internet Explorer security page," said DilDog.
Fester agrees that it is not an easily exploited bug, but that the company is taking it seriously. "[An attacker] would have to work at it," he said. "Any potential security risk is serious. In relation to who is affected by it, it's lower. But it's a security risk, therefore it's serious."
