COMMAND
Internet Explorer
SYSTEMS AFFECTED
Win '95, NT
PROBLEM
This info is based on the following document:
http://www.news.com/News/Item/0,4,10487,00.html?nd
The latest security bug discovered in IE affects users of Internet
Explorer 3.x. Also affected are users of the platform preview
release of Explorer 4.0 who also have PowerPoint, Microsoft's
presentation software, loaded onto their computers. The glitch
could allow a malicious Web site to execute any program on a
user's computer without permission, including deleting files and
uploading private information. Credit goes to Andrew Smith.
The latest security glitch adds a new twist since it is caused by
the integration of Explorer and PowerPoint, part of Microsoft's
extremely popular Office 95 and 97 application suites. The glitch
involves a PowerPoint feature called action settings that is
innocuous when used on a standalone PC. Using action settings,
creators of presentations can cause PowerPoint to launch any
executable program by clicking on or passing the cursor over any
image or text.
On the Internet, though, the feature could be exploited by a
hacker to trigger a variety of malicious actions, such as
launching an FTP client to upload private documents to a Web
site. When an Explorer user clicks a hyperlink on a Web site to
a PowerPoint presentation, PowerPoint is automatically launched
from their computer, displaying the presentation within the frame
of their browser.
Because the presentation does not contain any executable code
itself but instead points to executables already on the user's
computer, the user does not receive any warning before downloading
the program.
SOLUTION
A fix for this can be obtained from Microsoft's site. Microsoft's fix
warns users about potential security risks before they download
a PowerPoint presentation.