A programmer in Singapore has uncovered a flaw in Microsoft Corp’s Internet security policy, with potentially disastrous results. The programmer, Tea Vui Huang, has shown how a downloadable program can alter registry settings, completely disabling Internet Explorer’s automatic security checks.

Internet Explorer has three security modes: ‘high’, ‘medium’, and ‘none’. The default mode is high security, in which the browser protects inexpert users by refusing to run ActiveX content that has not been digitally signed using Microsoft’s Authenticode technology. However, this refusal does not currently extend to downloadable programs – executable content that runs outside the browser’s control – of which people should rightly be suspicious. Huang’s program exploits this loophole to automatically alter the browser’s security setting from ‘high’ to ‘none’, removing all further protection for users unwary enough to run this one program.

The process is not entirely invisible to the user, but inexperienced Web users would be unlikely to detect anything unusual. Huang’s site, at http://www.scv.com.sg/~entea/security/reggap.htm, displays an innocuous icon offering to make the current page the user’s home page. If the user clicks on it, Internet Explorer first displays its standard security warning that the browser is about to download a potentially unsafe program – a warning often seen when downloading items such as plug-ins. If the user chooses to accept the program, there is no further warning that the security of the browser is about to be breached. A dialog box then gives a cryptic message informing the user that information from a program in the browser’s cache has been successfully entered into the registry – wording unlikely to alert an inexperienced user to any danger. No specific mention is made that the browser is then operating in a totally insecure mode; it is necessary to delve through several layers of menu options to discover the fact.
The process is not prevented by the latest security patch available from Microsoft’s Web site. Microsoft has yet to post a response on its security related Web site, http://www.microsoft.com/security.
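The dialog wording the article quotes ("has been successfully entered into the registry") is the message Windows' registry editor shows after importing a Registration Entries (.reg) file, so one defensive check is to inspect such a file for writes under Internet Explorer's configuration keys before it is ever imported. The following scanner is an added example written for this page; it is not code from the article or from Huang's site. It assumes the downloadable program is a .reg file, treats everything beneath the real `Internet Settings` key as sensitive, and uses a constructed sample in which the value name `ExampleSecurityLevel` is a placeholder, not the value the 1997 program actually changed.

```python
"""Flag writes to Internet Explorer's configuration keys in a .reg file.

Added example, not part of the original article. Assumes the downloaded
program is a Registration Entries (.reg) file; the sample below is
constructed and its "ExampleSecurityLevel" value is a placeholder.
"""
import re

# Anything under these prefixes (zones, security levels, proxy settings)
# should be reviewed by a person before the file is imported.
WATCHED_PREFIXES = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
)

HEADER_RE = re.compile(r"^(REGEDIT4|Windows Registry Editor Version 5\.00)\s*$", re.I)
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")          # [KEY] or [-KEY] (delete)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')  # "name"=data or @=data


def parse_reg(text):
    """Return (key, delete_key, name, data) tuples for every key and value line.

    name is None for a bare key line or the default value (@); data is the raw
    right-hand side, with hex(...) continuation lines joined.
    """
    entries = []
    current, delete = None, False
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or HEADER_RE.match(line):
            continue
        m = KEY_RE.match(line)
        if m:
            delete, current = (m.group(1) == "-"), m.group(2)
            entries.append((current, delete, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = None if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            # Binary data may continue over several lines ending in a backslash.
            while data.endswith("\\") and i < len(lines):
                data = data[:-1] + lines[i].strip()
                i += 1
            entries.append((current, delete, name, data))
    return entries


def normalise(key):
    """Expand the short hive names and lowercase for prefix comparison."""
    key = key.replace("HKCU\\", "HKEY_CURRENT_USER\\")
    key = key.replace("HKLM\\", "HKEY_LOCAL_MACHINE\\")
    return key.lower()


def find_sensitive_writes(text):
    """Return the parsed entries that touch a watched key prefix."""
    watched = tuple(p.lower() for p in WATCHED_PREFIXES)
    return [e for e in parse_reg(text) if normalise(e[0]).startswith(watched)]


# Constructed sample: sets the home page, as the icon on the page promises,
# and quietly also writes under Internet Settings.
SAMPLE_REG = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]
"Start Page"="http://example.invalid/"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ExampleSecurityLevel"=dword:00000000
"""

if __name__ == "__main__":
    for key, delete, name, data in find_sensitive_writes(SAMPLE_REG):
        what = "delete key" if delete else (f'"{name}"={data}' if name else "create key")
        print(f"REVIEW: [{key}] {what}")
```

Run against a downloaded .reg file instead of the sample, the scanner reports only entries that land under the watched keys, so a file that genuinely does nothing but set the home page produces no output.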