View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
March 24, 1997updated 05 Sep 2016 12:58pm

PROGRAMMER FINDS ANOTHER SECURITY FLAW IN EXPLORER

By CBR Staff Writer

A programmer in Singapore has uncovered a flaw in Microsoft Corp’s Internet security policy, with potentially disastrous results. The programmer, named Tea Vui Huang, has shown how a downloadable program can alter registry settings, completely disabling Internet Explorer’s automatic security checks. Internet Explorer has three security modes: ‘high’, ‘medium’, and ‘none’. The default mode is high security, in which the browser protects inexpert users by refusing to run ActiveX content that has not been digitally signed using Microsoft’s Authenticode technology. However, this refusal does not currently extend to downloadable programs – executable content that runs outside of the browser’s control – of which people should be rightly suspicious. Huang’s program exploits this loophole to automatically alter the browser’s security setting from ‘high’ to ‘none’, removing all further protection for users unwary enough to run this one program. The process is not entirely invisible to the user, but inexperienced Web users would be unlikely to detect anything unusual. Huang’s site, at https://www.scv.com. sg/~entea/security/reggap.htm, displays an innocuous icon offering to make the current page the user’s home page. If the user clicks on this item, Internet Explorer first displays its standard security warning saying that the browser is about to download a potentially unsafe program – a warning often seen when downloading items such as plug-ins. If the user chooses to accept the program there is no further warning that the security of the browser is about to be breached. A dialog box then gives a cryptic message informing the user that information from a program in the browser’s cache has been successfully entered into the registry – a wording unlikely to alert an inexperienced user to any danger. No specific mention is made that the browser is then operating in a totally insecure mode. It’s necessary to delve through several layers of menu options to discover the fact. The process is not prevented by the latest security patch available from Microsoft’s Web site. Microsoft has yet to post a response on its security related Web site, https://www.microsoft.com/security.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU