Web-user hit by computer virus may feel some chills up the spine Because of program flaws, crafty hackers can delete files on your hard drive

Your computer

March 16, 1997|By MIKE HIMOWITZ

IN LAST week's episode, I described my efforts to repel an attack by the Microsoft Word Concept virus, which was passed to me on an almost-new computer. This week, instead of sitting )) back and waiting for trouble to find me, I went out looking for it.

I discovered it on a World Wide Web page titled www.cybersnot.com, the work of three students at Worcester Polytechnic Institute whose discovery of a bug in Microsoft's Internet Explorer sent the world's biggest software company scrambling for cover and apologizing to 20 million or 30 million customers.

The first test came when I clicked on a cybersnot link and saw my Windows 95 calculator pop up on the screen.

Now this might not seem particularly heinous, but it's enough to send shivers up the spine of anyone who's worried about security on the Web. That's because I didn't launch my calculator program -- a Web page 400 miles away did it for me.

In technical terms, this is a big no-no.

Then I clicked on another link, which created a new directory called HaHaHa on my hard disk. A third link deleted the new directory. That link just as easily could have deleted something important on my disk.

But the lads who set it up weren't out to create mischief. They were demonstrating that life on the Web is fraught with peril.

The WPI students, along with hackers at the Massachusetts Institute of Technology and the University of Maryland, have so far identified three instances of what Microsoft calls "security issues" in its Web browser.

I'd call them holes -- holes big enough to drive a truck through.

A truck towing a Boeing 747.

The flaws allow mischievous Web page designers to create links that effectively launch programs on your computer or take actions that can delete files on your hard drive. The links can be so cleverly designed that you won't know what happened until it's too late.

They all take advantage of Microsoft's otherwise admirable desire to make its operating system and applications Web-friendly.

Unfortunately, it's a little too friendly.

Unlike viruses -- malicious programs that masquerade as part of your operating system or application software -- these Web links don't require much in the way of programming genius once you know the basic trick.

And now that the secret is out, more than a few nasty folks will undoubtedly be experimenting with the technique.

So, if you use Internet Explorer, your very next stop should be Microsoft's Web page, where you can download a temporary fix that will catch these bugs before they can bite.

The security flaws affect versions of Internet Explorer that run under the Windows 95 and Windows NT 4.0 operating systems. They don't affect Explorer versions designed for the older Windows 3.1 or NT 3.51 operating systems, or versions that run on Apple Macintosh computers.

Nor do they threaten Netscape Navigator and other non-Microsoft browsers, which ignore poisoned Web links or handle them as though they were files to be downloaded.

Even so, there are plenty of people at risk. Explorer is not only gaining rapidly on Netscape Navigator in the race for most popular Web browser, it's also the Web browser packaged with many new computers.

That's likely to make this little problem an object lesson in computer security.

For most users, security is based on the premise that your computer won't run any programs that you don't put there, and that the programs you do run will do no harm.

Viruses breach that security by sneaking into your computer -- usually through floppy disks but sometimes over networks -- and infecting your operating system or trusted programs.

Web browsers, once limited to displaying text and graphics and downloading files, have created an entirely new element of risk. That's because the latest versions actually allow programs to be downloaded from remote computers and run on your machine without your intervention.

Netscape Navigator was the first browser to take advantage of this technology through a programming language called Java, which creates most of the cute little animations you see on fancy Web pages. Those animations are actually mini-programs being run by your browser.

When you surf to a new Web page, you have no idea ahead of time whether it contains a Java program. If it does, the program runs automatically when the page is displayed on your computer.

Obviously, that's not very secure.

To deal with that issue, Java was deliberately crippled as a programming language. While it can entertain or annoy you with flashy graphics, process an order form and do all kinds of cool stuff, one of the things it's not supposed to be able to do is play games with your hard disk.

Most browsers also allow you to turn off Java reception completely, eliminating any threat that a well-intentioned but buggy Java script will accidentally crash your computer.

While hackers will undoubtedly do their best to penetrate Java as time goes by, the Internet Explorer problem poses a more serious threat in the short run because so many users are exposed to it.

If you're feeling adventurous, check out the cybersnot Web page to see what can happen. (The demonstrations are harmless). Then point your version of Explorer to http: //www.microsoft.com and download the latest fix.

That will keep you safe until the next wise guy comes up with something even nastier.

Pub Date: 3/16/97

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.