On the eve of the release of its much-delayed Windows 2000, Microsoft issued a patch for a security vulnerability in the Internet browser that is bundled with the new operating system.
The bug, which Microsoft calls the Image Source Redirect vulnerability, makes it possible for a malicious Web site operator to read certain types of files on the computers of visitors using Internet Explorer (IE) Versions 4.0, 4.01, 5.0 and 5.01.
This means that the iteration of IE which is distributed with Windows 2000, Version 5, also is affected by the bug.
When a Web server sends a new page to an IE browser window which comes from a different domain to the one currently being viewed, IE checks the server's permissions on the new page. The vulnerability makes it possible for a Web server to open a browser window to a file stored on the IE user's computer, and then switch to a page in the server's domain, gaining access to the contents of the user's files in the process, Microsoft says.
Any data that can be seen is only accessible for a short period of time, and the Web site operator would need to know, or guess, the names and locations of files. The operator would also only be able to view file types that can be opened in a browser window, including .txt files, Microsoft says.
Microsoft also came under fire this week for a leaked internal memo claiming the operating system has over 63,000 bugs in it.
RELATED LINKS
More information about the vulnerability, including patches, can be found here.
See our Research page dedicated toWindows 2000
Early Windows 2000 users cite total cost of ownership benefits
Computerworld, 02/16/00.
Recent security exploits in Microsoft software
IDG News Service, 09/27/99.
Microsoft issues fixes for Win 2000 security holes
IDG News Service, 01/31/2000.
Talking about Windows 2000
PC World, 02/15/00.
Windows 2000 launch: Moment of truth arrives
InfoWorld, 02/14/00.
