IE5 FLAW = HOSTILE TAKEOVERS

A hacker who has made something of a career finding and analyzing security flaws in Microsoft products has apparently found a big one: a flaw that, if someone so chooses, means anyone could take over your computer when you do nothing more complicated than land on a page while surfing the Internet.

At least, that's what Georgi Guninski may have found in Microsoft Internet Explorer 5. According to ZDNet News, a design flaw in the new Explorer means anyone with a Web page can take over your computer merely by way of a few simple lines of text within the HTML code comprising the page. All you have to do is visit that page to leave your system vulnerable.

And it gets worse, says ZDNet. The same IE5 design flaw apparently makes it possible to send the hostile HTML code in e-mail, since many e-mail programs - Microsoft's own Outlook Express, Eudora Lite, Eudora Pro, and others - use Internet Explorer 5 "behind the scenes," as ZDNet puts it, to show e-mail containing HTML code. That would make you vulnerable even if you're not explicitly using IE5 for Web surfing.

What Guninski discovered, says ZDNet, involves an ActiveX control, included with IE5, that creates small programs called scriptlets, which run on the user's machine while the user is viewing a Web site or e-mail message.

The kicker: ActiveX has free access to the user's file system. And, thus, it can be made to run wild rather easily, overwriting vital system files, or planting Trojan Horses such as Back Orifice or Back Orifice 2000 on the system - taking it over without major trouble.

ActiveX has been under near-consistent criticism as it is, with critics saying it lacks safeguards against malicious computer hackers. And, since Microsoft "has not posted a patch or even an advisory about the ActiveX scripting hole," says ZDNet, users themselves have to take their own steps for protection.

One is to run a different browser - Netscape Navigator, Opera, etc. The other is to disable ActiveX, since IE5 is wired so tightly into Windows that it could show up without warning or be brought up by various third-party programs.

How do you disable ActiveX, then? Says ZDNet:

Change the default security for the Active Desktop's Internet Zone from "medium" to "high".

Disable this option: "Script ActiveX controls marked safe for scripting."

Disable Internet Explorer's Active Scripting feature.

Disable all ActiveX controls and plugins.
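To confirm the four settings above actually took effect, the following added example (not from ZDNet or Microsoft) audits a registry export of the per-user Internet zone key. It assumes the standard Windows zone layout, where zone 3 is the Internet zone and URL actions 1200, 1405 and 1400 hold the ActiveX and scripting choices; the mapping of the article's steps to those IDs and the sample export are this example's own.

```python
import re

# URL action IDs under ...\Internet Settings\Zones\3 (3 = Internet zone).
# Mapping the article's four steps to these IDs is this example's assumption.
REQUIRED = {
    "1200": "Run ActiveX controls and plug-ins",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1400": "Active scripting",
}
DISABLED = 3          # action policy: 0 = enable, 1 = prompt, 3 = disable
HIGH_LEVEL = 0x12000  # CurrentLevel template value for "High"

ZONE3 = re.compile(r"^\[.*\\Internet Settings\\Zones\\3\]$", re.I)
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_zone3(reg_text):
    """Return {value_name: int} for the Internet zone key in a .reg export."""
    values, in_zone = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_zone = bool(ZONE3.match(line))
        elif in_zone:
            m = DWORD.match(line)
            if m:
                values[m.group(1)] = int(m.group(2), 16)
    return values

def audit(reg_text):
    """List findings; an empty list means all four steps are in place."""
    v = parse_zone3(reg_text)
    findings = []
    if v.get("CurrentLevel") != HIGH_LEVEL:
        findings.append("zone security level is not High")
    for action, label in REQUIRED.items():
        # A missing value is flagged: the export does not show it disabled.
        if v.get(action) != DISABLED:
            findings.append(f"{label} ({action}) is not disabled")
    return findings

# Constructed sample export (not from a real machine): Medium, scripting on.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000
"1200"=dword:00000000
"1400"=dword:00000000
"1405"=dword:00000003
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

The check covers only the per-user key in the export; machine-wide policy settings can override these values and are not examined here.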