Microsoft is warning users about a security hole in Internet Explorer that could be used to force the Web browser to automatically open HTML e-mail attachments, potentially enabling attacks in which malicious hackers could delete data from PCs or cause other types of damage.
In an advisory posted on its Web site recently, Microsoft said the flaw could allow an attacker to run a program that "would be capable of taking any action that the user himself could take on his machine, including adding, changing or deleting data, communicating with Web sites or reformatting the hard drive."
Microsoft also released a software patch that's supposed to plug the hole, which is known to affect Internet Explorer 5.01 and 5.5. The company said it's not sure whether other versions of the browser are also at risk, adding that earlier releases weren't tested because they're no longer supported.
The hole, which causes Internet Explorer to incorrectly handle some types of MIME headers included in messages, creates a potential danger if an attacker can convince a user to open an HTML e-mail whose executable attachment carries malicious code. It also could be exploited if a user visits a Web site controlled by the attacker, Microsoft said.
Russ Cooper, an analyst at security consulting firm TruSecure, said attackers would most likely try to make use of the hole through the latter route, by setting up a Web site that tempts users to inadvertently download a file or virus. "The message is, don't go and take free stuff off the Web," he said.
But the biggest fear is that code exploiting the security hole "gets incorporated into a virus or worm technology," Cooper added. Virus writers "are always looking for a new mechanism to create infections," he said.
One potential problem is there are so many patches and software updates being released that not all users have time to keep up with them, said Mylissa Tsai, an analyst at Aberdeen Group. It would be much better, Tsai added, if vendors such as Microsoft made more of an effort to catch security flaws before they release software. Security can be "an afterthought, which puts users at risk," she said.
In its advisory, Microsoft said the flaw in Internet Explorer - which is used by e-mail clients to process and display HTML messages - causes attachments with the incorrect MIME headers to be executed without displaying a warning dialogue for users. The Service Pack 2 update for Internet Explorer 5.01 isn't affected by the vulnerability, the company noted.
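The failure mode the advisory describes is a client that trusts an attachment's declared Content-Type over what the attachment actually is. As an added example, not code from the article or from Microsoft, this Python scan walks a message's MIME parts and flags any attachment whose filename extension is executable while the header declares a non-application media type; the sample message and the extension list are constructed assumptions.

```python
import email
import os
from email import policy

# Filename extensions Windows runs as programs (assumption: tune to your environment).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs"}


def find_mismatched_attachments(raw_message: bytes) -> list[dict]:
    """Report MIME parts whose filename says "program" while the
    Content-Type header claims a harmless media type. A mail client
    that acts on the header alone never shows the user a warning."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        filename = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if not filename:
            continue
        declared = part.get_content_type().lower()
        ext = os.path.splitext(filename)[1].lower()
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            findings.append({
                "filename": filename,
                "declared_type": declared,
                "reason": "executable extension declared as non-application media type",
            })
    return findings


# Constructed sample message (not from the article): an HTML body plus an
# .exe attachment whose header claims it is a GIF image.
SAMPLE_MESSAGE = b"""\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body>Quarterly report attached.</body></html>
--BOUNDARY
Content-Type: image/gif; name="report.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.exe"

QUJD
--BOUNDARY--
"""

if __name__ == "__main__":
    for finding in find_mismatched_attachments(SAMPLE_MESSAGE):
        print(finding)
```

A mail gateway or endpoint filter can apply the same check before the message ever reaches a client that may still trust the header.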