Internet Explorer Bug

Microsoft Internet Explorer Security Hole

The original article can be found at www.wopr.com
21 January 1999

GAPING SECURITY HOLE IN IE/OUTLOOK AND OFFICE ~~~~~~~~~~~~~~~

Listen up, people. This is serious. Probably the most important article that's ever appeared in Woody's Office Watch. WOWser DavidF wrote to me last week with a masterful, amazing hack that exploits the largest Office security hole I've ever seen. No, I'm not going to tell you the details of how the security hole works (Microsoft will give some broad info) - and I sure as hell hope nobody else drops enough hints to teach some %$#@! idiot malware writer how to do it. But I will tell you what it does. If you have Office installed, and you use Internet Explorer to view an infected Web page, that page - without your knowledge, or any action on your part - can wreak havoc on your system. It can drop a virus, delete a folder, scramble data, send your tax files to Timbuktu... anything. Similarly, if you use Outlook 98 or later to view an infected HTML message, that message - with no action on your part - can do anything to your system.

Anti-virus legend Dr. Vesselin Bontchev confirmed DavidF's report by showing me an HTML file that exploits the security hole. It's... scary. It's way too easy to exploit, unlike some more obscure security problems you don't have to be a 'rocket scientist' to spread trouble. For that reason, WOW has decided to be quick about warning our readers to get the protective patch before examples of this spread 'in the wild'.

DavidF told me, "I'm a bit surprised this isn't more widely known. I notified the IE team of it long ago..." As in the past WOW has been able to bypass Microsoft's bureaucracy and quickly get the details to the people who matter. Once we passed along David's news to the right levels inside Microsoft, the offal hit the impellers, a team has been working day and night for the last few days to find a fix. Microsoft will be posting that fix in the next few hours. That's why we held off on sending WOW to you this week - to make sure the fix was ready and that it works. It does.

Let me make this really clear. Every single Office user who also uses Internet Explorer or Outlook 98 or later, MUST INSTALL THIS PATCH. It's only a matter of time before some %$#@! cretin figures out how to exploit this hole. You - and everyone you know - needs protection NOW.

There's actually TWO security patches out today. We're particularly concerned with the Word 97 Template patch, but you should get the Forms 2.0 patch as well. More info on both problems below.

WORD 97 TEMPLATE PATCH
Microsoft Security Bulletin: http://www.microsoft.com/security/bulletins/ms99-002.asp
Office Update Download Page: http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm

FORMS 2.0 CONTROL PATCH
Office Update Download Page: http://officeupdate.microsoft.com/downloaddetails/fm2paste.htm
Microsoft Security Bulletin: http://www.microsoft.com/security/bulletins/ms99-001.asp

Please. Take a few seconds to forward this article to everyone you know who doesn't subscribe to WOW. Urge them in no uncertain terms to get the patches, and apply them immediately. All I ask is that you keep this article intact - don't change it - and that you send it in its entirety. If there are any updates, we'll post them to http://www.wopr.com/ immediately.