Bug circumvents IE 5 passwords
- — 10 May, 1999 21:49
Microsoft has confirmed the existence of a "complicated and less effective" security bug in Internet Explorer 5 that permits access to the passwords of shared machines.
The bug occurs when one user accesses a site that does not employ standards-based HTTP cache controls to remove files from the cache.
Another user on the same machine can then view a particular kind of password-protected site that has been visited by another user and cached on the PC without entering the original user's user name and password, according to Microsoft.
The password itself would not be viewed by the second user.
Some users believe the bug has the possibility of being an annoying problem.
"If the [local] cache is compromised in such a way as to allow secure data to be accessed without using proper credentials -- or in this case, without any credentials at all -- then you have a big problem," said Scott Schnoll, a US-based Windows developer.
Schnoll said work-around solutions exist for the bug, such as manually emptying the local cache or configuring IE 5 to automatically purge the cache when it is closed.
"The best solution would be in the form of a patch from Microsoft," Schnoll said. "It would be nice if IE 5 users were able to take advantage of the benefits of a local Web cache without having to worry about security breaches such as this."
Microsoft is currently investigating ways to address this issue in a future release.
More information on the security bug can be found at http://www.nwnetworks.com/iesf.html .