Gopher digs holes in security

Security experts have warned that a security flaw in a long abandoned protocol may still pose a threat today.

Vulnerabilities associated with the Gopher protocol could allow an attacker to take control of a remote machine.

Gopher was used between 1990 and 1992. Gopher servers offered hierarchically organised directories and files accessible through a hypertext link structure.

'Gopherspace' was effectively the predecessor to the World Wide Web, but the protocol was abandoned for HTTP when the web gained in popularity.

But most web browsers of today, including Internet Explorer (IE) and Netscape, still have a Gopher client built in which can access pages starting gopher://.

An advisory from Finnish security firm Online Solutions reveals that the part of code in IE which parses gopher replies contains an exploitable buffer overflow bug, through which a malicious server could be used to run arbitrary code on a user's system.

Attacks can be launched via a web page or HTML email message. A fully operational gopher server isn't necessary in order to carry out the attack.

The exploiter could do anything that a regular user could do on the system, such as retrieve, install or remove files, upload and run programs, etc.

Microsoft was contacted by Online Solutions in mid-May and has since started designing a fix for IE. It has not yet given any indication of when the code will be released.