Another bug got the better of Microsoft last week, days after a patch was posted on its site to deal with the Cybersnot issue. This time students from the University of Maryland announced that a bug was present in IE3.0 that could be activated simply by double clicking on an icon in a web page.
The Maryland bug is similar to the Cybersnot variation in that it allows a hacker to launch applications without warning. The Maryland trio also claim that files on a hard drive are at risk of being modified or deleted without warning.
Microsoft's official line is that the two bugs are the same, but are executed in different ways. Andrew Lee's Director of Desktop and Internet at Microsoft said: "The information I have from the US is that these are one and the same. We take this very seriously and there is a fix at Microsoft.com." But the Maryland hackers disagree with Lees and in a statement on their web site they say "This is not the same as the ".LNK and .URL" bug discovered recently." David Ross, one of the hackers said: "The cybersnot bug uses .LNK and .URL files to access a computer but this bug exploits the fact that ".isp" script files may be downloaded and executed by Internet Explorer.
You need a different patch to deal with this bug."
Despite Lees insistence that the two bugs are the same, a different patch was posted within 24 hours to deal with the Maryland bug.
Microsoft has acted swiftly to counter "overzealous reporting" of the bug issues by setting up an email alias called [email protected] The mail will monitored by Microsoft's security experts and is designed to allay any fears users of IE3.0 might have about the recent spate of security flaws.
In a statement Chris Rioux, the discoverer of the Maryland IE bug warned that Microsoft needs to be more rigorous in its testing of Internet products.
He said: "Microsoft code needs to be more rigorously tested before it is released. Bear in mind that it only took me about two hours of hunting to find this bug."
Sam Sethi was a little more scathing. He said: "In its attempt to catch up with us they're rushing code out - Netscape has never had a bug with Navigator, this is purely a Microsoft issue."
To see how the Maryland students hacked into IE go to http://www.dec.dorm.umd.edu/.
A smartphone maker fiddling its benchmarking scores? That's unusual, isn't it?
'We are making good progress on 10nm,' claims Intel
Engineer calculates that Chengdu's plan to replace streetlights with artificial moonlight would cost $100bn
Research could also apply to other 'space weather' events involving hot, fast-moving plasma