Bulgarian bug hunter strikes again

Web surfers using the Internet Explorer 5 (IE5) Web browser are being warned by Microsoft about a possible security breach that could let an attacker take your computer “hostage”. Microsoft says the flaw can let a “malicious” Web site operator run executable code on your computer after you’ve visited their Web site.

The vulnerability is in IE 5’s “Import-Export-Favorites” feature, which lets users import and export lists of commonly accessed Web addresses. In a security alert, Microsoft warns that “the net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking.”

Scary stuff, when you consider that this means that a hacker could get into your computer and erase files, change them, format your hard drive… anything you can do, they can do worse.

The now-famous “Bulgarian bug hunter” Georgi Guninski is credited by Microsoft with discovering the security hole in IE5. Mr. Guninski has found numerous security holes in both Microsoft and America Online Web browsers. Many of the holes exploit the “unintended” effects of Web scripting capabilities in the programs. Mr. Guninski reported a similar “hole” in IE two weeks ago, and Microsoft patched yet another hole in the program the same week.

Until a patch is developed, Microsoft advises IE 5 users to disable Active Scripting to protect themselves from hackers. Scripting lets Web authors run mini applications, or “scripts,” on a visitor’s computer that operate without the visitor’s interaction. Scripting is usually used on Web sites for functions like launching pop-up windows or scrolling text across the screen.