Quantcast
PCWorld.com is upgrading some back-end systems. Some site features, such as user registration, may be temporarily unavailable.
Subscribe to magazine

IE5 Bug Circumvents Passwords

Security hole may threaten those who share PCs.

Matthew Nelson and Bob Trott, InfoWorld Electric

  • 0 Yes
  • 0 No
Microsoft has confirmed the existence of a "complicated and less effective" security bug in Internet Explorer 5.0, which, when users share machines, allows access to password-protected sites without proper authentication.

The bug occurs when one user accesses a Web site that does not employ standards-based HTTP cache controls, thereby enabling another user on the same machine to view the same password-protected site visited by the first user and cached on the PC--without entering the original user's log-in and password.

The password itself would not be viewed.

Some users believe the bug has the possibility of being an annoying problem.

"If the [local] cache is compromised in such a way as to allow secure data to be accessed without using proper credentials--or in this case, without any credentials at all--then you have a big problem," said Scott Schnoll, a Portland, Oregon-based Windows developer.

Manual Work-Arounds

Schnoll said work-arounds exist for the bug, such as manually emptying the local cache, or configuring IE5 to automatically purge the cache when it is closed.

"The best solution would be in the form of a patch from Microsoft," Schnoll said. "It would be nice if IE5 users were able to take advantage of the benefits of a local Web cache without having to worry about security breaches such as this."

Microsoft is investigating ways to address this issue in a future release, the company said.

For more IT analysis and commentary on emerging technologies, visit InfoWorld.com. Story copyright © 2007 InfoWorld Media Group. All rights reserved.

  • Recommend this story?
  • 0 Yes
    0 No

People who read this also read:

Sponsored Links