
By Sally Watson
Published: 14 October 1998 17:26 BST
Microsoft's Internet Explorer (IE) browser has become the latest victim in a series of security scares designed to draw attention to privacy holes in Web software.
Juan Carlos Garcia Cuartango, a Spanish Web developer, discovered the hole in IE4 after he noticed the browser could be prompted to upload files from his computer through a simple HTML instruction. Although Microsoft's programmers had attempted to secure the feature, Cuartango found a simple workaround which allowed him access to the contents of any surfer's hard disk.
Cuartango also posted an example of how easy it would be for a malicious programmer to hide an ActiveX or Visual Basic Script warning in the IE4 browser. If the warning is ignored, the script can gain "full control" of a user's system - installing viruses, reading and deleting files.
According to Cuartango, Microsoft is "already working hard" to fix the problem. He believes a patch should be ready in the next few days - or even hours. Microsoft is advising users to turn off IE4's active scripting option until the fix is ready. According to the software company, there have been no complaints of actual security incidents.
Cuartango is not the first independent developer to draw attention to browser weaknesses. Two weeks ago Dan Brumleve posted a JavaScript script on his Web site which allowed access to a user's Web cache via Netscape Navigator.
Brumleve and Cuartango claim their actions are intended to improve product security rather than simply embarrass large firms, but their attentions are not always welcomed. Last week Netscape posted a second fix after it was forced to admit that the original fix it posted for Brumleve's 'Cache-Cow' JavaScript script didn't work.
Cuartango told Silicon.com he will now be checking for security holes in Netscape's browsers. "Companies do not devote enough resources to security," he warned, "protect yourself."