A security flaw in Microsoft's Internet Explorer browser could allow a hacker to take control of a remote computer if its user clicks a link to an outdated Internet protocol, a computer security firm says.
Oy Online said it notified Microsoft Corp. of the security hole relating to the Gopher protocol on May 20 but the software giant has yet to produce a software patch to fix the problem.
Although Gopher is considered an outdated format for Internet content, it is still supported by Internet Explorer and most other browsers
A Microsoft spokesman who refused to be identified said Tuesday that the company is "moving forward on the investigation with all due speed" and will take the action that best serves its customers.
According to Oy Online, a hacker could take over a user's computer simply by having the user click on a link to a "hostile Gopher site." That one click would install and run any program the hacker chose on the victim's computer, and the victim might never know.
Oy Online have not released the full details of the exploit to prevent exploitation, but some details have been published on their site. The attack can be launched via a web page or an HTML mail message which redirect the user to a malicious gopher server when the victim views them. The server can be very minimal, ie. a program that can listen on a TCP port and write a block of data; a fully operational gopher server isn't necessary in order to carry out the attack.
A partial workaround has been documented :-
- An easy way to disable processing and displaying gopher pages is to define a non-functional gopher proxy in Internet Options. Select Tools -> Internet options -> Connections. Click on "LAN settings". Check "Use a proxy server for your LAN". Click on "Advanced...". Here you can define proxy servers to be used with different protocols. Go to the Gopher text field and enter "localhost", and "1" in the port text field. This will stop Internet Explorer from fetching any gopher documents.
After installing the patch from Microsoft you can remove these gopher proxy settings (or restore them to values they had before).