Security bug in IE 5 circumvents passwords

By Matthew Nelson and Bob Trott
InfoWorld Electric

Posted at 1:44 PM PT, May 5, 1999
Microsoft has confirmed the existence of a "complicated and less effective" security bug in Internet Explorer, Version 5, which permits access to passwords off of shared machines.

The bug occurs when one user accesses a Web site that does not employ standards-based HTTP cache controls, thereby enabling another user on the same machine to view the same password-protected site visited by the first user and cached on the PC -- without entering the original user's username and password, according to the company.

The password itself would not be viewed.
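
Because the exposure depends on whether the site sends HTTP cache controls, a site operator can audit the response headers of its password-protected pages. The following is an added example, not code from the article, Microsoft or InfoWorld; the function names, verdict labels and sample paths are constructed, and the directive meanings follow standard HTTP caching semantics.

```python
# Added example: classify how a browser's local cache may treat a response
# to an authenticated request. Verdict labels and sample data are constructed.

def parse_cache_control(value):
    """Return {directive: argument-or-None} from a Cache-Control header value."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def local_cache_verdict(headers):
    """Return (verdict, reason) for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored", "no-store forbids caches from keeping a copy"
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "stored-revalidated", "copy may be kept but needs revalidation"
    if "private" in cc:
        return "stored-local", "private only restricts shared caches"
    if "no-cache" in h.get("pragma", "").lower():
        # Pragma: no-cache has no defined meaning in responses.
        return "stored-local", "Pragma alone is unreliable; send Cache-Control"
    return "stored-local", "no cache controls; browser may store and reuse"

SAMPLE_RESPONSES = {  # constructed headers for password-protected pages
    "/account/statement": {"Content-Type": "text/html"},
    "/account/profile": {"Cache-Control": "private, max-age=600"},
    "/account/inbox": {"Cache-Control": "no-cache"},
    "/account/legacy": {"Pragma": "no-cache"},
    "/account/settings": {"Cache-Control": "no-store"},
}

def pages_left_on_disk(responses):
    """Paths whose responses a browser may keep in its local cache."""
    return sorted(path for path, hdrs in responses.items()
                  if local_cache_verdict(hdrs)[0] != "not-stored")

if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        print(path, *local_cache_verdict(hdrs))
```

Only `no-store` keeps the page out of the local cache entirely; the other verdicts leave a copy on the shared machine's disk.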

Some users believe the bug could be an annoying problem.

"If the [local] cache is compromised in such a way as to allow secure data to be accessed without using proper credentials -- or in this case, without any credentials at all -- then you have a big problem," said Scott Schnoll, a Portland, Ore.-based Windows developer.

Schnoll said work-arounds exist for the bug, such as manually emptying the local cache, or configuring Explorer to automatically purge the cache when it is closed. More information on the security bug can be found at www.nwnetworks.com/iesf.html.

"The best solution would be in the form of a patch from Microsoft," Schnoll said. "It would be nice if IE 5 users were able to take advantage of the benefits of a local Web cache without having to worry about security breaches such as this."

Microsoft is currently investigating ways to address this issue in a future release, the company said.

Microsoft Corp., in Redmond, Wash., is at www.microsoft.com.

Matthew Nelson is an InfoWorld senior writer. Bob Trott is InfoWorld's Seattle bureau chief.

Copyright © 2000. InfoWorld Media Group, Inc.
This is computer-edited content for no-frames display browsers or crawlers.
To see the fully formatted content, get a frames-capable browser and surf to http://archive.infoworld.com/cgi-bin/displayStory.pl?99055.icie5bug.htm