Software giant Microsoft Corp. is encouraging school districts and other customers to install a patch for a newly discovered security hole in several versions of its Internet Explorer (IE) web browser.

The company warned its customers that IE has a flaw that could allow attackers to run programs on another user’s computer. The glitch reportedly causes IE to open specially coded attachments in eMail messages automatically, Microsoft said March 29.

Attackers potentially could attach a program or a virus to such an eMail message, which then would cause problems to a victim’s computer files.

“Such a program would be capable of taking any action that the user himself could take on his machine—including adding, changing, or deleting data, communicating with web sites, or reformatting the hard drive,” explained a Microsoft security official.

For attackers to make use of the program’s vulnerability, they’d simply have to persuade the victim to click on a web site they controlled or open an eMail message they had sent.

According to Marc Liebman, superintendent of the Marysville Joint Unified School District in California, the hole could have a number of serious consequences for schools.

“These include the loss of access to confidential employee and—more importantly—student records; neutralizing our screening programs for inappropriate internet sites; and getting into attendance and grading programs and making changes,” he said.

This type of problem is a lot more common than users know, Liebman said.

A patch to fix the problem has been developed and can be downloaded at no cost from Microsoft’s web site. Internet Explorer versions 5.01 and 5.5 that do not have IE 5.01 Service Pack 2 are affected.

Scott Culp, Microsoft’s security program manager, said the flaw exists only with a few out of several hundred Multipurpose Internet Mail Extensions (MIMEs), which are used to encode files as eMail attachments.

According to the company’s security update, a MIME is “a widely used internet standard for encoding binary files as eMail attachments. When an eMail contains a binary attachment, it must specify what type of file the attachment is, so the mail program can interpret it correctly.”

In the case of this vulnerability, IE does not correctly handle certain types of fairly unusual MIME types, Microsoft officials said. If an attacker created an eMail message containing an executable attachment and specified that it was one of these MIME types, IE would execute the attachment rather than prompting the user.
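The check below is an added example, not part of the original article and not Microsoft's code: a mail gateway or analyst could use Python's standard `email` module to flag attachments whose declared MIME type disagrees with what the payload actually is, which is the mismatch this flaw depended on. The sample message, the filenames and the `image/gif` label are constructed for illustration; the article does not name the affected MIME types.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Magic-byte prefixes of executable formats (DOS/Windows "MZ", ELF).
EXEC_MAGIC = (b"MZ", b"\x7fELF")
# Extensions Windows treats as directly runnable (illustrative subset).
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
# Declared types that do not claim the payload is harmless media or text.
NEUTRAL_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-msdos-program"}


def find_mismatched_attachments(raw: bytes):
    """Return (filename, declared_type, reason) for each part whose payload or
    name is executable while its Content-Type header claims something else."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        if declared in NEUTRAL_TYPES:
            continue  # label does not misrepresent the content
        if body.startswith(EXEC_MAGIC):
            findings.append((name, declared, "executable magic bytes"))
        elif name.endswith(EXEC_EXT):
            findings.append((name, declared, "executable file extension"))
    return findings


def build_sample() -> bytes:
    """Constructed message: one honest image, one mislabelled program stub."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("hello")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="logo.gif")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="image",
                       subtype="gif", filename="photo.gif")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_mismatched_attachments(build_sample()):
        print(finding)
```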

Attackers would not be able to harm users who set their computer not to allow files to be downloaded from web pages.

Marysville’s technology director, Rick Corl, issued a directive to school officials recommending that they install the patch in district computers and provided direction on how to handle any problems until the patch was installed.

So far, no district computers have reported problems related to the IE hole, Corl said.

Microsoft’s Culp said the problem is a typical software error, and it was discovered before any viruses could be spread.

“That’s the best situation we can hope for, short of perfect software,” he said, adding that Microsoft is working to install checks for the glitch on virus scanners.

Juan Carlos Cuartango, a security researcher for the Spanish company, notified Microsoft of the flaw. The programmer had found previous security gaps in Microsoft’s Internet Explorer and Netscape Navigator.

Chris Rouland, director of the Atlanta-based Internet Security Systems’ X-Force, called the glitch a “theoretical vulnerability.”

“This is an example of the fact we see individuals and hackers are always looking for flaws and bugs,” he said, adding that users who don’t use antivirus software are at the highest risk.

And that goes for schools, too.

According to Liebman, not enough districts have policies and dedicated technology employees to deal with security issues like this one. But there are several things that schools and districts can do to protect themselves, he said.

“Schools need to articulate policies and procedures that define appropriate and inappropriate use … and hire tech staff who truly understand security issues,” he said. “They also need to install programs and general applications to regularly monitor and update safety procedures, software, and practices.”

