Security Problem Emerges with Internet Explorer 5

The steps Microsoft Corp. takes in the download process for Internet Explorer 5 has led to security and administration issues with Windows NT Server and Workstation that is alarming some users.

The steps Microsoft Corp. takes in the download process for Internet Explorer 5, probably to manage the increases in traffic at its Web site (www.microsoft.com), has led to security and administration issues with Windows NT Server and Workstation that is alarming some users.

Microsoft’s Web site sustained record traffic from March 18 to March 22 as users flocked to download the upgrade to its Web browser, according to the company. There were more than 1 million downloads of Internet Explorer 5 over the period. Usage at the site had been running at 140 percent of normal traffic for the week following the availability of Internet Explorer 5. On March 18 alone, the site handled 4 million visitors, requesting 44 million Web pages.

During the week, messages began appearing on the NTBugtraq mailing list (www.ntbugtraq.com), which follows security and administration issues in Windows NT. To download Internet Explorer 5 on Windows NT Server and Windows NT Workstation, Microsoft disabled screen saver passwords and the Task Scheduler Service. The password protection and scheduler resume once the download completes, but no warning pops up to alert users that password protection or task performance will be interrupted.

"There’s just no excuse for doing this, other than to download the file as quickly as possible," says Russ Cooper, moderator of NTBugtraq in Ontario. "There should be a warning dialogue that says, ‘This is what I’m going to do.’"

Problems could arise at companies with security policies that mandate that users employ password protection with their screensavers. The biggest danger is that a user would leave a terminal unattended during the download, fully expecting the password prompt to still be active. Instead, anyone could access files from that terminal. Additionally, monitoring software used by administrators to enforce a password policy could fill an administrator’s time with violation alerts that users would be unable to explain.

Another potential problem area would be an instance where an administrator or user decides to download the browser at the end of the day, and install it the following day. Without any prompt that the download will interrupt the Task Scheduler Service, a backup scheduled to begin at the same time could be skipped.

There is a credible argument that Internet Explorer does not belong on a Windows NT Server in the first place, Cooper acknowledges. Moreover, Microsoft provides an Internet Explorer Administrators Kit that allows administrators to configure and install the browser any way they want across the enterprise. Microsoft officials did not return calls for comment.

Still, Cooper argues, less experienced administrators may not realize they have those options, and there’s little reason corporate users shouldn’t have the option to download browsers from the Web. "Microsoft is taking the feedback that they’re getting from Windows 98 and home users that they don’t want to have a billion options, and giving server users the same set of options" for Internet downloads, Cooper says.