Copyright 1997 The Associated Press. All rights reserved.
The information contained in this news report may not be published,
broadcast or otherwise distributed without the prior written authority of
the Associated Press.
By GEORGE TIBBITS
AP Business Writer
SEATTLE (AP) -- Microsoft Corp. scrambled to fix a
security flaw in the company's Internet Explorer browser that could allow
a Web site operator to secretly run programs stored on someone's personal
computer.
Although the company said it had no customer reports of security
breaches, a computer security expert said the problem was "extremely
serious."
"It is as if you allowed someone to type on your computer and you go out
to lunch," said Simson Garfinkel, an author of Internet security books and
columnist for HotWired magazine and the Boston Globe.
The flaw could result in all sorts of mischief, such as preventing another
person's computer from starting up or sending e-mail from another
person's account, Garfinkel said.
Microsoft officials said Monday they were testing a solution for the
problem and expected to have it quickly posted to the company's site on the
World Wide Web.
Internet Explorer, Microsoft's keystone product in its Internet strategy,
is used by millions of people worldwide to access the Web. Microsoft
estimates it has a 25 percent to 30 percent market share, behind Netscape
Communications' Navigator program.
Paul Balle, a product manager for Microsoft's Internet Explorer team,
said Microsoft learned of the flaw Monday after it was discovered last week
by a student at Worcester Polytechnic Institute in Worcester, Mass. The
student, Paul Greene, and his friends posted information about the flaw on
their Web site.
"We take this very seriously," Balle said. "The moment we found out
about it, we got our developers and program managers on it."
Greene said in an interview with InfoWorld Electric, posted to that Web
site Monday afternoon, that the problem appears only to affect Internet
Explorer and not Navigator or other non-Microsoft browsers.
The flaw involves basic functions found within Microsoft's Windows 95
and Windows NT operating systems.
When a PC user clicks on a hyperlink on a Web page, Balle explained, a
malicious Web page creator could have that link connect to a file known as a
"shortcut" in Windows 95 and NT. Shortcuts are widely used to start
computer programs or functions.
If the "webmaster" for the Web page can guess the precise location and
code needed on the user's computer, shortcuts on the Web page could
surreptitiously "point to" and start programs residing on the user's hard
drive.
"If they can guess it, they can get to it," Balle said.
Many widely available programs such as Windows 95 have standard
locations or addresses where their components are stored on computers.
Unless a PC user custom-installed or otherwise modified a program, the
addresses would be simple to guess.
Internet Explorer's extensive security systems are based on a Microsoft
technology called Active-X. The shortcuts, however, "totally bypass that,"
Balle said.