Clicker Beware

SEATTLE: Careful where you click. A security flaw has been discovered in Microsoft's Internet Explorer browser that could allow a Web site to log onto you. The software bug, discovered last week by Paul Greene, a student at Worcester Polytechnic Institute, allows a Web page designer to turn hyperlinks into a direct pathway to the computer of any person who uses them. Greene posted information about the problem on his web site Monday. By utilizing an operating system's "shortcuts," used to access and start programs stored on the hard drive, nefariously designed links could bypass the browser's security systems and automatically access programs, from e-mail to files and basic functions, that reside on the user's hard drive. All the site's designer would need to know is the location and code of a program on the drive. Such locations, unfortunately, are commonly standardized with operating systems' installation, and thus easily deduced. The bug could be a dose of publicity poison for Microsoft, by focusing computer users' fears about security onto both Internet Explorer and the operating systems the browser is so relentlessly paired with: Windows 95 and Windows NT. Microsoft officials said they were testing a solution for the problem and expected to have it quickly posted to the company's site on the World Wide Web. There have been no customer reports of security breaches so far. But now that the flaw has been discovered, the company's developers and program managers could be in a race with Microsoft-hating webmasters, who could theoretically rig their sites to damage any computers who use the Internet Explorer browser to access them.