November 17, 1997
More Explorer 4.0 bugs affect images, text, and font files
I wrote in October about various problems with Microsoft's Internet Explorer 4.0 and their work-arounds. (See "Tools on the Web respond to new Internet Explorer," Oct. 13, and "Readers respond on Explorer 4.0, Excel, cookies, and more," Oct. 20.) This week, some new problems have surfaced that I'd like to clue you in on.
The most serious problem affects Explorer 4.0 for both Windows 95 and Windows NT. It allows a Web site to copy images, text files, and HTML files off your hard drive -- while you're viewing the site with Explorer 4.0 -- without your knowledge.
This trick is accomplished with the use of Dynamic HTML. The rogue Web site refers to a file of yours, which is loaded into an invisible window and sent from there to the rogue site.
Microsoft has acknowledged this problem and has a work-around. The company suggests clicking View, Options, Security in Explorer 4.0, then selecting the Restricted Web Sites zone. Choose Custom, then disable the Active Scripting option. Microsoft notes on its Web site: "Users can add any unfamiliar Web sites to this zone."
If you don't feel like adding every site you might ever visit to your list of Restricted Web Sites, I recommend a simpler fix. Download a patch file for Explorer 4.0. Set your browser to http://www.microsoft.com/ie/ and click the link entitled "Fix Now Available for 'Freiburg' Text-Viewing Issue." (This problem was originally diagnosed by a consultant in Freiburg, Germany.) You download a 946KB executable.
A bug causing another serious concern is called the Explorer 4.0 Font Security Hole. This bug allows users of Explorer 4.0 to copy specialized font files from Web sites and install the fonts on their own systems.
When Microsoft developed the TrueType outline font format for Windows 3.1, it invented the concept of embedded fonts. A font can be made part of a document so the reader can view and print the document with the same look as the original -- even if the font is not installed on the user's machine.
This is a great benefit for users. Special fonts take much less time to download than graphics inserted into a Web site. So that font designers would not have their fonts stolen, Microsoft allowed font distributors to set different levels of embedding. No Embedding is the strictest level; Print and Preview Only is supposed to allow use of the font without letting users steal it.
Explorer 4.0, however, enables any user with font-creation software to pull down a copyrighted font while viewing a Web site containing it. Font vendors are upset because they were assured by Microsoft that its products would always respect fonts that identified themselves as Print and Preview Only.
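A font declares the embedding levels described above in the fsType field of its OS/2 table, which a font vendor can inspect before publishing. The following is an added example, not code from this column or from Microsoft; the function names are illustrative, the sample font bytes are constructed, and "Editable" and "Installable" are the specification's names for the two levels the column does not mention.

```python
import struct

# fsType permission bits in the OS/2 table of a TrueType (sfnt) font.
RESTRICTED = 0x0002     # "No Embedding" in the column's terms
PREVIEW_PRINT = 0x0004  # "Print and Preview Only"
EDITABLE = 0x0008       # spec name: Editable embedding

def read_fstype(font: bytes) -> int:
    """Return the fsType field from the OS/2 table of an sfnt font."""
    if len(font) < 12:
        raise ValueError("truncated sfnt header")
    version, num_tables = struct.unpack_from(">IH", font, 0)
    if version not in (0x00010000, 0x4F54544F, 0x74727565):  # 1.0, 'OTTO', 'true'
        raise ValueError("not an sfnt font")
    for i in range(num_tables):
        rec = 12 + 16 * i  # 12-byte header, then 16-byte directory records
        if rec + 16 > len(font):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, rec)
        if tag == b"OS/2":
            # fsType is the uint16 at byte offset 8 of the table.
            if length < 10 or offset + 10 > len(font):
                raise ValueError("OS/2 table too short")
            return struct.unpack_from(">H", font, offset + 8)[0]
    raise ValueError("no OS/2 table")

def embedding_level(fstype: int) -> str:
    """Name the level; if several bits are set, the least restrictive one wins."""
    if fstype & EDITABLE:
        return "Editable"
    if fstype & PREVIEW_PRINT:
        return "Print and Preview Only"
    if fstype & RESTRICTED:
        return "No Embedding"
    return "Installable"

def build_sample_font(fstype: int) -> bytes:
    """Constructed input: sfnt header, one directory record, 10-byte OS/2 stub."""
    os2 = struct.pack(">HhHHH", 0, 500, 400, 5, fstype)
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"OS/2", 0, 12 + 16, len(os2))
    return header + record + os2

if __name__ == "__main__":
    for bits in (0x0000, 0x0002, 0x0004, 0x0008):
        print(hex(bits), embedding_level(read_fstype(build_sample_font(bits))))
```

The field is only a declaration inside the font file; it takes effect only where the software handling the font honors it.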
Microsoft Typography spokesman Simon Earnshaw issued a statement saying, "The possibility of extracting embedded font data in the manner identified is a consequence of the operating system architecture, rather than of the embedding services code." Microsoft doesn't plan a fix until NT 5.0.
Users benefit from having a large selection of fonts available to Web designers. Microsoft should immediately fix this hole so font creators don't have to pull their fonts.
Daniel Will-Harris has written extensively about this problem at http://news.i-us.com/wire/wire.htm. For excellent free, shareware, and commercial fonts, see the Internet Type Foundry Index at http://www.typeindex.com.
Brian Livingston is the co-author of several best-selling Windows books, including the most recent Windows 95 Secrets (IDG Books). Send comments to brian_livingston@infoworld.com. Unfortunately, he cannot answer individual questions.
Copyright © 1997 InfoWorld Publishing Company