More Bugs Attack Internet Explorer (03/06/97; 9:00 p.m. EST) By Clare Haney, TechWire Microsoft had scarcely drawn breath after rushing out a bug fix for its web browser, Internet Explorer, when a second trio of college students announced Thursday that they had uncovered another breach in IE's security mechanism. David Ross and other students at the University of Maryland said they had come across another hole in some versions of Internet Explorer 3.0. Microsoft managed to deliver a patch for an earlier security gap discovered by Worcester Polytechnic students late last week. The new bug is not related to the one found by the self-named "Cybersnots" of Worcester, which could enable malicious individuals to misuse .LNK and .URL files to access a victim's computer remotely, but has much the same effect on hapless victims; it could wreck their computer. The new bug is related to IE's floating frames feature. Ross and his colleagues at the University of Maryland say on their site, "The only similarities between the discovery of this bug and the discovery of the other bug is that I go to a college and live in a dorm." The new bug comes as Microsoft is putting the finishing touches on version 4.0 of Internet Explorer, which aims to transform the Microsoft Windows desktop environment into an Explorer-like environment. IE 4.0 is due to ship March 17. Microsoft has not revealed whether both NT and Win 95 versions of its browser are affected by the Maryland bug. On his web page, Ross said the Microsoft patch for the first bug won't work for the newly discovered infestation. The new bug was discovered as Microsoft continues to patch up the first hole. Microsoft's Paul Balle, product manager for IE, assured TechWire on Tuesday that only Internet Explorer 3.0 and 3.01 for Win 95 and NT were affected by the earlier bug. However, come Thursday, Microsoft contradicted its earlier statement and announced on its website that all versions of Internet Explorer 2.0 were affected. The company isn't coming out with a fix for IE 2.0 -- instead, it is telling users they must upgrade to version 3.01 and then download the security fix. The fix is not completely closed off, because only "some" international versions of the code fix are downloadable from the Microsoft site. Fixes for the first bug have not been released for users running Internet Explorer on Digital Equipment's DEC Alpha, PowerPC and Million Instructions Per Second (MIPS) Win NT platforms, but Microsoft said it expects to post them "shortly." Additionally, the Redmond, Wash., company pointed out that the bug affects America Online users, who may not be aware that their web browser is, in fact, Internet Explorer. Microsoft said AOL users should also download the appropriate bug fix for their iteration of the software. TechWire was contacted by a worried AOL user who was concerned that other AOL users were unaware they were at risk. He said he had tested the Microsoft fix for the Win 95 version of IE 3.0, the web browser in AOL 3.0, and that it appeared to correct the problem. The Cybersnot crowd is also applauding Microsoft's fix for the bug they found. The Worcester students said Microsoft had let them test out the solution before posting it on the Microsoft security page. Still, a software consultant in New Zealand wrote TechWire to say he was not happy about the way Microsoft's fix installed. He said he had to reinstall IE 3.01 from scratch after downloading Microsoft's patch.