In stumbling upon one of the biggest software bugs in recent memory, Paul Greene '98 just may have won himself a place in the hacker hall of fame. Here's how he found a flaw in Microsoft's Internet Explorer.
At 10:10 p.m. on Thursday, Feb. 27, 1997, WPI student Paul Greene clicked his mouse and catapulted himself into Microsoft- and computer-history. "All I wanted to do was connect to my Web page," says Greene, a 28-year-old senior majoring in electrical engineering. "Instead, I discovered a bug in Microsoft's Internet Explorer software that could allow anyone to build a booby trap into a Web page."
What Greene discovered was a flaw that created a serious security breech in one of the most widely used Web browsers - software applications that enable computer users to harvest the vast bounty of information and multimedia content available through the World Wide Web. The bug could enable unethical Web designers to reach into your computer from across the miles and retrieve information, delete files and generally wreak havoc - all without your being aware, until it was too late. It was like giving potential burglars a key to your front door.
Greene never expected his discovery to become big news. But within four days, he and his roommates had been profiled by countless newspapers and trade journals in the U.S. and Canada, had been interviewed on national television news programs, and had seen their own site on the World Wide Web accessed over 100,000 times (that number would grow more than sevenfold within two months).
Things began innocently enough. "I was working on my IQP," Greene says. "It was an evaluation of the freshman orientation program that WPI developed for the Class of 2000. There were four of us on the project team, all working on different parts of our report. Sharing a floppy disk wasn't practical, and since we'd all had experience developing Web pages, we decided to create a page where we could post our files for everyone to see and edit."
"What I did was something anyone could do inadvertently. The difference is that I recognized it as a major security threat." - Paul Greene '98
Greene had stored his files in a directory [or folder] on his computer. Rather than copying the whole folder onto the Web page he was sharing with his project team, he created a shortcut to the folder and posted that. "A shortcut is a convenient feature in Microsoft's Windows 95," Greene says. "It's just a tiny file that points to a big one. They're simple to make, and you can put them anywhere on your system where you can access a file."
Greene's shortcut was not to a file, but to a directory full of files. Ordinarily, if you create a shortcut to a folder and then click on it, Windows 95 will launch the program Windows Explorer, which will then open the folder and display its contents. But Web pages are not supposed to be able to run programs on your computer, at least not without first securing your permission. When he clicked on the shortcut he'd placed on the Web page using his browser, Microsoft's Internet Explorer, Greene fully expected the browser to warn him that the Web page was about to take undue liberties with his computer. But it didn't. "When I clicked on it, much to my surprise, Windows Explorer started, and listed all the files I'd put there.
"I began experimenting. I made a shortcut to the Solitaire card game that comes with Windows, put the shortcut on my Web page, clicked on it, and, sure enough, the Solitaire game actually started. At this point, I knew I'd found something unusual. I'd never heard of anything like this. My first thought was, 'Could I possibly be the only one in the world to have discovered this flaw?'"
It turns out he was. "I still can't believe it,"
he says. "Companies run their products through rigorous tests before they are marketed. I think that the reason this flaw was not caught is that Microsoft never checked it out at this basic level. What I did was something anyone could do inadvertently. The difference is that I recognized it as a major security threat."
What Greene had discovered was a flaw in Microsoft's browser, which works with the Windows 95 and Windows NT operating systems. It is also the browser used by millions of subscribers to America Online. The bug could allow a Web site operator to secretly run programs, delete files, copy passwords and software - even transfer money - on someone else's computer, and damage software stored on a hard drive.
To accomplish all this, the site operator would make use of standard programs that come packaged with Windows, including programs that can create, edit and delete information, files that contain information your computer needs to operate properly, and directories where popular programs like Microsoft Word store documents you create. By using a Windows Internet shortcut file (known as a "url file") rather than a standard shortcut file (a "lnk file"), a Web page designer wouldn't even have to know the exact location of those programs and files, since a .url file can hunt them down. To make matters worse, designers can use a programming language called Java and a Web publishing tool known as the META refresh tag in combination with shortcuts to execute a sequence of commands and to launch a shortcut without the user having to do anything.
"I called in my roommates, who are both computer science majors. They were amazed. I could have run programs on the computer of anyone who visited my web page."
The bug represented a serious security risk. It affected only users of the Microsoft browser designed for Windows 95 and NT. Users of other versions of Windows or other browsers, such as Netscape Communications Corp's Navigator, were not affected. Still, with 45 million users of the affected versions of Internet Explorer, the flaw had the potential to cause problems on a large scale.
The moment he realized what he'd found, Greene began searching security Web sites to see if anyone else had discovered the flaw. "By 10:30, when I wasn't able to find anything that even resembled what I had discovered, I was on pins and needles," he says. "I called in my roommates, who are both computer science majors."
Paul Greene, center, with roommates Brian Morin, left, and Geoffrey Elliot not long after the news of the Internet Explorer bug hit the national media.
Geoffrey Elliott, 22, of Vernon, Vt., is vice president and chief technology developer for Harvest Webmasters Inc., a Worcester-based Internet service company. Brian Morin, 20, of Nashua, N.H., writes Web server software in his spare time - just for the fun of it. "They were amazed," Greene says. "We began brainstorming about what could be done with this bug. I could have run programs on the computer of anyone who visited my Web page."
The students stayed up until 4 a.m. talking about the discovery. Later that day they constructed a Web page with nondestructive demonstrations to prove to Microsoft that Greene had indeed discovered a flaw in the browser. They put it on a Web site they maintain called Cybersnot Industries (the flaw has since come to be known as the "Cybersnot Bug").
The page they created included dramatic (though safe) demonstrations of the kinds of breeches the bug made possible. For example, clicking on one link would cause the calendar program to start running on a user's computer. Another link created and deleted a directory, and then copied a batch file (a file containing a set of instructions) onto the user's computer and ran it. Among other actions, the file opened the computer's autoexec.bat and config.sys files (which contain instructions that help the computer start up and run normally).
Having proved their case, they alerted Microsoft with an e-mail message and waited. It was now Friday afternoon. "We never heard from Microsoft," Greene says. "Either it fell through the cracks or they didn't believe I'd found anything. By Sunday, we realized that this was huge and that we could no longer keep quiet about it. We decided to go public and tell everyone about the flaw. This way, we figured, people could be careful until Microsoft created a fix. Up to this point, only the three of us, Microsoft, and a couple of other WPI students knew what we had."
The students released the information to a couple of trade journals and individuals. Although they didn't know it at the time, they had just unleashed the first snowflakes of what would become an avalanche of publicity.
On Sunday evening, Bob Trout, a reporter for the weekly magazine InfoWorld, e-mailed Greene, Morin and Elliott a series of questions. The students also gave Trout permission to quote them. "Being completely naive," says Greene, "we figured that Trout would write the story, contact Microsoft and that would be the end of it. We thought only the trade journals would be interested. We never thought it would be this big."
InfoWorld put the story on its Web page and the Associated Press picked it up and put it out on the national news wire. Almost immediately, the bug began making headlines everywhere. The storm of publicity started with an on-air interview with a Los Angeles radio station on Sunday night. "We were so unprepared for all of this," Greene says. "The requests for interviews began coming in and we said, 'Sure, we'll talk.'"
The pressure escalated as the evening wore on. NBC called to ask the three to go on the air live the following morning on MSNBC, the network's cable news service. The request surprised Greene because the network is partially owned by Microsoft, whose oversight they were exposing. "We were on Cloud 9," Greene says, "in the midst of a natural high. We didn't sleep at all that night."
Greene managed to get to his 9 a.m. class on Monday before a limousine whisked the trio to Watertown, Mass. Word about the discovery began to get out to the campus community after Greene asked his professor for an extension for his project and the professor announced it to the class.
The team spent more than 12 hours on Monday giving interviews from a studio in Watertown. As a result, the discovery was discussed on CNN's Moneyline, the Boston affiliates of CBS and NBC news, the Canadian Broadcasting Company, and CNBC. Stories also ran in The Boston Globe, The New York Times, USA Today, Mass High Tech and other major newspapers and magazines. WPI President Edward Parrish read the news in a local edition of USA Today while on a business trip in Egypt.
Greene took a break from the media frenzy to alert his parents, William and Collette Stowell of Tiverton, R.I., that their son was about to become front-page news. "My parents both work, so all I could do was leave a message on their answering machine," says Greene. "I said, 'Hi, this is Paul. I'm going to be famous.' My mother had no idea how to reach me and she always assumes the worst. She didn't relax until she saw me on the evening news."
Back at WPI, the News Service was swamped with requests for interviews, the students' phones didn't stop ringing, and the page the students had created to announce the bug was absorbing thousands of "hits." And through all this frenzy, the students still hadn't heard from Microsoft. "We figured that since MSNBC was partially owned by Microsoft, the company would sent a representative to talk to us, but they didn't."
It turns out that just as they were settling in before the cameras and microphones in Watertown, Microsoft was trying to contact them by phone and e-mail. The company had finally recognized the seriousness of the flaw and was busy trying to create a fix for the problem. The first version of a patch for Internet Explorer appeared in Microsoft's Web site the next day. Before it was released, Microsoft asked Greene, Elliott and Morin to try it out. More recently, Microsoft released newer versions of the program that has this and other bug fixes built in (see box, this page).
After the commotion subsided, the trio was invited to visit Microsoft headquarters in Redmond, Wash., to discuss the possibility of doing internships for the company. Elliot and Morin worked for the company this summer, while Greene accepted a summer internship at Lockheed-Martin in Nashua, N.H.
A native of Fall River, Mass., Greene took a few detours on the road to WPI. After graduating from high school, he attended the University of Massachusetts, Amherst, for a semester before joining the Navy. Five years on an aircraft carrier, including a tour during the Gulf War, convinced him to return to school, and he enrolled at Bristol Community College in 1994. His chemistry professor, Cynthia Hahn, encouraged him to pursue a four-year degree, and so he applied to WPI, where he was accepted in 1996 as a computer engineering major in the Electrical and Computer Engineering Department. His interests are in computer hardware and software design.
After experiencing the isolation, close quarters and regimentation of life on an aircraft carrier, in a potentially life-threatening assignment, there's not much that overwhelms Greene. He says he's managed to keep the hoopla over his discovery of the Internet Explorer bug in perspective. And yet, he says he still finds himself shaking his head from time to time over how the news media went wild over his story. "During that same weekend, there was a flood in Kentucky and Al Gore was having campaign problems," he says. "And we were front page news!"
See also Corollary: Anatomy of a Bug
email@example.com Last Modified: Thu June 10 11:52:04 EDT 1999