The Wire @ WPI Online
VOLUME 11, NO. 1     MAY 1997

Eagle-eyed students find security flaw
(and international recognition)
in Microsoft's Internet Explorer

From left, Morin, Greene and Elliott

The headlines from around the world said it all: "WPI students net a big bug"; "Student gives Microsoft a lesson in bug-catching"; "WPI students log on to Microsoft flaw"; "Computer whiz zings Microsoft."

When junior Paul Greene was working on a student project one Friday morning in early March, he had no idea that what he was about to discover would make him known around the world -- along with his two roommates, juniors Brian Morin and Geoffrey Elliott. Greene found a serious security flaw in Microsoft Corp.s Internet Explorer browser used by millions worldwide. The flaw could allow a user to surreptitiously run programs -- even delete files -- on a user's computer with the shortcut technology built into Windows 95 software.

"I immediately saw that this was something that shouldn't be happening and I called my roommates over to look,"said Greene, an electrical engineering major. The two roommates, both computer science majors, immediately recognized the seriousness of the flaw. "It was something that had been there for more than a year,"said Elliott. "I couldn't believe my eyes. We spent several hours seeing what the bug could do and notified Microsoft of the problem."

The company did not respond. "We even sent an e-mail to Bill Gates without success,"said Morin. The students then went public with an announcement on Cybersnot Industries (, their Web site (see accompanying story, page 4), where they included nondestructive examples of how the flaw worked.

By Monday, Microsoft announced that it would begin work immediately on a fix for the problem. By then, the media had descended on the trio. Internet reporters were the first to carry the story on TechWire and Reuters Financial Service, and the Associated Press was not far behind, along with Dow Jones and CBS, which carried the story early Tuesday morning.

Greene, Elliott and Morin were besieged with phone calls from the media; hundreds of e-mail messages stacked up on their accounts. By late Tuesday morning there had been more than 100,000 hits on their Web site. MSNBC called and offered to have a limo pick them up and Web browser flaw drive them into Boston for a network interview. Operating from a studio in Watertown, CNN's Moneyline with Lou Dobbs carried the story worldwide -- with WPI sweatshirts prominently displayed. The Canadian Broadcasting Company and CNBC carried additional TV coverage. The Associated Press sent a photographer to take a photo that ultimately went worldwide. The Boston Globe, The New York Times, Mass High Tech, and the Boston Herald conducted interviews, as did Boston's CBS and NBC TV affiliates, and calls for interviews came in from each of the student's hometown papers. After a photo session and interview at the (Worcester) Telegram & Gazette, the exhausted students were finally dropped off at 8 p.m. at their apartment, where a day's worth of e-mail awaited them, including messages from Microsoft, which gave them the opportunity to test the patch that would correct the problem before releasing it to the public.

What about the aftermath? Greene has been offered an internship; Elliott and Morin have received several potential job offers. "The worst part about the entire episode was that this was finals week at WPI,"say the roommates. "Needless to say we were tired as dogs by the end of the week."

Related Articles

[WPI] [Back] [Top]
Last modified: Tue May 27 11:38:53 EDT 1997