Microsoft and Compaq Admit Vulnerability to Security Flawsgreenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread
In the fog of Y2K, who's going to be able to tell which problems are caused by the Y2K bug, which by viruses, which by security breaches, and which by random nutrinos landing in the wrong place?
Microsoft and Compaq Admit Vulnerability to Security Flaws
July 31, 1999
Microsoft and Compaq Admit Vulnerability to Security Flaws
By JOHN MARKOFF and SARA ROBINSON
Microsoft Corp. and Compaq Computer Corp. on Friday confirmed the existence of several significant software security flaws that could enable intruders to gain access to the computers of millions of customers and to damage their data via e-mail or through commands sent from a malicious Web site.
Certain Hewlett-Packard computers are also said by one expert to be vulnerable, but a spokesman for the company said Friday that the company would not confirm the security vulnerability.
The vulnerabilities, which affect computers running Microsoft's Windows operating system and Internet Explorer browser in combination with other programs, are invisible to antivirus programs, illustrating the risks inherent in the growing complexity of today's personal computer software.
Consumers who are at the greatest risk are those running programs shipped as part of Microsoft's Office 97 suite of productivity programs -- Word 97 or Excel 97 -- and owners of certain newer models of computers made by Compaq and Hewlett-Packard that automatically upgrade the manufacturers' own software over the Internet.
A Microsoft official said the company was at work creating a fix for the the newly discovered security holes.
"We take security issues very seriously," said Andrew Dixon, group product manager for Office at Microsoft. "Right now, we are working on testing a solution and steps for customers to take."
The new flaws also raise troubling questions about Microsoft's decision to integrate its Explorer web browser directly into the Windows operating system. That decision is a key issue in the company's antitrust battle with the U.S. Justice Department.
Microsoft has passionately defended the browser integration, asserting that it offers significant consumer benefits.
But a number of computer security experts who are familiar with the newly discovered flaws said that by tightly integrating Web browsing software with its personal computer operating system, Microsoft has greatly complicated the challenge of ensuring that Windows is secure.
"A single operating system and single provider of tools dominates the market," said Doug Tygar, a professor of computer science at the University of California at Berkeley who specializes in computer security. "Because Microsoft is linking all these aspects of computing, all the walls that usually prevent such attacks aren't there."
Reports of flaws were posted on NTbugtraq, a computer security mailing list, over the past two days. There is no evidence that the flaws have been exploited, according to the manufacturers involved.
The flaws involve two separate interactions of programs with the Internet Explorer browser.
The first involves a vulnerability in one version of a "dynamic link library," or DLL file that is part of Microsoft's Office 97 suite. The flaw is believed not to exist in the newly released version, Office 2000.
The office software component, known as JET version 3.5, creates a security vulnerability because Microsoft has configured its Internet Explorer program to "trust" Office programs, including Word, Excel and Powerpoint. These programs can create documents that are themselves powerful programs and that can act as a Trojan Horse, carrying malicious code into a personal computer.
The Jet flaw was first reported by Juan Carlos G. Cuartango, a programmer who has previously discovered several security holes in two browsers -- Microsoft's Internet Explorer and Netscape Navigator.
Although the flawed version of Jet was replaced with a newer version in the last boxes of Office 97 shipped, the original still resides on the hard drives of millions of personal computers.
The new flaw does not involve the small programs call "macros" that have caused Microsoft security headaches in the past. Rather Jet sends queries to various data bases when the Office programs request data. The queries can be used to trigger low-level operating system commands -- including commands that erase files or -------------------------------------------------------------------------------- entire hard drives.
Because of the extensive integration between Office applications and Windows, such a query can be sent on behalf of a cell in a spreadsheet, a field in a word document or other interactive portions of an Office application.
What makes the new flaw especially serious is that anti-virus software does not monitor such queries and therefore would not be effective against an attack.
Microsoft's Dixon said Friday that the company was considering giving users a new alert mechanism that would warn them about data base queries before they were executed.
The second security flaw has to do with the way software shipped with computers from Compaq and Hewlett-Packard -- and possibly other manufacturers -- is designed to interact with the Internet Explorer Web browser. The manufacturers' software, designed to work with the security controls in Internet Explorer 4.0, would enable an intruder to execute arbitrary commands on a computer remotely.
The Compaq security flaw appears particularly serious since it can be spread to other brands of computers. Compaq's Presario computers, which are consumer models, are shipped with a tiny Java program, known as an applet, that has been "digitally signed" a term that means it has been authenticated by Compaq.
This applet is designed to enable Compaq to update programs on a computer over the Internet or other computer networks. But it also has the power to execute programs -- and can be directed to do so by a Web page. The applet can also be sent to other computers via e-mail.
While the existence of this program was posted to a European security mailing list a year ago, a recent bug that exacerbates the problem was discovered by Richard Smith, the president of Pharlap Software, in Cambridge, Mass.
Adding to the problem, Microsoft's integrated Web browser will run any program digitally signed by Compaq, in some cases without warning the user.
While the vulnerable program will run without any warnings only on certain Compaq Presarios in their default configurations, it can also be sent to and temporarily stored on any computer running Windows 95, 98 or NT, according to Smith.
In this case, the browser will pop open a box saying that the browser wants to run a program digitally signed by Compaq Corp. If the user responds by allowing the program to run, it will execute commands on the computer.
| Copyright 1999 The New York Times Company |
-- Alexi (Alexi@not-in-the-dark.com), July 31, 1999
I didn't realize I turned on underlining. How do I turn it off?
-- Alexi (Alexi@not-in-the-dark.com), July 31, 1999.
Consider that the major software companies (Microsoft, Netscape, etc.) make COOKIES possible. Cookies are data sent from a web site that you are browsing, and this data IS WRITTEN ONTO A FILE ON your HARD DRIVE. THAT MEANS A REMOTE SITE HAS CONTROL OF your COMPUTER.
The purpose of cookies is to make "commerce" easier for vendors. The cookies, once stashed on your hard drive, are read by the website the next time you visit it to "better enable them to serve you, by knowing your preferences from previous visits." That means the vendor (web site) can both READ AND WRITE TO YOUR HARD DRIVE. To hell with user's privacy and security.
This means that remote sites, if programmed properly, can read your entire drive, take command of your machine to delete or corrupt files, etc. What's amazing to me is that reports of such damage have been relatively rare.
What this means is that your data should be backed up to floppies (or ZIP drives, tape ...)
One privacy newsletter states flatly that if you use PGP, your keys should not be stored at all on your hard drive, but on floppy. And and sensitive data should be encrypted, even if you never send it to anyone but just on your hard drive for your own use.
-- vbProg (vbProg@MicrosoftAndIntelSuck.com), July 31, 1999.
-- vbProg (vbProg@MIS.com), July 31, 1999.
Help. I didn't realize I turned on underlining. How do I turn it off? -- Alexi Stand back Alexi. I'll teach that dastardly "underline" a lesson it won't soon forget!
BE GONE Ye EVIL LINE!There ya go Alexi. Underlines are easy to perform exorcisms on once ya know the right words to shout. However, should you ever discover that BOLD tries to stick around too long (like it did in the post above mine), just do what vbProg did... Calmly and quietly lean over your computer monitor and whisper; "bold off". Different techniques for different font effects. (Hotlink hint: you used one too many of these thingies "<" in your hotlink code.) Hope you take the above in the spirit it was meant ;-) Those were interesting articles on security flaws by the way. And a good question you posed... In the fog of Y2K, who's going to be able to tell which problems are caused by the Y2K bug, which by viruses, which by security breaches, and which by random nutrinos landing in the wrong place?
BE GONE I SAY OR I SHALL SEND Ye TO THE DEEPEST BOWELS o' HELL!!! _ _ _ _
-- CD (email@example.com), July 31, 1999.
I got a program from Walker Richer & Quinn called "At Guard". Cost was about $25. It's a "firewall" program, and can be set up to warn you if a cookie is being sent to you from the net. You can then choose to allow it or disallow it, either on a one-time or permanent basis. The program also COMPLETELY filters out web banner ads.
-- Dennis (firstname.lastname@example.org), July 31, 1999.
I have found that Cybermedia's GUARD DOG II provides an adaquite cookie blocker. I configure it to prompt me when a cookie is attempting to gain access.
You would NOT BELIEVE the various tracking cookies sent in a typical internet session. I run Guard Dog off line to clean deleted files (which CAN be recovered remotely), remove any cookies which slip by because of other users, and to delete FILES which some clever sites install to get around cookie blockers.
-- K. Stevens (kstevens@It's ALL going away in January.com), July 31, 1999.
[ Fair Use: For Educational/Research Purposes Only ]
7/31/99 -- 7:49 PM
Computer software security flaws could affect millions
SEATTLE (AP) - Flaws in the Microsoft Office software suite could be used by pranksters or cybercrooks through e-mail or rogue Web sites to retrieve, alter or erase data in computers used by millions of people.
Some newer Compaq and Hewlett-Packard computers that can be upgraded automatically over the Internet also contain flaws that could be similarly exploited, but only over the Web, security experts have found.
Attempts to take advantage of either set of vulnerabilities would not be detected or prevented by antivirus software but there is no evidence that such mischief has occurred, said Russ Cooper of Lindsay, Ontario, in a telephone interview Saturday.
Cooper, who runs a Windows NT security mailing list called NTbugtraq, said Microsoft developers expect to have an Office fix ready as early as Tuesday.
Andrew Dixon, group product manager for Office, did not return a call for comment and other knowledgeable Microsoft officials also were unavailable, company spokesman Dan Leach said.
Jeffrey Schiller, computer security chief at the Massachusetts Institute of Technology, said the problems illustrate the pitfalls of upgrading programs over the Web or through e-mail despite the convenience.
``It's not clear to me that it's a wise idea to write all these scripting files ... that let you completely control the computer,'' Schiller said.
Now that the flaws are known, recreational hackers and criminals may well be scrambling to take advantage of them before the fixes are in place, he warned.
The vulnerabilities were first reported Saturday in The New York Times.
Viruses typically have spread through macros, small programs combining a series of commands. A computer user opening e-mail or importing material from a Web site with macros typically is alerted and may disable the macros or reject documents and files that contain them.
The new vulnerability is from a different source.
Last week, Juan Carlos Cuartango, a programmer who previously found security gaps in Microsoft's Internet Explorer and Netscape Navigator, discovered that Internet Explorer and Windows are configured to ``trust'' Word, Excel, Powerpoint and other Office program documents.
They may be used as Trojan Horses to implant malicious code into a computer, triggering low-level operating system commands that could change or destroy files or even an entire hard drive without resorting to macros.
``This is a bug that needs to be fixed, a bug of huge proportions,'' Cooper said. ``The ramifications are quite large.''
Office 2000 and some of the final versions of Office 97 are free from the flaw, but it is present in millions of installed versions of Office 97 and probably also in many older versions, possibly dating as far back as 1992, Cooper said.
Dixon told the Times that Microsoft may offer a mechanism to alert computer users of embedded system commands and data base queries before they are executed.
``We take security issues very seriously,'' he said. ``Right now, we are working on testing a solution and steps for customers to take.''
One Compaq flaw was detected in November by Frank Farance of Farance Inc., an information technology consultant, and rediscovered July 23 by Richard Smith, president of Pharlap Software in Cambridge, Mass.
It involves a Java applet, or small program, that allows the quick upgrade of Compaq Presario computer programs over the Internet.
But the applet also can be directed by a Web page to reveal e-mail lists, release financial records or provide addresses, phone listings and credit card numbers.
Smith said he found a similar problem with some Hewlett-Packard computers. Hewlet-Packard officials would not discuss the matter.
A Compaq spokesman said other computer makers have similar problems and suggested there was little chance that a hacker could make malicious use of the applet.
For now, Compaq plans to instruct users on how to disable the utility for now, then will offer an improved applet that is being designed to prevent breaches.
Buy a Mac ;^)
xxxxxxxxxxxx xxxxxxxxxxxx xxxxxxxxxxxx xxxxxxxxxxxx xxxxxxx
-- Ashton & Leska in Cascadia (email@example.com), July 31, 1999.