Feeds

Hackers exploit MS design flaws

It's a question of trust, you see

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Bugs in Microsoft software have given rise to a new class of security problem for which antivirus software is completely ineffective. The problem arises because Microsoft decrees that IE can "trust" MS Office 97 programs and it is therefore possible for hackers to slip in something destructive through this route. This design loophole affects Windows 9x and NT, including Windows 2000. Microsoft acknowledged the problem only because of the publicity in a NYT article on Saturday. Andrew Dixon, the group product manager for MS Office, said Microsoft was "working on testing a solution". An AP follow-up revealed that Microsoft expected "to have an Office fix ready as early as Tuesday". These latest bugs involve a DLL in Office 97, where the JET version 3.5 engine "trusts" Office. The problem is not confined to versions of Office with Access, because JET is included with the standard version as well. Microsoft knew about this, and updated JET to version 4 in Windows 2000 to deal with the particular problem. With version 3.5, JET queries to databases can trigger commands to erase files or discs, as a result of a request from Office for data. Microsoft suggested downloading 8 megabytes of JET 4.0, but then withdrew this suggestion. Juan Carlos Cuartango, a programmer who had previously identified problems in IE and Navigator, found that the trust relationship was at fault, and could allow Trojan Horses to gallop in. Dangerous ActiveX controls An second problem is being experienced by users of recent Compaq and HP PCs, with Compaq admitting it and HP in denial. This concerns a digitally-signed applet that can execute programs when directed by a Web page. Even worse -- it is possible to email the applet. Again, Microsoft knew about this, starting with its discovery in November by Frank Farance of Farance Inc, and its more recent rediscovery by Richard Smith of Pharlap on an HP Pavilion last month. Smith pointed out that two ActiveX controls were dangerous, and could be used on a Web page to embed script code in an HTML email in Outlook or even Eudora. The ActiveX controls allow programs to read and write the Windows registry. As a result, Smith noted, a virus of malicious software could be installed; Windows security checking could be switched off; personal files could be read [by Microsoft for example]; documents could be deleted; and systems files could be removed to stop booting. Smith found four different ActiveX controls on the HP from three different vendors compromised security. He suggested that PC makers should take a closer look at the ActiveX controls that they ship with their hardware. Until Microsoft comes clean about all the problems that have been identified, it may be politic for users to switch off ActiveX controls in IE. ®

Security for virtualized datacentres

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Lawyers mobilise angry mob against Apple over alleged 2011 Macbook Pro crapness
We suffered 'random bouts of graphical distortion' - fanbois
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Verizon bankrolls tech news site, bans tech's biggest stories
No agenda here. Just don't ever mention Net neutrality or spying, ok?
Inside the EYE of the TORnado: From Navy spooks to Silk Road
It's hard enough to peel the onion, are you hard enough to eat the core?
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.