Feeds

Hackers exploit MS design flaws

It's a question of trust, you see

  • alert
  • submit to reddit

High performance access to file storage

Bugs in Microsoft software have given rise to a new class of security problem for which antivirus software is completely ineffective. The problem arises because Microsoft decrees that IE can "trust" MS Office 97 programs and it is therefore possible for hackers to slip in something destructive through this route. This design loophole affects Windows 9x and NT, including Windows 2000. Microsoft acknowledged the problem only because of the publicity in a NYT article on Saturday. Andrew Dixon, the group product manager for MS Office, said Microsoft was "working on testing a solution". An AP follow-up revealed that Microsoft expected "to have an Office fix ready as early as Tuesday". These latest bugs involve a DLL in Office 97, where the JET version 3.5 engine "trusts" Office. The problem is not confined to versions of Office with Access, because JET is included with the standard version as well. Microsoft knew about this, and updated JET to version 4 in Windows 2000 to deal with the particular problem. With version 3.5, JET queries to databases can trigger commands to erase files or discs, as a result of a request from Office for data. Microsoft suggested downloading 8 megabytes of JET 4.0, but then withdrew this suggestion. Juan Carlos Cuartango, a programmer who had previously identified problems in IE and Navigator, found that the trust relationship was at fault, and could allow Trojan Horses to gallop in. Dangerous ActiveX controls An second problem is being experienced by users of recent Compaq and HP PCs, with Compaq admitting it and HP in denial. This concerns a digitally-signed applet that can execute programs when directed by a Web page. Even worse -- it is possible to email the applet. Again, Microsoft knew about this, starting with its discovery in November by Frank Farance of Farance Inc, and its more recent rediscovery by Richard Smith of Pharlap on an HP Pavilion last month. Smith pointed out that two ActiveX controls were dangerous, and could be used on a Web page to embed script code in an HTML email in Outlook or even Eudora. The ActiveX controls allow programs to read and write the Windows registry. As a result, Smith noted, a virus of malicious software could be installed; Windows security checking could be switched off; personal files could be read [by Microsoft for example]; documents could be deleted; and systems files could be removed to stop booting. Smith found four different ActiveX controls on the HP from three different vendors compromised security. He suggested that PC makers should take a closer look at the ActiveX controls that they ship with their hardware. Until Microsoft comes clean about all the problems that have been identified, it may be politic for users to switch off ActiveX controls in IE. ®

Top three mobile application threats

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.