[ISN] Locking Windows Backdoors

From: mea culpa (jerichoDIMENSIONAL.COM)
Date: Wed Sep 01 1999 - 16:47:52 CDT


From: "Noonan, Michael D" <michael.d.noonanintel.com>

Locking Windows' Backdoors
by Declan McCullagh <mailto:declanwired.com>
3:00 a.m. 26.Aug.99.PDT

WASHINGTON, DC -- If you use Microsoft Outlook, be warned. Over a dozen
bugs in Windows 98 let malicious virus writers and meddlesome peeping Toms
view or erase any file on your hard drive.

At a computer security conference Wednesday afternoon, an expert
demonstrated how malcontents can send apparently innocuous email with
hidden commands that -- if opened using certain email programs -- will
give an intruder complete access
<http://www.tiac.net/users/smiths/acctroj/index.htm> to a Windows
computer.

See also: Same Hole, Different Exploit
<http://www.wired.com/news/news/technology/story/20916.html>

"We've got some serious problems here, folks. We've got some really bad
backdoors on the computers we have on our desktops," said Richard Smith,
president of Cambridge, Massachusetts-based Phar Lap Software
<http://www.pharlap.com/>, who identified the person
<http://www.wired.com/news/news/technology/story/19191.html> accused of
writing the Melissa virus.

During his presentation at the 8th Usenix Security Symposium
<http://www.usenix.org/events/sec99/>, Smith demonstrated some new
security flaws he and his collaborators have identified in their spare
time. One recently unearthed and not-yet-fixed Win98 glitch lets an email
opened in Outlook execute any DOS command -- including reformatting your
hard drive or uploading its contents to a remote Web site.

The solution? Consumers could switch to a non-Microsoft operating system.
Another option, Smith suggested, is for customers to begin asking computer
companies to turn off features that let email messages execute other
programs.

"It's prudent to avoid systems in which we can have executable content,"
said Peter Neumann, the conference's keynote speaker and a researcher at
SRI International. "There is no way you can have any assurance whatsoever
that it will work."

Many of the problems security experts have identified stem from the design
choices Microsoft made when developing Windows 95 and 98, which are much
more vulnerable to intrusions than Linux, Unix, or even Macintosh systems.
One gaping security hole is Microsoft's complicated ActiveX technology,
which lets remote Web pages or email messages execute programs that
manufacturers claim are trustworthy. But sometimes they're not. With a
little programming, a nefarious person can send email or create a Web page
that activates ActiveX functions that delete files, modify them, or even
send their contents to any address on the Internet.

As security experts have identified these flaws, Microsoft has tried to
fix them, and Smith said some have been eliminated from early versions of
Windows 2000. But the millions of people using current versions of Windows
98 and Outlook are still at risk, he said, unless they switch off ActiveX.

Not only Microsoft is to blame. Netscape has acknowledged security
glitches in its browser. Unrepaired versions of Qualcomm's Eudora 4 let
<http://www.tiac.net/users/smiths/security/email/bootrap.htm> executable
programs masquerade as links.

Computer makers, too, have been shipping buggy software. Hewlett Packard
has included two ActiveX controls on about 5 million Pavilion computers,
Smith said, that let HTML email messages opened in Outlook or Eudora take
control <http://www.tiac.net/users/smiths/acctroj/hp.htm> of the computer.
An intruder can silently insert a virus, disable security features, view
documents, or crash the system.

Some Compaq Presario computers suffer from a similar security risk
<http://www.tiac.net/users/smiths/acctroj/compaq.htm>. As configured from
the factory, the computers trust all applications provided by Compaq --
one of which can execute whatever program an email message orders it to
run. "Compaq gave every hacker in the world a way to run programs," Smith
said.

To improve the security of Outlook, go to the Security tab in the
program's Options dialog box and select "restricted sites zone." Then, in
the Internet Options Windows control panel, go to "Restricted sites/Custom
level" and scroll down and disable "Active Scripting."
