Advertisement
Promo

Security threats Toolkit

MS again slammed on security

Rob Lemos ZDNet.co.uk

Published: 17 May 2000 08:45 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

So much for the friendly assistant. That's the hard lesson learned after last week's discovery of a security hole that subverts the powerful functions of Microsoft Office Assistant.

The hole, which allows an attacker to write a script that can do anything once on a user's computer, gets activated by clicking on a Web page or HTML-enabled email. The script can then add or delete files.

"Because its abilities are marked 'safe for scripting,' anything is possible," said the security researcher that found the hole, a hacker known as "Dildog" who works for the security firm @Stake.

Microsoft has released a patch to fix the permissions on the hole, but users still need to download the patch and update their Office program. Microsoft was not immediately available for comment.

When it debuted, the Office Assistant was dismissed by critics as the equivalent of training wheels for computer newbies. Yet the friendliness of the Office Assistant hides a great deal of power. In fact, it's essentially a back door for Microsoft to allow macros that can take control of a PC and help out users.

That control, however, can be manipulated to hurt users as well. A test program created by @Stake can set the system security to "low" and copy a text document to the hard drive.

"The fact that this control exists and is installed in the particular fashion would permit the construction of a worm of unparalleled devastation," @Stake wrote in its advisory.

While Dildog praised Microsoft for being quick to act in this case, he still criticised the low security of the Windows scripting system.

"You don't mark something safe for scripting unless you are going to let someone activate it remotely," he said. At the heart of the matter is the industry's penchant for marking most security holes as need-to-know information. Most of the time, only company insiders are those considered to have a need to know.

"Microsoft has this habit of keeping people in the dark," Dildog said. "It is totally undocumented control."

In the light of the recent denial of serivce attacks and the ILOVEYOU virus John Dvorak worries that we ain't seen nothin' yet. Go with him to AnchorDesk UK for the news comment.

What do you think? Tell the Mailroom. And read what others have said.

Take me to Hackers

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
48 out of 94 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:












Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters