happyhamster
05-17-2000, 04:43 PM
Recently, several more security holes have been discovered in Windows. I'm a bit shocked myself, and thought I'd sum it up for others, maybe sparkle some discussion.
The first hole is associated with the infamous ILOVEYOU virus. Many users have been surprised that clicking on an attachment with apparently harmless .vbs extension could cause trouble. The problem affects both Outlook and OutlookExpress. Fix for Outlook has been made available in "just" about 2 weeks. OutlookExpress is still vulnerable btw. The fix, already criticized as technically very poor solution, is to disable processing of several dozens of file types (http://www.officeupdate.microsoft.com/2000/articles/out2ksecFileTypes.htm) in email attachments.
In just a few days, another vulnerability was discovered, involving cookies. Basically, if you visit the attacker's site, IE can be tricked into sending your cookie for any particular site to the attacker. It opens up quite a few fun abuses, from impersonating you at any web service that uses cookies for identification, to simply verifying the fact that you visited that site. The same guy who discovered this one used this hole with some shortcomings of Hotmail to access Hotmail accounts. No fixes for this one yet, but Hotmail hole has been shut.
To add to the fun, today <A HREF="http://www.zdnet.com/zdnn/stories/news/0,4586,2570727,00.html" TARGET=_blank>
yet another hole</A> has been discovered. You're vulnerable if you installed the latest-n-greatest Office 2000. It turns out that this dancing Mr.Clippy from the programming point of view is an undocumented ActiveX control with broad access rights on the machine, including HD access and such. The bad part is that it can be accessed through scripting by any web page and even by HTML-enabled email read in Outlook. Some of the feasible scenarios are that you try reading(just reading) an email, and it wipes out you HD, or plants Black Orifice. At least M$ was quick to plug this hole, so fix is available already.
No conclusion, just some food for thought.
The first hole is associated with the infamous ILOVEYOU virus. Many users have been surprised that clicking on an attachment with apparently harmless .vbs extension could cause trouble. The problem affects both Outlook and OutlookExpress. Fix for Outlook has been made available in "just" about 2 weeks. OutlookExpress is still vulnerable btw. The fix, already criticized as technically very poor solution, is to disable processing of several dozens of file types (http://www.officeupdate.microsoft.com/2000/articles/out2ksecFileTypes.htm) in email attachments.
In just a few days, another vulnerability was discovered, involving cookies. Basically, if you visit the attacker's site, IE can be tricked into sending your cookie for any particular site to the attacker. It opens up quite a few fun abuses, from impersonating you at any web service that uses cookies for identification, to simply verifying the fact that you visited that site. The same guy who discovered this one used this hole with some shortcomings of Hotmail to access Hotmail accounts. No fixes for this one yet, but Hotmail hole has been shut.
To add to the fun, today <A HREF="http://www.zdnet.com/zdnn/stories/news/0,4586,2570727,00.html" TARGET=_blank>
yet another hole</A> has been discovered. You're vulnerable if you installed the latest-n-greatest Office 2000. It turns out that this dancing Mr.Clippy from the programming point of view is an undocumented ActiveX control with broad access rights on the machine, including HD access and such. The bad part is that it can be accessed through scripting by any web page and even by HTML-enabled email read in Outlook. Some of the feasible scenarios are that you try reading(just reading) an email, and it wipes out you HD, or plants Black Orifice. At least M$ was quick to plug this hole, so fix is available already.
No conclusion, just some food for thought.