The fault detector is itself at fault

It's been said that Microsoft should develop a tool that notifies users of newly discovered flaws and vulnerabilities in its products. My fear is that such a tool will itself (possibly) be flawed. The past two months have seen a Windows 2000 Service Pack followed in very short order by several hot fixes to plug problems caused by installing the service pack. There have also been at least 10 security bulletins and advisories. We've also seen how the RTF file format, long considered the safest document format, has a flaw that can be easily exploited (see Viruswatch, it@tt 3 July 01).

Well, this week sees another alert, also concerning macros, this time in the Word document (.DOC) format. Unlike the RTF glitch, this macro vulnerability also affects the recently released OfficeXP. But there's bad news for readers who, like this former beta tester and current Corporate Preview user, run pre-release versions: the available patches don't work with these versions, only with the final release.

Word 2000 versions, especially those updated with Service Packs 1, 1a, and 2, include a self-checking macro security feature. This was first seen in Word 97. It's also available in WordXP with some additional features. This security check ensures that macros cannot run (execute) directly without explicitly seeking and receiving the user's approval. The feature ensures that even a repeatedly used macro needs the user's permission each time it has to run. The sole exceptions to this rule are macros digitally signed by a trusted party. The Word 97 update even asks for user approval to allow or disable documents with macros. You can also permanently disable macro execution through a core Visual Basic command.

However, the recently discovered flaw allows a macro embedded in a Word document to override the security settings. This permits the macro to run without first seeking user approval. Such a macro gets the user's access rights and can even disable the application's security settings so that documents opened in future are not checked for macros.

The versions affected by the glitch for which updates are available include Word 2002 Gold only; Word 2000; Word 97; Word 2001 for Mac; and Word 98 for Mac. Word 98 for Windows, an intermediate bridge between Word 97 and 2000, was released only in Japanese. A patch is under development.

Corporate Cisco users, please note that devices running Cisco IOS software release 11.3 or later are vulnerable to hacker attacks. This vulnerability (Cisco Bug ID CSCdt93862) is due to the HTTP server component, which allows intruders to execute privileged commands on Cisco routers if local authentication databases are used. All commands will be executed with the highest privilege (level 15). The URL used to launch the attack will be "http://<device address>/level/XX/exec/...", where the value of XX is a number between 16 and 99. The flaw only affects Cisco IOS software. Until you apply an update, please disable the HTTP server or use Terminal Access Controller Access Control System (TACACS+) or RADIUS for authentication.
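
Until the update is applied, proxy or gateway logs can be searched for the URL pattern described above. The following Python code is an added example, not part of the original column or any Cisco tool; the Common Log Format input, the sample lines and the function name `find_suspect_requests` are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Common Log Format) as a proxy in front of router
# management addresses might record them. Paths after /exec/ are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2001:10:01:12 +0800] "GET /level/15/exec/placeholder HTTP/1.0" 401 0
10.0.0.9 - - [03/Jul/2001:10:02:40 +0800] "GET /level/42/exec/placeholder HTTP/1.0" 200 5120
10.0.0.9 - - [03/Jul/2001:10:02:55 +0800] "GET /LEVEL/%39%39/exec/placeholder HTTP/1.0" 200 88
10.0.0.7 - - [03/Jul/2001:10:03:01 +0800] "GET /level/160/exec/placeholder HTTP/1.0" 404 0
10.0.0.7 - - [03/Jul/2001:10:03:09 +0800] "GET /index.html HTTP/1.0" 200 900
"""

# client, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Matched case-insensitively to be conservative (an assumption, not a
# statement about how the IOS HTTP server treats case).
LEVEL_RE = re.compile(r'^/level/(\d+)/exec(?:/|$)', re.IGNORECASE)

def find_suspect_requests(log_text):
    """Return requests whose path is /level/XX/exec/... with 16 <= XX <= 99."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, target, status = m.groups()
        # Drop the query string, undo percent-encoding, collapse repeated slashes
        path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0]))
        lm = LEVEL_RE.match(path)
        if lm and 16 <= int(lm.group(1)) <= 99:
            hits.append({
                "client": client,
                "level": int(lm.group(1)),
                "status": int(status),
                # A 2xx answer means the device served the request
                "served": status.startswith("2"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Level 15 requests are not flagged, since level 15 is the normal highest privilege level; only the 16 to 99 range named in the advisory is reported.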

Finally, a word of warning. Many of us use text chat clients like MSN Messenger, Yahoo Messenger, ICQ, AOL Instant Messenger, and IRC. The first three can save a transcript of the conversation session. While you do need to specifically use a menu command to save the transcript as a .TXT or .DOC file, Yahoo Messenger and ICQ have this feature enabled by default. In a recent incident, a Net company president's private logs were circulated all over the Web. Because these were private, he hadn't explicitly notified the other participants that he was recording the conversations. The resulting uproar has caused the company to prematurely shut down.

I raise this issue because whatever you say or exchange in the course of an Internet chat session may be recorded without your knowledge. Assume that chats are like telephone calls. You don't know what the other person is doing because you can't see them. My advice is to choose your chat partners wisely. And if you must record them, do let them know first. Not doing so may be a breach of privacy. Most importantly, LBE (learn by experience) and don't leave the transcripts lying around in public areas.

Govind Menon