
Watch Out for Microsoft Vulnerabilities

Joyce Winslow
jwins@oregon.uoregon.edu

In recent months, a number of serious security holes have been reported in several widely used Microsoft products.

A cookie exploit and Active Scripting bug in Internet Explorer 5.5 and 6, a macro protection hole in Excel and PowerPoint, continuing Nimda virus vulnerabilities in Outlook, and a bug in Windows Media Player are all significant liabilities. Below we've summarized the specific problems and their remedies.

IE Liabilities

Cookie exploit. This high-risk vulnerability in Internet Explorer 5.5 and 6 allows attackers to access potentially sensitive user information that's stored by website "cookies," the small text files recorded on your hard drive that collect data such as the IP address of your machine, your operating system, the browser you're using, and other information. These data allow advertisers to "remember" you and the sites you visit, targeting you for advertising.

In response to this problem, Microsoft released a comprehensive patch that is intended to address all known IE 5.5 and 6 vulnerabilities. For complete details on the cookie vulnerability and the patch, see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp

ActiveX security hole. This new vulnerability, which was reported on December 11, led security researcher Georgi Guninski to recommend not using IE, or at the very least disabling Active Scripting.

This bug could allow a hacker to execute malicious code on systems running IE 5.5 and 6.0 by inserting a specially crafted script into a web page or email. Microsoft issued a patch for a similar bug exposed in November, but the patch itself seems to have created the new problem.

Details about the bug are available at http://www.theregister.co.uk/content/55/23557.html and in the article "MS Releases Mother of All IE Security Patches" at http://www.theregister.co.uk/content/55/23410.html

Excel and PowerPoint Security Hole

This vulnerability gives attackers the opportunity to take control of a victim's computer by creating files that bypass macro security and allow macros to execute automatically without user permission. When the victim opens one of these PowerPoint or Excel files, malicious code can then operate in the background undetected.

The patch for this problem is available at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/MS01-050.asp

Outlook Express 6.0 Vulnerabilities

An Outlook Express feature that allows it to automatically execute scripted code even in plain text messages, as well as its well-known problem of allowing concealed attachments, makes this software extremely vulnerable to invasion by malicious code. For details, see http://www.securiteam.com/windowsntfocus/5HP0D1P5FC.html

To avoid these risks, make sure your browser and mail client are configured as follows:

Internet Explorer: Under the Edit menu, choose Preferences and go to "Security Zones." Select "Zone: Restricted Sites zone." Choose "Custom" level security and make sure all the ActiveX options are disabled.

Outlook Express: Go to Options->Security (or "Virus Protection"). Make sure you're using the Restricted Sites security settings.

Outlook: Go to Tools->Options->Security->Secure Content and select the Restricted Sites settings.
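The three steps above only help if the Restricted Sites zone really has ActiveX and Active Scripting disabled and the mail client really points at that zone. The following PowerShell audit script is an added example, not part of the Computing News article or any Microsoft tool. It reads the well-known IE zone registry values (zone 4 = Restricted Sites; action IDs 1001, 1004, 1200, 1201, 1400; data 3 = Disable, 1 = Prompt, 0 = Enable) and, as an assumption for this example, the Outlook 2002 "Security Zone" value under the Office 10.0 key (3 = Restricted sites, 4 = Internet).

```powershell
# Added audit script (not from the article): verify the Restricted Sites zone has its
# ActiveX/Active Scripting actions disabled, and that Outlook uses that zone for mail.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'

# Standard IE URL-action IDs as they appear as value names under the zone key.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}

function Test-RestrictedZoneActiveX {
    # Returns $true only when every listed action is set to Disable (3).
    if (-not (Test-Path $zonePath)) {
        Write-Warning 'Restricted Sites zone key not found; settings may be policy-managed.'
        return $false
    }
    $props = Get-ItemProperty -Path $zonePath
    $allDisabled = $true
    foreach ($id in $actions.Keys) {
        $value = $props.$id
        if ($null -eq $value)  { $state = 'not set (IE default)'; $allDisabled = $false }
        elseif ($value -eq 3)  { $state = 'Disabled' }
        elseif ($value -eq 1)  { $state = 'Prompt';   $allDisabled = $false }
        else                   { $state = "Enabled ($value)"; $allDisabled = $false }
        Write-Host ('{0}  {1,-58} {2}' -f $id, $actions[$id], $state)
    }
    return $allDisabled
}

function Test-OutlookRestrictedZone {
    # ASSUMPTION for this example: Outlook 2002 stores its zone choice here (3 = Restricted sites).
    $olPath = 'HKCU:\Software\Microsoft\Office\10.0\Outlook\Options\General'
    if (-not (Test-Path $olPath)) { Write-Warning 'Outlook 2002 options key not found.'; return $false }
    $zone = (Get-ItemProperty -Path $olPath).'Security Zone'
    Write-Host ('Outlook Security Zone = {0} (3 = Restricted sites, 4 = Internet)' -f $zone)
    return ($zone -eq 3)
}

$ok = (Test-RestrictedZoneActiveX) -and (Test-OutlookRestrictedZone)
Write-Host ("Overall: " + $(if ($ok) { 'settings match the recommendations' } else { 'action needed' }))
```

Run it from the affected user's own session, since the zone and Outlook settings live under HKEY_CURRENT_USER and differ per user.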

Windows Media Player. Late last fall, a vulnerability was discovered in the code of Windows Media Player 6.4 used to play Advanced Streaming Format (ASF) content. This security hole can allow a malicious attacker to take control of a victim's PC via a buffer overrun.

With the exception of those who have Windows XP, Microsoft is urging users of all versions of Windows Media Player (6.4 through 7.1) to download the patch. (Note: Windows XP users are being asked to download an updated version of Media Player instead of using the patch.)

Additional information and links to the software updates are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-056.asp


Winter 2002 Computing News | Computing Center Home Page