                              Locking Windows' Backdoors
                              by Declan McCullagh

                              3:00 a.m.  26.Aug.99.PDT

                              WASHINGTON, DC -- If you
                              use Microsoft Outlook, be
                              warned. Over a dozen bugs
                              in Windows 98 let malicious
                              virus writers and
                              meddlesome peeping Toms
                              view or erase any file on
                              your hard drive.

                              At a computer security
                              conference Wednesday
                              afternoon, an expert
                              demonstrated how
                              malcontents can send
                              apparently innocuous email
                              with hidden commands that
                              -- if opened using certain
                              email programs -- will give
                              an intruder complete access
                              to a Windows computer.

                              "We've got some serious
                              problems here, folks. We've
                              got some really bad
                              backdoors on the computers
                              we have on our desktops,"
                              said Richard Smith,
                              president of Cambridge,
                              Massachusetts-based Phar
                              Lap Software, who
                              identified the person
                              accused of writing the
                              Melissa virus.

                              During his presentation at
                              the 8th Usenix Security
                              Symposium, Smith
                              demonstrated some new
                              security flaws he and his
                              collaborators have
                              identified in their spare
                              time. One recently
                              unearthed and not-yet-fixed
                              Win98 glitch lets an email
                              opened in Outlook execute
                              any DOS command --
                              including reformatting your
                              hard drive or uploading its
                              contents to a remote Web
                              site.

                              The solution? Consumers
                              could switch to a
                              non-Microsoft operating
                              system. Another option,
                              Smith suggested, is for
                              customers to begin asking
                              computer companies to turn
                              off features that let email
                              messages execute other
                              programs.

                              "It's prudent to avoid
                              systems in which we can
                              have executable content,"
                              said Peter Neumann, the
                              conference's keynote
                              speaker and a researcher at
                              SRI International. "There
                              is no way you can have any
                              assurance whatsoever that
                              it will work."

                              Many of the problems
                              security experts have
                              identified stem from the
                              design choices Microsoft
                              made when developing
                              Windows 95 and 98, which
                              are much more vulnerable to
                              intrusions than Linux,
                              Unix, or even Macintosh
                              systems.

                              One gaping security hole is
                              Microsoft's complicated
                              ActiveX technology, which
                              lets remote Web pages or
                              email messages execute
                              programs that manufacturers
                              claim are trustworthy. But
                              sometimes they're not. With
                              a little programming, a
                              nefarious person can send
                              email or create a Web page
                              that activates ActiveX
                              functions that delete
                              files, modify them, or even
                              send their contents to any
                              address on the Internet.

                              As security experts have
                              identified these flaws,
                              Microsoft has tried to fix
                              them, and Smith said some
                              have been eliminated from
                              early versions of Windows
                              2000. But the millions of
                              people using current
                              versions of Windows 98 and
                              Outlook are still at risk,
                              he said, unless they switch
                              off ActiveX.

                              Not only Microsoft is to
                              blame. Netscape has
                              acknowledged security
                              glitches in its browser.
                              Unrepaired versions of
                              Qualcomm's Eudora 4 let
                              executable programs
                              masquerade as links.

                              Computer makers, too, have
                              been shipping buggy
                              software. Hewlett Packard
                              has included two ActiveX
                              controls on about 5 million
                              Pavilion computers, Smith
                              said, that let HTML email
                              messages opened in Outlook
                              or Eudora take control of
                              the computer. An intruder
                              can silently insert a
                              virus, disable security
                              features, view documents,
                              or crash the system.

                              Some Compaq Presario
                              computers suffer from a
                              similar security risk. As
                              configured from the
                              factory, the computers
                              trust all applications
                              provided by Compaq -- one
                              of which can execute
                              whatever program an email
                              message orders it to run.

                              "Compaq gave every hacker
                              in the world a way to run
                              programs," Smith said.

                              To improve the security of
                              Outlook, go to the Security
                              tab in the program's
                              Options dialog box and
                              select "restricted sites
                              zone." Then, in the
                              Internet Options Windows
                              control panel, go to
                              "Restricted sites/Custom
                              level" and scroll down and
                              disable "Active Scripting."

                              Copyright  1994-99 Wired
                              Digital Inc. All rights
                              reserved.
