Locking Windows' Backdoors
by Declan McCullagh
3:00 a.m. 26.Aug.99.PDT

WASHINGTON, DC -- If you use Microsoft Outlook, be warned. Over a dozen bugs in Windows 98 let malicious virus writers and meddlesome peeping Toms view or erase any file on your hard drive.

At a computer security conference Wednesday afternoon, an expert demonstrated how malcontents can send apparently innocuous email with hidden commands that -- if opened using certain email programs -- will give an intruder complete access to a Windows computer.

See also: Same Hole, Different Exploit

"We've got some serious problems here, folks. We've got some really bad backdoors on the computers we have on our desktops," said Richard Smith, president of Cambridge, Massachusetts-based Phar Lap Software, who identified the person accused of writing the Melissa virus.

During his presentation at the 8th Usenix Security Symposium, Smith demonstrated some new security flaws he and his collaborators have identified in their spare time.

One recently unearthed and not-yet-fixed Win98 glitch lets an email opened in Outlook execute any DOS command -- including reformatting your hard drive or uploading its contents to a remote Web site.

The solution? Consumers could switch to a non-Microsoft operating system.
Another option, Smith suggested, is for customers to begin asking computer companies to turn off features that let email messages execute other programs.

"It's prudent to avoid systems in which we can have executable content," said Peter Neumann, the conference's keynote speaker and a researcher at SRI International. "There is no way you can have any assurance whatsoever that it will work."

Many of the problems security experts have identified stem from the design choices Microsoft made when developing Windows 95 and 98, which are much more vulnerable to intrusions than Linux, Unix, or even Macintosh systems.

One gaping security hole is Microsoft's complicated ActiveX technology, which lets remote Web pages or email messages execute programs that manufacturers claim are trustworthy. But sometimes they're not.

With a little programming, a nefarious person can send email or create a Web page that activates ActiveX functions that delete files, modify them, or even send their contents to any address on the Internet.

As security experts have identified these flaws, Microsoft has tried to fix them, and Smith said some have been eliminated from early versions of Windows 2000. But the millions of people using current versions of Windows 98 and Outlook are still at risk, he said, unless they switch off ActiveX.

Not only Microsoft is to blame. Netscape has acknowledged security glitches in its browser. Unrepaired versions of Qualcomm's Eudora 4 let executable programs masquerade as links.

Computer makers, too, have been shipping buggy software. Hewlett Packard has included two ActiveX controls on about 5 million Pavilion computers, Smith said, that let HTML email messages opened in Outlook or Eudora take control of the computer. An intruder can silently insert a virus, disable security features, view documents, or crash the system.

Some Compaq Presario computers suffer from a similar security risk.
As configured from the factory, the computers trust all applications provided by Compaq -- one of which can execute whatever program an email message orders it to run.

"Compaq gave every hacker in the world a way to run programs," Smith said.

To improve the security of Outlook, go to the Security tab in the program's Options dialog box and select "restricted sites zone." Then, in the Internet Options Windows control panel, go to "Restricted sites/Custom level" and scroll down and disable "Active Scripting."

Copyright © 1994-99 Wired Digital Inc. All rights reserved.
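The Restricted sites setting from the article's closing procedure can be verified after the fact. Internet Explorer keeps per-zone policies in the registry, where zone 4 is Restricted sites, URL action 1400 is Active scripting, 1200 is running ActiveX controls, and a value of 3 means Disable. The following is an added example, not part of the original article: a Python audit of an exported .reg file that also checks the ActiveX setting, with hypothetical function names and a constructed sample export.

```python
import re

# URL action IDs stored under ...\Internet Settings\Zones\<zone>; zone 4 is
# "Restricted sites". Policy values: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIONS = {"1200": "Run ActiveX controls and plug-ins", "1400": "Active scripting"}
DISABLED = 3
ZONE_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\Internet Settings\\Zones\\(\d)\]$", re.I)
DWORD = re.compile(r'^"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$')

def parse_zones(reg_text):
    """Return {zone_number: {action_id: policy}} from .reg export text."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):          # new key: track it only if it is a zone
            m = ZONE_KEY.match(line)
            current = zones.setdefault(int(m.group(1)), {}) if m else None
        elif current is not None:
            m = DWORD.match(line)
            if m:
                current[m.group(1).upper()] = int(m.group(2), 16)
    return zones

def audit_restricted(reg_text):
    """List findings for zone 4; an empty list means both actions are disabled."""
    zone = parse_zones(reg_text).get(4)
    if zone is None:
        return ["Restricted sites zone (4) not present in export"]
    findings = []
    for action, name in ACTIONS.items():
        policy = zone.get(action)
        if policy is None:
            findings.append(f"{name} ({action}): not set, default applies")
        elif policy != DISABLED:
            findings.append(f"{name} ({action}): policy {policy}, expected {DISABLED}")
    return findings

# Constructed sample export (not from a real machine): scripting left enabled.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
"1400"=dword:00000000
'''
if __name__ == "__main__":
    print("\n".join(audit_restricted(SAMPLE)) or "Restricted sites zone is locked down")
```

The audit only covers the Internet Explorer zone policy; whether Outlook is actually assigned to the Restricted sites zone is a separate setting that this example does not read.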