Information Security News mailing list archives
Microsoft's 'Clippy' a security nightmare?
From: William Knowles <wk () C4I ORG>
Date: Wed, 17 May 2000 12:26:21 -0500
http://www.zdnet.com/zdnn/stories/news/0,4586,2570727,00.html By Rob Lemos, ZDNN May 16, 2000 5:18 PM PT So much for the friendly assistant. That's the hard lesson learned after last week's discovery of a security hole that subverts the powerful functions of Microsoft Office Assistant. The hole, which allows an attacker to write a script that can do anything once on a user's computer, gets activated by clicking on a Web page or HTML-enabled e-mail. The script can then add or delete files. "Because its abilities are marked 'safe for scripting,' anything is possible," said the security researcher that found the hole, a hacker known as "Dildog" who works for the security firm @Stake Inc. MS issues patch, declines comment Microsoft has released a patch to fix the permissions on the hole, but users still need to download the patch and update their Office program. Microsoft was not immediately available for comment. 'The fact that this control exists and is installed in the particular fashion would permit the construction of a worm of unparalleled devastation.'|Security firm @Stake Inc. When it debuted, the Office Assistant -- also known as Clippy, because of its paper clip persona -- was dismissed by critics as the equivalent of training wheels for computer newbies. Yet the friendliness of the Office Assistant hides a great deal of power. In fact, it's essentially a back door for Microsoft to allow macros that can take control of a PC and help out users. That control, however, can be manipulated to hurt users as well. A test program created by @Stake can set the system security to "low" and copy a text document to the hard drive. "The fact that this control exists and is installed in the particular fashion would permit the construction of a worm of unparalleled devastation," @Stake wrote in its advisory. While Dildog praised Microsoftfor being quick to act in this case, he still criticized the low security of the Windows scripting system. "You don't mark something safe for scripting unless you are going to let someone activate it remotely," he said. At the heart of the matter is the industry's penchant for marking most security holes as need-to-know information. Most of the time, only company insiders are those considered to have a need to know. "Microsoft has this habit of keeping people in the dark," Dildog said. "It is totally undocumented control." *-------------------------------------------------* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *-------------------------------------------------* ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Microsoft's 'Clippy' a security nightmare? William Knowles (May 17)