
Recent security exploits in Microsoft software


Microsoft has been plagued by security vulnerabilities this year, with many cropping up just in the past month. Recent security exploits and viruses that have hit Microsoft software include:

January:

-- Finjan Software reported a real-world example of an exploit, dubbed the Russian New Year attack, which Finjan said a Microsoft patch issued in December had not adequately resolved. The exploit used Excel's CALL function: a spreadsheet received by e-mail or fetched from a Web page (for example through an HTML link the user clicked) could run arbitrary code as soon as it was opened, giving the attacker access to the user's files.

February:

-- A macro virus, dubbed Triplicate because it infects Word, Excel and PowerPoint files, was reported to exploit a weakness in Word 97 and was spreading through Office 97 files over the Internet.

-- A Word 97 macro virus named Ethan was discovered arriving as an e-mail attachment. Once an infected document was opened, the virus copied itself into the Word template and from there into every Word document the user subsequently worked on; in about 30% of infected documents it also changed the document title to Ethan Frome. Ironically, the macro removed the W97M/Class virus if it found it present.

March:

-- The fast-spreading Melissa virus arrived, moving so quickly that some companies temporarily shut down their e-mail systems and Microsoft closed its Internet mail gateway. The virus came as an e-mail carrying a Word document with the macro virus embedded. The attachment looked innocuous, but when it was opened the macro mailed a copy of the document to the first 50 entries in the infected user's address book.

-- A Melissa variant, dubbed Papa, was discovered later. It travelled the same way as Melissa but as an Excel spreadsheet, sent itself to the first 60 entries in the user's address book instead of 50, and sent a new batch of mail every time the virus was activated rather than only once. The subject line claimed the message came from "all.net and Fred Cohen." The virus could also bring a network down by repeatedly pinging an external site to check that an Internet connection was available.

April:

-- The Chernobyl virus, CIH 1.2, hit mostly Windows 95 and 98 users in Europe and Asia. Its payload overwrote the flash BIOS and wiped out the hard disk's contents; once it had triggered, an infected computer would not boot even from a floppy disk and stayed unusable until the BIOS was reprogrammed or the chip replaced. Some variants trigger on the 26th of every month, but the widespread 1.2 variant does its damage on April 26, the anniversary of the 1986 nuclear accident at Chernobyl in the Soviet Union.

May:

-- WebTrends discovered a security hole in Internet Information Server (IIS) and Site Server that could expose sensitive files on a server to anyone with a remote browser. The vulnerability, which did not let attackers change or add files, was caused by the default settings of three code-viewing tools: they installed sample Active Server Pages without proper access control list settings, so the sample pages could be used to read files they were never meant to show.

June:

-- A virus called W97M/Heathen.A, which originally spread from a newsgroup, was found to replicate across Word 97 files without destroying data.

-- The highly destructive W32/ExploreZip worm wreaked havoc by erasing Office documents on local and network drives, reportedly infecting tens of thousands of Outlook and Exchange users and forcing several large companies to shut down their mail servers temporarily and Microsoft to close its Internet gateway. It arrived as an executable e-mail attachment; once run, it replied to every message the user received with a copy of itself, which is how it spread from one mailbox to the next.

-- eEye Digital Security Team beat Microsoft to posting a patch for a security hole in Internet Information Server that allowed an attacker to take control of any Windows NT-based Web server running IIS and, in some cases, the network it was attached to.

July:

-- The Cult of the Dead Cow hacker group released Back Orifice 2000 (BO2K), an update of its Trojan horse program that lets an intruder take control of Windows machines, now including NT, without the user's knowledge. The group said it released the software to force Microsoft to improve the security of NT.

-- In a controversial move, eEye released to the public what was reported at the time as the first NT buffer overflow exploit, leaving open to attack any default installation of NT Server 4.0 with IIS 4.0 and Service Pack 4 or 5. The vulnerability lay in how IIS and the DLLs it used handled application mapping for .htr, .stm and .idc files: ism.dll, which handles .htr requests, copied the requested file name into a fixed-size buffer without checking its length. A request for a file name longer than that buffer overflowed it, placing the attacker's data, including code, in memory where it was then executed in the Web server's process.

August:

-- A virus dubbed the Christmas virus, because it was set to activate on Christmas Day (December 25), was reported. Also known as Win32.Kriz, Win32.Kriz.3740 or Win32.Kriz.3862, it replicated on Windows 95, 98 and NT systems and could infect files as they were copied, opened or moved. On its trigger date it cleared the CMOS settings, overwrote the data in every file on every available drive and corrupted the flash BIOS, leaving users unable to boot their computers properly or control the cursor. It also displayed a very Scrooge-like anti-religious message.

-- L0pht Heavy Industries announced an exploit affecting Windows 95, 98 and 2000 as well as SunOS and Solaris 2.6 running the ICMP Router Discovery Protocol, or IRDP, with which a host learns its default gateway from router advertisements on the local network. Because those advertisements are not authenticated, an attacker, typically one on the same network segment, could advertise his own machine as the preferred router and then intercept the victim's outgoing traffic, modify it or simply drop it, denying service. L0pht caused a controversy by releasing the source code of a program that exploited the hole.
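
The advertisement L0pht's program sent is not reproduced here. As an added example that is not from the article or from L0pht, the C code below builds an RFC 1256 ICMP Router Advertisement the way a rogue host on the LAN would, with the highest possible preference, and applies the checks a careful receiver can make before honouring it. The addresses, preference values and lifetime are constructed, and nothing is put on the wire.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ROUTER_ADVERT 9
#define ADVERT_LEN 16                 /* 8-byte header + one 8-byte entry */
#define PREF_DO_NOT_USE INT32_MIN     /* RFC 1256: lowest value, never select */

struct router_advert { uint32_t router; int32_t preference; uint16_t lifetime; };

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 1071 Internet checksum over the whole ICMP message. Verifying a received
 * message means summing it with the checksum field in place: a valid one sums to 0. */
static uint16_t inet_checksum(const uint8_t *d, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += (uint32_t)d[i] << 8 | d[i + 1];
    if (n & 1) sum += (uint32_t)d[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build a one-entry Router Advertisement. This is all an attacker needs: the
 * message is not authenticated, so router address and preference are his to choose. */
size_t build_router_advert(uint8_t out[ADVERT_LEN], uint32_t router,
                           int32_t preference, uint16_t lifetime) {
    memset(out, 0, ADVERT_LEN);
    out[0] = ICMP_ROUTER_ADVERT;          /* type */
    out[1] = 0;                           /* code */
    out[4] = 1;                           /* number of router addresses */
    out[5] = 2;                           /* 32-bit words per entry */
    out[6] = (uint8_t)(lifetime >> 8);    /* seconds the entry stays valid */
    out[7] = (uint8_t)lifetime;
    put32(out + 8, router);
    put32(out + 12, (uint32_t)preference);
    uint16_t sum = inet_checksum(out, ADVERT_LEN);   /* bytes 2-3 are zero here */
    out[2] = (uint8_t)(sum >> 8);
    out[3] = (uint8_t)sum;
    return ADVERT_LEN;
}

/* Receiver-side checks a careful host applies: type, code, checksum, entry layout,
 * and RFC 1256's rule that the advertised router must be on the receiving
 * interface's subnet. Returns 1 and fills *a when the message passes. */
int accept_router_advert(const uint8_t *msg, size_t len, uint32_t local_ip,
                         uint32_t netmask, struct router_advert *a) {
    if (len < 8 || msg[0] != ICMP_ROUTER_ADVERT || msg[1] != 0) return 0;
    if (inet_checksum(msg, len) != 0) return 0;
    uint8_t n = msg[4], words = msg[5];
    if (n < 1 || words < 2 || len < 8 + (size_t)n * words * 4) return 0;
    uint32_t router = get32(msg + 8);
    if ((router & netmask) != (local_ip & netmask)) return 0;
    a->router = router;
    a->preference = (int32_t)get32(msg + 12);
    a->lifetime = (uint16_t)(msg[6] << 8 | msg[7]);
    return 1;
}

/* Gateway selection: the higher signed preference wins; INT32_MIN means "never use". */
int advert_replaces_gateway(const struct router_advert *cand, int32_t current_pref) {
    return cand->preference != PREF_DO_NOT_USE && cand->preference > current_pref;
}

/* Constructed scenario: host 10.0.0.20/24 whose real gateway 10.0.0.1 advertises
 * preference 0; the attacker at 10.0.0.99 advertises itself at INT32_MAX. */
#define LOCAL_IP 0x0a000014u
#define NETMASK  0xffffff00u

int scenario_rogue_advert_accepted(void) {
    uint8_t m[ADVERT_LEN]; struct router_advert a;
    build_router_advert(m, 0x0a000063u, INT32_MAX, 1800);
    return accept_router_advert(m, ADVERT_LEN, LOCAL_IP, NETMASK, &a)
        && advert_replaces_gateway(&a, 0);
}
int scenario_corrupted_advert_rejected(void) {
    uint8_t m[ADVERT_LEN]; struct router_advert a;
    build_router_advert(m, 0x0a000063u, INT32_MAX, 1800);
    m[13] ^= 0x01;                        /* one bit changed in transit */
    return !accept_router_advert(m, ADVERT_LEN, LOCAL_IP, NETMASK, &a);
}
int scenario_off_subnet_advert_rejected(void) {
    uint8_t m[ADVERT_LEN]; struct router_advert a;
    build_router_advert(m, 0xc0a80101u, INT32_MAX, 1800);   /* 192.168.1.1 */
    return !accept_router_advert(m, ADVERT_LEN, LOCAL_IP, NETMASK, &a);
}

int main(void) {
    printf("rogue on-link advert accepted and preferred: %d\n", scenario_rogue_advert_accepted());
    printf("corrupted advert rejected: %d\n", scenario_corrupted_advert_rejected());
    printf("off-subnet router rejected: %d\n", scenario_off_subnet_advert_rejected());
    return 0;
}
```

The corrupted and off-subnet cases are rejected, but the first scenario is the point: an attacker on the segment passes every check a receiver can make, because the preference field is his to set. That is why the practical remedy is to turn router discovery off on hosts that do not need it rather than to filter advertisements.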

-- A new IIS exploit resulted from a weakness in the Remote Data Service component of Microsoft Data Access Components. The vulnerability had been described in a Microsoft Security Bulletin nearly a year earlier, but it drew wide attention only after a ready-made exploit was published in August.

-- Microsoft admitted that its MSN Messenger instant messaging software contained a flaw that exposed a user's e-mail password. Anyone with access to another person's computer could read and send mail from that person's Hotmail account without their knowledge; the user's e-mail name and password were exposed if the Hotmail page was stopped while loading.

-- Microsoft acknowledged security holes in Office 97 and Office 2000, first reported in July, related to its Jet data access engine. The flaws let code contained in an Excel 97 worksheet, hidden in a Web page or sent by e-mail, delete data, read files or plant viruses. The researcher who discovered the hole claimed Microsoft's fix was not adequate.

-- Microsoft acknowledged a security flaw in Windows NT 4.0 with Service Pack 4 that let attackers masquerade as trusted hosts. The problem, described as predictable IP sequence numbering, was that the initial sequence numbers NT chose for new TCP connections could be guessed, so an attacker who spoofed the address of a trusted host could complete a TCP handshake and gain access without ever seeing the server's replies.
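
Why a guessable initial sequence number is enough to forge a connection is easier to see in code. The C example below is added here and is not from the article or from Microsoft; the "server" is a constructed model that hands out ISNs by adding a fixed step per connection (NT 4.0 SP4's real generator is not reproduced), and the randomised sample is a hard-coded constructed list so the run is reproducible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a weak ISN generator: each new connection gets the
 * previous ISN plus a fixed step. Stand-in only, not the NT 4.0 SP4 code. */
struct weak_isn_gen { uint32_t last; uint32_t step; };

uint32_t weak_next_isn(struct weak_isn_gen *g) {
    g->last += g->step;
    return g->last;
}

/* Attacker: two ISNs observed on its own legitimate connections are enough to
 * recover the step and predict the ISN of the server's next connection. */
uint32_t predict_next_isn(uint32_t seen_a, uint32_t seen_b) {
    return seen_b + (seen_b - seen_a);   /* wraps mod 2^32, as TCP sequence space does */
}

/* Defender: count distinct deltas in a run of consecutive ISNs. 1 means a pure
 * counter; a value near n-1 is what a randomised generator gives. */
size_t distinct_isn_deltas(const uint32_t *isn, size_t n) {
    size_t distinct = 0;
    for (size_t i = 1; i < n; i++) {
        uint32_t d = isn[i] - isn[i - 1];
        int seen = 0;
        for (size_t j = 1; j < i && !seen; j++)
            seen = (isn[j] - isn[j - 1]) == d;
        if (!seen) distinct++;
    }
    return distinct;
}

/* The blind handshake: the attacker sends a SYN with the trusted host's source
 * address, never sees the SYN-ACK (it goes to the real trusted host), and sends
 * ACK = guessed ISN + 1. The server accepts the handshake only if that matches. */
int blind_spoof_succeeds(uint32_t server_isn_unseen, uint32_t guessed_isn) {
    uint32_t attacker_ack = guessed_isn + 1;
    return attacker_ack == server_isn_unseen + 1;
}

int scenario_counter_isn_spoofed(void) {
    struct weak_isn_gen srv = { 0x1f3a9c00u, 128000u };   /* constructed values */
    uint32_t a = weak_next_isn(&srv);      /* attacker's own connection #1 */
    uint32_t b = weak_next_isn(&srv);      /* attacker's own connection #2 */
    uint32_t guess = predict_next_isn(a, b);
    uint32_t real = weak_next_isn(&srv);   /* SYN-ACK for the spoofed SYN, unseen */
    return blind_spoof_succeeds(real, guess);
}

/* Constructed sample from a generator with unpredictable per-connection increments. */
const uint32_t RANDOMISED_ISNS[] = { 0x3b8f2a10u, 0x9c04e7ffu, 0x1d72b6a3u, 0xe8a0c415u };

int scenario_randomised_isn_resists(void) {
    uint32_t guess = predict_next_isn(RANDOMISED_ISNS[1], RANDOMISED_ISNS[2]);
    return !blind_spoof_succeeds(RANDOMISED_ISNS[3], guess);
}

int main(void) {
    uint32_t sample[5];
    struct weak_isn_gen srv = { 0x1f3a9c00u, 128000u };
    for (size_t i = 0; i < 5; i++) sample[i] = weak_next_isn(&srv);
    printf("distinct deltas, counter generator:    %zu\n", distinct_isn_deltas(sample, 5));
    printf("distinct deltas, randomised sample:    %zu\n", distinct_isn_deltas(RANDOMISED_ISNS, 4));
    printf("blind spoof against counter succeeds:  %d\n", scenario_counter_isn_spoofed());
    printf("blind spoof against randomised fails:  %d\n", scenario_randomised_isn_resists());
    return 0;
}
```

The attacker never receives a byte from the server; everything rides on the guess, which is why the fix is to make the increment between connections unpredictable rather than to hide the current value.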

-- A new security hole in an ActiveX control that ships with Internet Explorer 5.0 was discovered; it allowed arbitrary programs to run on a user's computer when the user visited a Web page or received Outlook e-mail. An attacker could use the control to create new files or overwrite existing ones, but would need to know the exact location of the target files to take advantage of the hole.

-- Researchers at Xerox PARC and Princeton University discovered a security flaw in Microsoft's Java virtual machine (JVM) that let an attacker embed a hostile applet in an HTML page. The bug allowed the attack applet to be delivered over the Web through Internet Explorer or by e-mail through Outlook or any other mail program that uses Microsoft's JVM. Once running, the applet could read, modify or destroy any data on the computer, plant a virus or even install software to spy on the user's future online activity.

-- A Hotmail breach was publicized; it exposed the accounts of about 40 million users of the free e-mail service by letting anyone log in to an account by typing in the user name and a fake password. Microsoft fixed the breach the day it made headlines and later agreed to have an outside firm check the security of the fix. A group called Hackers Unite claimed responsibility, saying it publicized the breach to point out weaknesses in Microsoft's Hotmail service.

September:

-- Network Associates Inc. announced the so-called "Thursday virus," which affects Word 97 and is designed to delete all files on the user's C: drive on Dec. 13. The virus, also known as W97M/Thursday and Thus.A, infects the Normal.dot template and turns off Word's macro warning. It was found to have spread through financial institutions in the U.S. and several European countries including Germany, Ireland, France and Switzerland.

-- Microsoft said it had corrected an auto-logon feature in Windows 2000 Beta 3 that was designed to let a system start without a password but could have let an attacker with physical or Telnet access find the name of the person logged on to the computer and silently log in as that default user.

-- Microsoft said it was developing a patch for a vulnerability in IE 5's ImportExportFavorites method that could let a Web site operator run malicious executable code on the computer of anyone visiting the site. Until the patch was ready, Microsoft advised users to disable Active Scripting in IE 5.

-- Microsoft announced that unattended installations of Windows NT 4.0 Workstation or Server can leave a copy of the file containing the installation parameters on the hard drive. Any user able to log on interactively could read this file, which may contain sensitive information such as the local administrator password.

-- Microsoft released a patch for a vulnerability in the Telnet client that ships with Windows 95 and 98 and that could let arbitrary code run on the user's computer when the user visited a Web page. The client has an unchecked buffer in the code that handles its command-line argument; a Web page that launches the client with an overlong argument, through a telnet: link for instance, can exploit this classic buffer overrun to run code of the attacker's choosing.
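
The ism.dll overflow reported in July and this Telnet client overrun are the same defect class: a fixed-size buffer filled from an attacker-chosen string with no length check. The C code below is an added example, not code from the article, from eEye or from Microsoft; it models the .htr application mapping the July item describes with an assumed buffer size and an assumed file name, and shows the unchecked copy beside the bounded version.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* assumed size of the handler's local buffer, not IIS's real figure */

/* Application mapping as the article describes it: the extension of the
 * requested file selects the DLL that handles the request. Only the .htr
 * mapping named in the text is modelled. */
static const char *map_extension(const char *name) {
    const char *dot = strrchr(name, '.');
    if (dot != NULL && strcmp(dot, ".htr") == 0) return "ism.dll";
    return NULL;
}

/* VULNERABLE pattern (the shape of the ism.dll and Telnet client defects): the
 * caller-supplied name is copied into a fixed stack buffer with no length check.
 * A name of NAME_BUF bytes or more runs past the buffer into the saved frame
 * pointer and return address. Never call this with untrusted input. */
int handle_request_unchecked(const char *requested_name) {
    char name[NAME_BUF];
    strcpy(name, requested_name);
    return map_extension(name) != NULL;
}

/* Hardened version: measure first, reject anything that cannot fit with its
 * terminator, then copy exactly that many bytes. Returns -1 when rejected,
 * 1 when the name maps to a handler, 0 when it does not. */
int handle_request_checked(const char *requested_name) {
    char name[NAME_BUF];
    size_t len = strlen(requested_name);
    if (len >= sizeof name) return -1;
    memcpy(name, requested_name, len + 1);
    return map_extension(name) != NULL;
}

/* Would this request overrun the fixed buffer in the unchecked handler? */
int request_overflows(const char *requested_name) {
    return strlen(requested_name) >= NAME_BUF;
}

/* Build the shape of request the July exploit used: a long run of filler with
 * the .htr extension at the end so the mapping still routes it to ism.dll.
 * `out` must have room for total + 1 bytes; total must be at least 4. */
void build_long_htr_name(char *out, size_t total) {
    memset(out, 'A', total - 4);
    memcpy(out + total - 4, ".htr", 5);
}

int scenario_long_htr_rejected(void) {
    char attack[301];
    build_long_htr_name(attack, 300);
    return handle_request_checked(attack) == -1 && request_overflows(attack);
}
int scenario_short_htr_mapped(void) {
    return handle_request_checked("sample.htr") == 1;   /* constructed file name */
}

int main(void) {
    printf("sample.htr -> %d (1 = mapped to ism.dll)\n", handle_request_unchecked("sample.htr"));
    printf("300-byte .htr name rejected by checked handler: %d\n", scenario_long_htr_rejected());
    return 0;
}
```

In a real exploit the filler is not all 'A's: the bytes that land on the saved return address point back into the buffer, and the buffer holds the attacker's code. The fix is always the same: know the buffer's size, compare before copying, and refuse or truncate, never copy first.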

-- Microsoft released a patch for a vulnerability in Site Server and Commercial Internet System that could let a Web site visitor inadvertently receive another customer's data. The problem arose when the site identified customers solely by a GUID (Globally Unique Identifier) assigned to the browser and an Internet gateway cached Web pages through a proxy server: the proxy stored a page generated for one customer and served the same copy to the next visitor who requested the same URL.
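
The leak is a property of the proxy, not of the GUID. The C example below is added here and is not from the article or from Microsoft: it models a shared proxy cache keyed on URL alone, an origin server that picks the customer by GUID, and the difference between a response with no caching directive and one marked Cache-Control: private. The URL, the GUID values and the customer names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8

struct origin_response { const char *headers; const char *body; };
struct cache_entry { const char *url; const char *body; };
struct shared_cache { struct cache_entry e[MAX_ENTRIES]; size_t n; };

/* A shared cache may store a response unless the origin says otherwise. Only the
 * two directives that matter here are recognised, by plain substring match. */
int shared_cache_may_store(const char *headers) {
    return strstr(headers, "Cache-Control: private") == NULL
        && strstr(headers, "Cache-Control: no-store") == NULL;
}

/* Constructed origin server: the customer is identified by the GUID the browser
 * presents and the page is rendered for that customer. mark_private selects the
 * corrected behaviour, a response carrying Cache-Control: private. */
struct origin_response origin_fetch(const char *url, const char *guid, int mark_private) {
    struct origin_response r;
    (void)url;                                /* one page in this model */
    r.headers = mark_private
        ? "Content-Type: text/html\r\nCache-Control: private\r\n"
        : "Content-Type: text/html\r\n";
    if (strcmp(guid, "a1b2-alice") == 0)      r.body = "Order history for Alice";
    else if (strcmp(guid, "c3d4-bob") == 0)   r.body = "Order history for Bob";
    else                                      r.body = "Unknown customer";
    return r;
}

/* Caching proxy in front of the site. The cache is keyed on the URL alone; the
 * requester's GUID plays no part in the lookup, which is exactly the problem. */
const char *proxy_get(struct shared_cache *c, const char *url, const char *guid, int mark_private) {
    for (size_t i = 0; i < c->n; i++)
        if (strcmp(c->e[i].url, url) == 0) return c->e[i].body;   /* hit, whoever is asking */
    struct origin_response r = origin_fetch(url, guid, mark_private);
    if (shared_cache_may_store(r.headers) && c->n < MAX_ENTRIES) {
        c->e[c->n].url = url;
        c->e[c->n].body = r.body;
        c->n++;
    }
    return r.body;
}

/* Scenario: Alice views her orders, then Bob requests the same URL through the
 * same proxy with his own GUID. Returns 1 if Bob is shown Alice's page. */
int bob_sees_alice(int mark_private) {
    struct shared_cache c;
    memset(&c, 0, sizeof c);
    proxy_get(&c, "/account/orders.asp", "a1b2-alice", mark_private);
    const char *bob = proxy_get(&c, "/account/orders.asp", "c3d4-bob", mark_private);
    return strcmp(bob, "Order history for Alice") == 0;
}

int main(void) {
    printf("without Cache-Control: private, Bob sees Alice's data: %d\n", bob_sees_alice(0));
    printf("with    Cache-Control: private, Bob sees Alice's data: %d\n", bob_sees_alice(1));
    return 0;
}
```

Any per-customer response that is selected by something other than the URL (a cookie, a GUID, a session token) has to say so, or a cache in the path will treat it as public.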

-- Microsoft issued a patch for a vulnerability in the TCP/IP stack implementations of Windows 95, 98 and NT 4.0 that could let a remote attacker crash the system.
