Microsoft security - the hole story

Microsoft has averaged two security or virus scares a week over the past two months - from instant messaging software that exposed user passwords to flaws in IE5, Windows NT and Office 2000.

The following security exploits or viruses have hit Microsoft software in the past two months.

August

* Reports publicise the "Christmas virus," set to activate on Dec. 25. Also known as Win32.Kriz, the virus replicates on Windows 95, Windows 98, and Windows NT systems and infects files that are copied, opened and moved. It also kills the CMOS memory, overwrites data in all files on available drives and destroys Flash BIOS, leaving users unable to boot computers properly or control cursors.

* L0pht Heavy Industries announces an exposure in Windows 95/98, Windows 2000, SunOS and Solaris 2.6 systems that runs the Internet router discovery protocol. The exposure allows hackers to intercept and modify outgoing information and deny network service.

* Microsoft admits its Microsoft Network instant-messaging software contains a glitch that lets unauthorised users see a person's e-mail password.

* Microsoft acknowledges security holes in Office 97 and Office 2000, first reported in July, related to the company's Jet data-access software. The flaws allow code in an Excel 97 worksheet that is hidden in a Web page or sent via e-mail to delete data, read files and plant viruses. The researcher who discovered the hole claims Microsoft's fix is not adequate.

* Microsoft acknowledges a security flaw in Windows NT when used with Service Pack 4 that enables hackers masquerading as trusted hosts to access secure systems using so-called Predictable IP Sequence Numbering.

* A security hole in Internet Explorer (IE) 5 ActiveX control is exposed. Hackers can exploit the code, using it to create new files or write over old ones on Web site visitors' computers, but hackers would need to know the exact location of the files.

* Researchers at Xerox PARC and Princeton University discover a flaw in Microsoft's Java virtual machine that allows people to create an attack applet attached to an HTML page. When executed, the attack applet can read, modify or destroy any data on the computer, insert a virus and insert software to spy on future online activities.

* Reports publicize Hotmail breach that allows anyone to enter a user name and fake password to access an account. Microsoft fixes the breach the day it makes headlines and hires an outside company to test the fix.

September

* Network Associates reports the "Thursday virus," which affects Word 97 and aims to delete all the files on a user's hard drive on Dec. 13. The virus, also called W97M/Thursday and Thus.A, infects normal.dot templates and turns off the Macro warning feature. It is discovered in financial institutions in the U.S. and Europe.

* Microsoft says it corrected the automatic log-on feature in versions of Windows 2000, Beta 3, designed to allow a system to load without a password. The features also allow hackers with physical or Telnet access to find the name of a person logged on to a computer and silently log in as the default user.

* Microsoft officials say it is developing a patch to fix an IE 5 flaw that allows Web site operators to run malicious executable codes on visitors' computers. Until the patch is ready, Microsoft advises disabling Active Scripting in IE 5's ImportExportFavorites feature.

* Microsoft announces that unattended installations of Windows NT 4.0 Workstation or Server can leave a copy of the file that contains installation parameters on the hard drive. The file can contain sensitive information, such as the local administrator password, and can be read by any users able to perform an interactive log-on.

* Microsoft releases a patch that eliminates a buffer overrun flaw in the Telnet in Windows 95 and Windows 98 that allows arbitrary code to execute on Web site visitors' computers.

* Microsoft releases a patch that eliminates Site Server and Commercial Internet System holes that could allow a Web site visitor to inadvertently access another customer's data.

* Microsoft issues a patch to eliminate vulnerability in TCP/IP stack implementation in Windows 95, Windows 98 and Windows NT 4.0 that could result in a system crash or a remote attack.

* Bulgarian programmer Georgi Guninski discovers Hotmail vulnerability that strikes when users open messages with malicious JavaScript code. The code executes a fake Hotmail log-in page and steals passwords when users enter their information. Microsoft says that the problem isn't a security issue and that users should disable JavaScript.

Join the newsletter!

Error: Please check your email address.
Show Comments
[]