[Am-info] A MATTER OF TRUST

[Fred A. Miller]

BRIAN LIVINGSTON:     "Window Manager"     InfoWorld.com
========================================================

Monday, December 9, 2002


A MATTER OF TRUST

Posted December 6, 2002 01:01 PM  Pacific Time


I NEVER THOUGHT I'd see the publisher of Windows issue
an official document saying, "You shouldn't trust Microsoft."

But that day has arrived. And the behind-the-scenes
explanation reveals a lot about Windows and the flaws
users are constantly battling.

Our story begins with the software giant's most recent
security warning. I don't usually devote a whole
column to every weakness Microsoft makes known after
being nailed by a white-hat hacker. (There are, after
all, only 52 weeks in the year.) But this case cries
out for special attention.

For one thing, this particular flaw is especially
serious. A PC can be hacked if it merely views a
malicious Web page or HTML e-mail. No user action,
such as opening an attachment, is required.

The hole affects any system using MDAC (Microsoft Data
Access Components) prior to version 2.7. MDAC, which
helps Windows download data, and is just about
universal. The hole, therefore, threatens many
machines running Microsoft's Internet Information
Server, every Windows 2000 and Me desktop, and every
Windows 9x desktop that's added Internet Explorer 5.x
or 6.x.

Systems that are not at risk include Windows XP -- even
though it includes IE 6 -- because XP ships with MDAC
2.7. In addition, servers are not vulnerable if
Microsoft's IIS Lockdown Tool has been applied.
Finally, Windows clients are protected from HTML
e-mail attacks if they use Microsoft's Outlook 2002 or
Outlook Express 6 (with their default settings) or
Outlook 98/2000 with Microsoft's Outlook E-mail
Security Update.

All of this, and a patch to update the systems at risk,
is explained in the company's 65th security warning
this year, MS02-065, at
http://www.microsoft.com/technet/security/bulletin/MS02-065.asp
.

Even after being patched, however, many PCs can still
be exploited. If you view a tainted site or e-mail, an
earlier version of MDAC can be re-installed. If you've
ever downloaded an updated Windows component -- and
you happened to check the box that says "always trust
Microsoft" -- the insecure version of MDAC will
install itself without any notice. It can do this
because it still has a valid Microsoft digital signature.

This is where "trust" comes in. The Microsoft bulletin
says the only way to ward off this attack is to "make
sure you have no trusted publishers, including
Microsoft." To do this, start IE and click Tools,
Internet Options, Content, Publishers, Trusted
Publishers. Then remove every company name you find.
Sorry, if any new plug-ins arise, you'll now have to
decide Yes or No on your own.

In a recent financial statement, Microsoft revealed for
the first time that desktop Windows makes a profit
margin of more than 85 percent. To put this in
personal terms, for every dollar you spent licensing
the OS last year, Microsoft spent less than 15 cents
on all Windows packaging, marketing, and, oh yeah,
improving the product.

Setting aside just 1 cent of each dollar would create a
fund of $29 million a year. That'd pay a lot of
outside security auditors, don't you think?

Brian Livingston is co-author of 10 Windows books. Send
tips to brian@brianlivingston.com. Subscribe to Window
Manager and E-Business Secrets at www.iwsubscribe.com/newsletters.

-- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org, www.cupserv.org