[Am-info] A matter of trust

Mitch Stone mitch@accidentalexpert.com
Tue, 21 Jan 2003 20:30:18 -0800 

--Apple-Mail-2-478108722
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	delsp=yes;
	charset=US-ASCII;
	format=flowed

A matter of trust
by Brian Livingston

http://www2.infoworld.com/articles/op/xml/02/12/09/ 
021209opwinman.xml?Template=/storypages/printfriendly.html

I NEVER THOUGHT I'd see the publisher of Windows issue an official  
document saying, "You shouldn't trust Microsoft."

But that day has arrived. And the behind-the-scenes explanation reveals  
a lot about Windows and the flaws users are constantly battling.

Our story begins with the software giant's most recent security  
warning. I don't usually devote a whole column to every weakness  
Microsoft makes known after being nailed by a white-hat hacker. (There  
are, after all, only 52 weeks in the year.) But this case cries out for  
special attention. For one thing, this particular flaw is especially  
serious. A PC can be hacked if it merely views a malicious Web page or  
HTML e-mail. No user action, such as opening an attachment, is required.

The hole affects any system using MDAC (Microsoft Data Access  
Components) prior to version 2.7. MDAC, which helps Windows download  
data, and is just about universal. The hole, therefore, threatens many  
machines running Microsoft's Internet Information Server, every Windows  
2000 and Me desktop, and every Windows 9x desktop that's added Internet  
Explorer 5.x or 6.x.

Systems that are not at risk include Windows XP -- even though it  
includes IE 6 -- because XP ships with MDAC 2.7. In addition, servers  
are not vulnerable if Microsoft's IIS Lockdown Tool has been applied.  
Finally, Windows clients are protected from HTML e-mail attacks if they  
use Microsoft's Outlook 2002 or Outlook Express 6 (with their default  
settings) or Outlook 98/2000 with Microsoft's Outlook E-mail Security  
Update.

All of this, and a patch to update the systems at risk, is explained in  
the company's 65th security warning this year, MS02-065, at  
www.microsoft.com/technet/security/bulletin/MS02-065.asp.

Even after being patched, however, many PCs can still be exploited. If  
you view a tainted site or e-mail, an earlier version of MDAC can be  
re-installed. If you've ever downloaded an updated Windows component --  
and you happened to check the box that says "always trust Microsoft" --  
the insecure version of MDAC will install itself without any notice. It  
can do this because it still has a valid Microsoft digital signature.

This is where "trust" comes in. The Microsoft bulletin says the only  
way to ward off this attack is to "make sure you have no trusted  
publishers, including Microsoft." To do this, start IE and click Tools,  
Internet Options, Content, Publishers, Trusted Publishers. Then remove  
every company name you find. Sorry, if any new plug-ins arise, you'll  
now have to decide Yes or No on your own.

In a recent financial statement, Microsoft revealed for the first time  
that desktop Windows makes a profit margin of more than 85 percent. To  
put this in personal terms, for every dollar you spent licensing the OS  
last year, Microsoft spent less than 15 cents on all Windows packaging,  
marketing, and, oh yeah, improving the product.

Setting aside just 1 cent of each dollar would create a fund of $29  
million a year. That'd pay a lot of outside security auditors, don't  
you think?


Brian Livingston is co-author of 10 Windows books. Send tips to  
brian@brianlivingston.com. Subscribe to Window Manager and E-Business  
Secrets at www.iwsubscribe.com/newsletters.

--Apple-Mail-2-478108722
Content-Transfer-Encoding: 7bit
Content-Type: text/enriched;
	charset=US-ASCII

A matter of trust  

by Brian Livingston


<underline><color><param>1A1A,1A1A,FFFF</param>http://www2.infoworld.com/articles/op/xml/02/12/09/021209opwinman.xml?Template=/storypages/printfriendly.html</color></underline>


I NEVER THOUGHT I'd see the publisher of Windows issue an official
document saying, "You shouldn't trust Microsoft."


But that day has arrived. And the behind-the-scenes explanation
reveals a lot about Windows and the flaws users are constantly
battling.


Our story begins with the software giant's most recent security
warning. I don't usually devote a whole column to every weakness
Microsoft makes known after being nailed by a white-hat hacker. (There
are, after all, only 52 weeks in the year.) But this case cries out
for special attention. For one thing, this particular flaw is
especially serious. A PC can be hacked if it merely views a malicious
Web page or HTML e-mail. No user action, such as opening an
attachment, is required.


The hole affects any system using MDAC (Microsoft Data Access
Components) prior to version 2.7. MDAC, which helps Windows download
data, and is just about universal. The hole, therefore, threatens many
machines running Microsoft's Internet Information Server, every
Windows 2000 and Me desktop, and every Windows 9x desktop that's added
Internet Explorer 5.x or 6.x.


Systems that are not at risk include Windows XP -- even though it
includes IE 6 -- because XP ships with MDAC 2.7. In addition, servers
are not vulnerable if Microsoft's IIS Lockdown Tool has been applied.
Finally, Windows clients are protected from HTML e-mail attacks if
they use Microsoft's Outlook 2002 or Outlook Express 6 (with their
default settings) or Outlook 98/2000 with Microsoft's Outlook E-mail
Security Update.


All of this, and a patch to update the systems at risk, is explained
in the company's 65th security warning this year, MS02-065, at
<underline><color><param>1A1A,1A1A,FFFF</param>www.microsoft.com/technet/security/bulletin/MS02-065.asp.</color></underline>


Even after being patched, however, many PCs can still be exploited. If
you view a tainted site or e-mail, an earlier version of MDAC can be
re-installed. If you've ever downloaded an updated Windows component
-- and you happened to check the box that says "always trust
Microsoft" -- the insecure version of MDAC will install itself without
any notice. It can do this because it still has a valid Microsoft
digital signature.


This is where "trust" comes in. The Microsoft bulletin says the only
way to ward off this attack is to "make sure you have no trusted
publishers, including Microsoft." To do this, start IE and click
Tools, Internet Options, Content, Publishers, Trusted Publishers. Then
remove every company name you find. Sorry, if any new plug-ins arise,
you'll now have to decide Yes or No on your own.


In a recent financial statement, Microsoft revealed for the first time
that desktop Windows makes a profit margin of more than 85 percent. To
put this in personal terms, for every dollar you spent licensing the
OS last year, Microsoft spent less than 15 cents on all Windows
packaging, marketing, and, oh yeah, improving the product.


Setting aside just 1 cent of each dollar would create a fund of $29
million a year. That'd pay a lot of outside security auditors, don't
you think?



Brian Livingston is co-author of 10 Windows books. Send tips to
<underline><color><param>1A1A,1A1A,FFFF</param>brian@brianlivingston.com</color></underline>.
Subscribe to Window Manager and E-Business Secrets at
<underline><color><param>1A1A,1A1A,FFFF</param>www.iwsubscribe.com/newsletters.</color></underline>


--Apple-Mail-2-478108722--