A matter of trust

[an error occurred while processing this directive]

[an error occurred while processing this directive]

[an error occurred while processing this directive]
[an error occurred while processing this directive]
[an error occurred while processing this directive]

		Window Manager Brian Livingston

A matter of trust

I NEVER THOUGHT I'd see the publisher of Windows issue an official document saying, "You shouldn't trust Microsoft."

But that day has arrived. And the behind-the-scenes explanation reveals a lot about Windows and the flaws users are constantly battling.

Our story begins with the software giant's most recent security warning. I don't usually devote a whole column to every weakness Microsoft makes known after being nailed by a white-hat hacker. (There are, after all, only 52 weeks in the year.) But this case cries out for special attention.

For one thing, this particular flaw is especially serious. A PC can be hacked if it merely views a malicious Web page or HTML e-mail. No user action, such as opening an attachment, is required.

The hole affects any system using MDAC (Microsoft Data Access Components) prior to version 2.7. MDAC, which helps Windows download data, and is just about universal. The hole, therefore, threatens many machines running Microsoft's Internet Information Server, every Windows 2000 and Me desktop, and every Windows 9x desktop that's added Internet Explorer 5.x or 6.x.

Systems that are not at risk include Windows XP -- even though it includes IE 6 -- because XP ships with MDAC 2.7. In addition, servers are not vulnerable if Microsoft's IIS Lockdown Tool has been applied. Finally, Windows clients are protected from HTML e-mail attacks if they use Microsoft's Outlook 2002 or Outlook Express 6 (with their default settings) or Outlook 98/2000 with Microsoft's Outlook E-mail Security Update.

All of this, and a patch to update the systems at risk, is explained in the company's 65th security warning this year, MS02-065, at www.microsoft.com/technet/security/bulletin/MS02-065.asp.

Even after being patched, however, many PCs can still be exploited. If you view a tainted site or e-mail, an earlier version of MDAC can be re-installed. If you've ever downloaded an updated Windows component -- and you happened to check the box that says "always trust Microsoft" -- the insecure version of MDAC will install itself without any notice. It can do this because it still has a valid Microsoft digital signature.

This is where "trust" comes in. The Microsoft bulletin says the only way to ward off this attack is to "make sure you have no trusted publishers, including Microsoft." To do this, start IE and click Tools, Internet Options, Content, Publishers, Trusted Publishers. Then remove every company name you find. Sorry, if any new plug-ins arise, you'll now have to decide Yes or No on your own.

In a recent financial statement, Microsoft revealed for the first time that desktop Windows makes a profit margin of more than 85 percent. To put this in personal terms, for every dollar you spent licensing the OS last year, Microsoft spent less than 15 cents on all Windows packaging, marketing, and, oh yeah, improving the product.

Setting aside just 1 cent of each dollar would create a fund of $29 million a year. That'd pay a lot of outside security auditors, don't you think?

Brian Livingston is co-author of 10 Windows books. Send tips to brian@brianlivingston.com. Subscribe to Window Manager and E-Business Secrets at www.iwsubscribe.com/newsletters.

RELATED SUBJECTS

Security

Click here for all of Brian Livingston's past columns.

[an error occurred while processing this directive]

// // // Article

[an error occurred while processing this directive] [an error occurred while processing this directive]

	<A HREF="http://ad.doubleclick.net/jump/idg.us.ifw.community/opinions;abr=!ie;pkey=security;skey=security;paud=cto;saud=cio;saud=endusersupportmgmt;saud=midtolarge;pos=bot;sz=468x60;tile=4;ord=211804170508?"><IMG SRC="http://ad.doubleclick.net/ad/idg.us.ifw.community/opinions;abr=!ie;pkey=security;skey=security;paud=cto;saud=cio;saud=endusersupportmgmt;saud=midtolarge;pos=bot;sz=468x60;tile=4;ord=211804170508?" BORDER="0" HEIGHT="60" WIDTH="468"></A>

[an error occurred while processing this directive]

About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store

COLUMN ARCHIVE

FORUMS

COLUMN

Window Manager
Brian Livingston

A matter of trust

I NEVER THOUGHT I'd see the publisher of Windows issue an official document saying, "You shouldn't trust Microsoft."

ADVERTISEMENT

<a href="http://ad.doubleclick.net/jump/idg.us.info.opinions/article;abr=!ie;pos=skyscraper;pkey=security;skey=;paud=;saud=;sz=160x600;tile=2;ord=211804170508?"> <img src="http://ad.doubleclick.net/ad/idg.us.info.opinions/article;abr=!ie;pos=skyscraper;pkey=security;skey=;paud=;saud=;sz=160x600;tile=2;ord=211804170508?" border="0"> </a>

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

TOP NEWS

IT SOLUTION SEARCH

But that day has arrived. And the behind-the-scenes explanation reveals a lot about Windows and the flaws users are constantly battling.

Our story begins with the software giant's most recent security warning. I don't usually devote a whole column to every weakness Microsoft makes known after being nailed by a white-hat hacker. (There are, after all, only 52 weeks in the year.) But this case cries out for special attention.

For one thing, this particular flaw is especially serious. A PC can be hacked if it merely views a malicious Web page or HTML e-mail. No user action, such as opening an attachment, is required.

The hole affects any system using MDAC (Microsoft Data Access Components) prior to version 2.7. MDAC, which helps Windows download data, and is just about universal. The hole, therefore, threatens many machines running Microsoft's Internet Information Server, every Windows 2000 and Me desktop, and every Windows 9x desktop that's added Internet Explorer 5.x or 6.x.

Systems that are not at risk include Windows XP -- even though it includes IE 6 -- because XP ships with MDAC 2.7. In addition, servers are not vulnerable if Microsoft's IIS Lockdown Tool has been applied. Finally, Windows clients are protected from HTML e-mail attacks if they use Microsoft's Outlook 2002 or Outlook Express 6 (with their default settings) or Outlook 98/2000 with Microsoft's Outlook E-mail Security Update.

All of this, and a patch to update the systems at risk, is explained in the company's 65th security warning this year, MS02-065, at www.microsoft.com/technet/security/bulletin/MS02-065.asp.

Even after being patched, however, many PCs can still be exploited. If you view a tainted site or e-mail, an earlier version of MDAC can be re-installed. If you've ever downloaded an updated Windows component -- and you happened to check the box that says "always trust Microsoft" -- the insecure version of MDAC will install itself without any notice. It can do this because it still has a valid Microsoft digital signature.

This is where "trust" comes in. The Microsoft bulletin says the only way to ward off this attack is to "make sure you have no trusted publishers, including Microsoft." To do this, start IE and click Tools, Internet Options, Content, Publishers, Trusted Publishers. Then remove every company name you find. Sorry, if any new plug-ins arise, you'll now have to decide Yes or No on your own.

In a recent financial statement, Microsoft revealed for the first time that desktop Windows makes a profit margin of more than 85 percent. To put this in personal terms, for every dollar you spent licensing the OS last year, Microsoft spent less than 15 cents on all Windows packaging, marketing, and, oh yeah, improving the product.

Setting aside just 1 cent of each dollar would create a fund of $29 million a year. That'd pay a lot of outside security auditors, don't you think?

Brian Livingston is co-author of 10 Windows books. Send tips to brian@brianlivingston.com. Subscribe to Window Manager and E-Business Secrets at www.iwsubscribe.com/newsletters.

RELATED SUBJECTS

Security

Click here for all of Brian Livingston's past columns.

SPONSORED WHITE PAPERS

EMC - Lower costs and improve reliability-Get the EMC CLARiiON white paper!
Ciphertrust - Are you ready for Sobig.G? Learn how to protect your email systems.
CDW - Personal attention. CDW. The Right Technology. Right Away.
EMC - Explore key performance features and capabilities of EMC ControlCenter 5.1.1.
Intel - Free Intel white paper shows you how to deploy a secure wireless LAN
Cisco - FREE WHITE PAPER: BLUEPRINT to design and implement secure VPNs
Verity, Inc. - "Mass Consolidation Hits the Web-Search Market"
McDATA - Download a FREE storage consolidation white paper from McDATA(R).
Lucent Technologies - Overcoming Common Firewall Limitations
Lucent Technologies - Leverage Your Mobile High Speed Data Access. Download Free White Paper!
Nokia - Get the scoop! Mobilizing business white papers & case studies.
BMC Software - Maximize the Potential of Enterprise Data: Free white paper!
Network Associates - Free white paper - Strategies for Optimizing Network Costs and Benefits
Entrust - Manage identities across applications. Improve productivity.
Stalker Software - CommuniGate Pro - Transform your Email and Calendaring
Remedy - A NEW Gartner Research Note:Producing Quality IT Services

Search the IDG White Paper Library: