Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Microsoft "FLAW" !!!

Microsoft "FLAW" !!!

From: <dgoulet_at_vicr.com>
Date: Tue, 18 Jul 2000 09:58:07 -0400
Message-Id: <10562.112260@fatcity.com> 





Since I know that some of you out there (like me) use Windows 95/98 and or NT,
You may be interested in this from InformationWeek.






The System Administration, Networking, and Security (SANS) Institute on 
Monday identified what it called "probably the most dangerous
programming error" found in any workstation running Windows 95, 98, 
2000, and NT 4.0.



A security alert issued by the cooperative research and education group 
states that users are vulnerable to a total compromise when they 
preview or read an infected E-mail--without having to open any 
attachment--if they're running any of the affected operating systems 
and have Microsoft Access 97 or 2000, Internet Explorer 4.0 or higher, 
including version 5.5 that ships with Windows 2000.



According to the institute, the exploit was first discovered June 27, 
but Microsoft requested that SANS not release the details of the 
vulnerability until the company developed a fix. Microsoft posted a 
workaround on July 14 that is available at www.sans.org. Users running 
systems with Outlook, Outlook Express, Eudora, or any mail reader that 
uses Internet Explorer to render HTML documents are also vulnerable to 
this exploit through E-mail.



According to the SANS advisory, a hacker could get into Microsoft 
Access using ActiveX controls without the victim knowing that it's 
happening. "This is a very serious problem," says Forrester Research 
analyst Frank Prince. "Anyone with Visual Basic knowledge could 
potentially send an E-mail -- that doesn't have to be opened--and give 
the hacker complete access to the user's system."



Prince says he agrees with SANS's decision not to publicize the 
vulnerability until a patch was available. "The bar is so low for this 
exploit, and the potential for damage so high, a lot of people with 
Visual Basic knowledge would jump on the Internet to see what they 
could do. I'll bet a lot are doing just that right now," he says. For a 
complete workaround for the security flaw, visit 
http://www.sans.org/newlook/resources/win_flaw.htm. --George V. Hulme
Received on Tue Jul 18 2000 - 08:58:07 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US