Microsoft Warns of Security Risks in Office, IE

New York Times ^

[milestogo]

August 22, 2002

Microsoft Warns of Security Risks in Office, IE

By REUTERS

Filed at 9:49 p.m. ET

SEATTLE (Reuters) - Microsoft Corp. (MSFT.O) said on Thursday that ``critical'' security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers.

The world's No. 1 software maker said that an attacker, using e-mail or a Web page, could use Internet related parts of Office to run programs, alter data and wipe out the hard drive as well as view file and clipboard contents on a user's system.

Office is a software product that runs on Windows and is used to write documents and crunch numbers.

``Microsoft is committed to keeping customers' information safe, and is providing a patch that eliminates three vulnerabilities in Office Web Components,'' Microsoft Security Program Manager Christopher Budd said in an e-mail.

In addition, Microsoft reported vulnerabilities in the three latest versions of its dominant Internet Explorer browser software that allows infiltrators to read files.

Microsoft urged users to fix the glitches by downloading software patches from Microsoft's TechNet Web site (http://www.microsoft.com/technet).

``It's important that users get the patch,'' said Russ Cooper, head of security at TruSecure Corp., a computer security company, and editor of NTBugTraq.

``Typically with these types of issues it will be six to nine months until we see a massive attempt to start exploiting it,'' Cooper said, adding that a preemptive patch was critical.

Since Office is used by at least 100 million users, the risk of widespread attacks was significant, Cooper said.

The security warnings are the latest headaches for the Redmond, Washington-based software company.

Microsoft, shaken by break-ins to its system and vulnerabilities in its software, launched a ``trustworthy computing'' campaign earlier this year to improve the security of all of its software.

Since that initiative, which chairman Bill Gates said had cost the company $100 million so far this year, Microsoft has issued at least 30 security bulletins for flaws in its software.

Last week, security experts reported serious flaws in the Internet Explorer browser and a complementary encryption program that could expose credit card and other sensitive information of Internet users.

The Office-related programs vulnerable to attacks include Microsoft Office 2000, Office XP, Money 2002, Money 2003, Project 2002 as well as server software related to such client software, Microsoft said.

Microsoft said it is not aware of any specific security breaches or the amount of any potential damage that might have occurred due to vulnerabilities in its software.

[jumpstartme]

And this comes after Bill Gates' so-called emphasis on security...

LINUX, real soon.

[jude24]

Oh, I bet Linux has similar gaping security holes....

It's just MS gets all the attention since its what 90% of computers use.

[Mixer]

Get a PC from Walmart for 199 loaded with the Lindows OS. This is the best thing you could do for yoursefl and your online security.

http://www.lindows.com

[Abcdefg]

I just downloaded the latest security update and the license agreement has this jewel:

" * You may not disclose the results of any benchmark test of the .NET Framework component of the OS Components to any third party without Microsoft's prior written approval."

What are they trying to hide?

[jumpstartme]

That's not the point. Gates said that the next releases of Windows and Office would focus on these issues. He lied.

Time to give someone else a chance after 10 years of crap from MS.

[jenny65]

Microsoft urged users to fix the glitches by downloading software patches from Microsoft's TechNet Web site (http://www.microsoft.com/technet).

Why the F isn't this on the Windows Update page? God, I'm sick and tired of these "critical" security problems. Maybe I should just disconnect my Windows machine from the internet permanently and get a cheap Linux box to access the web.

If it weren't for all the bells and whistles that MS puts in its products that 99.999% of people don't use, they wouldn't be having these problems.

Hey, here's a novel idea: How about Microsoft comes out with an OPERATING SYSTEM and leaves the applications to people who know what the hell they're doing.

P.S. - Speaking of bells and whistles, why is it that when I try to edit this text, and I select a word or phrase, IE 5.5 forces the selection to go to the start and end of a word (including end spaces)? It's impossible to select just part of a word for correcting misspellings or replace a word without having to add the space back. Drives me nuts! While minor, that's the kind of crap that seems to take precedence over stability and security.

[IncPen]

Um. Buy a Mac.

[Darth Sidious]

Scratch IE and go with Mozilla. Been using it for two months ever since its release date and haven't used IE once since. Mozilla is stable, fast, can turn off pop-up ads without additional software, can open up different windows in the same browser via a neat "tab" feature, tons more stuff... but best of all it's all open-source code.

[scab4faa]

I agree totally, I am so sick of the bullsh1t game microcrap has been playing with all of us. I did just that I unplugged my machine from the internet. besides all of the crap filled security patches you constantly have to download, it seems that Microcrap thinks that because you put their sh1tty os on YOUR machine they have some right to it.. F@ck them!... Have I said latly how much I hate BIll GAtes and his terrorist company Microcrap?

[litany_of_lies]

Y'know, there's no excuse for MS not e-mailing all known users of the Office versions in their database of these problems. It's sheer laziness that they aren't.

For that matter, MS should be well past this point. It's 2002, guys, not 1996--They should enable the user to automatically download all service updates to the software on a scheduled basis, like Norton, Adobe, and Mac OSX currently do (at least for their Mac Products).

[jenny65]

They should enable the user to automatically download all service updates to the software on a scheduled basis, like Norton, Adobe, and Mac OSX currently do (at least for their Mac Products).

Actually, I think they do that now in XP, but usually without your knowledge or control, which is another gripe I share with scab4faa (#10). If they told you what they wanted to install, and allowed you to deny it, I might accept that. It's widely reported that they eventually want to take complete control of what you can and can't run on your own machine, all in the name of anti-piracy.

I'm still running Windows 98SE, and have no plans of EVER upgrading beyond it, what with all the intrusive, controlling, personal information-stealing things they install on XP without telling you. I've yet to install the Media Player 7.1 patch either for the same reason.

[discostu]

No it comes BECAUSE of the emphasis on security. That emphasis is how they're finding the security holes. Notice this is very different from similar stories this time last year. MS found it, MS fixed it and MS announced it. None of the usual 3rd party stuff.

[discostu]

Uh, there hasn't been a release of either since he made the announcement.

[Naspino]

You people need to get in the real world. When any other OS starts marketing serious business solutions that interoperate hole will start opening up in those too. Its not so simple to close all conceivable holes and maintain superior functionality.

If you think Linux and Mozilla and Mac are any more secure you're deluded; the only reason they might possibily be more secure is that all the hackers are Linux zealots. If the tables turned in the market you can expect Linux to spread open wide...

[discostu]

No excuse!? The install base is an estimated 100 million users. They're just supposed to spam the world with a mega e-mail? And what about the people they don't know who are using it?

Actually most of their stuff has had automatic updates available since Win98, they were ahead of the curve on that.

[discostu]

Preaching to the choir hos. I'm of the firm belief that many of the demands MS bashers make of MS are not impossible, and most (even the arguably possible) aren't actually achieved by the competition. My favorite is the "OSes should never crash" discussion, yeah there's plenty of OSes out that have never crashed all right /sarcasm.

[discostu]

Nope you can control it easy. Actually you've got it in 98. Just go to System Tools/ Scheduled Tasks and add a task for Windows Update. By default, at least early on, it was set to trigger every other friday at 2AM or something odd like that. That always annoyed me because Scheduled Tasks bitches about not being on when something was scheduled. You should also have Windows Update as an icon in the Start Menu (sometimes under Settings). If you run it scheduled you configure what level of update it will get (just critical security, just critical, everything, a few gradients in between); if you run it by hand you have total control. It doesn't generally dig all the way down to MS applications, just Windows and stuff tied deeply into Windows (IE, Media Player, stuff like that).

Don't believe everything you hear from the bashers. A lot of these "MS plans" are not only completely unbacked by fact, they're technically unfeasable.

[litany_of_lies]

Thanks for the tip on Mozilla. I downloaded the Mac OSX version last night, and it flies compared to IE 5.2.1 for Mac. It's like going from DSL to cable modem without getting the cable modem.