A new computer virus dubbed "Killer Resume" is spreading through email systems
using the Microsoft Outlook program, the FBI said.
Antivirus companies reported late yesterday that several corporate email systems had already been infected, and
some had been shut down, the FBI's National Infrastructure Protection Center said.
The virus, similar in makeup to the notorious Melissa virus, is carried in a file attached
to an email with the subject "Resume--Janet Simons." The attachment is a Microsoft
Word file named "Explorer.doc" or "Resume.doc," according to an alert posted on the
Web site of computer security company Network Associates.

A phone call from a Microsoft lawyer earlier this month provided some more signposts as
to how Microsoft intends to implement/embrace 'open' industry standards. Jason Bishop,
who'd been involved in development of SOAP in his previous job as a contractor at
Microsoft, was due to give a talk to the Seattle area Java-XML SIG, but immediately prior to
his presentation he took the call, and was reminded that he was still covered by NDA.

Security Focus has posted a comparative review on the number of security incidents that have appeared on
the BUGTRAQ mailing list for various operating systems and software packages. The most-often
plagued software package seems to be Windows NT.

Microsoft's remedy to the ILOVEYOU virus may cause more problems than the
original virus.
Microsoft posted three patches as an answer to the Outlook
email virus and its copycat cousins. "Microsoft has reported several cases of functionality failure surrounding the Outlook
updates. The most significant of these involves the updates' installation procedures,"
reports Windows Web site EntEnt.
According to Microsoft
itself, there is no uninstall procedure and if the patch installation goes awry.
With its patches this week, Microsoft typically went for the symptoms, rather than try
and tackle the root cause of the problem, which now leads to perfectly normal systems procedures causing virus alerts.

Microsoft's browser bug team is working to patch an Internet Explorer glitch that afflicts Apple
Macintosh computers running the latest iteration of IE.
The bug, which can expose private files and, in some circumstances, grant unauthorized access to sites on a
company's intranet, first cropped up in late 1997. Microsoft patched it then, only to reintroduce the bug with the
release of IE 5.
Dick Craddock, product unit manager for Mac IE at Microsoft, would not estimate
when a fix would be available.

If you're a Windows 2000 user, be warned: Your security software may not work the way
you think it does.
Microsoft intentionally designed Windows 2000 so that export versions can use a
notoriously weak encryption method to scramble information sent over the Internet and
intranets, leaving sensitive data exposed to hackers and eavesdroppers.

Microsoft Corp. intensified its counterattack on government antitrust enforcers,
boosting lobbying and political contributions and helping fund a group that blames recent state
pension-fund losses on state officials.
The Redmond, Wash., software concern said it will give about $1 million each
in cash, software and services to the Republican and Democratic national
conventions this summer. The gifts are the latest escalation in campaign giving
by Microsoft, which amount to $2.6 million so far for the 1999-2000 election
cycle.

Heise Publishers of Germany report a security hole in Office 2000 which can allow a malicious web site or e-mail to erase your entire hard disk. This is due to an ActiveX component installed by Office, which is incorrectly marked as
"safe for scripting". This control, the Office 2000 UA Control, is used by the
"Show Me" function in Office Help, and allows Office functions to be scripted.
A malicious web site operator could use the control to carry out Office
functions on the machine of a user who visited his site.
Microsoft has released a patch that disables the UA Control, also disabling the "Show Me" function in the process.
NOTE: This article is in German

Security enthusiasts Bennett Haselton and Jamie McCarthy demonstrated how a simple substitution in Web
addresses (URLs) can foil IE's security checks, exposing the cookie files that Web sites place on visitors'
computers. Cookies authenticate people's identities when they return to Web sites and store data about visitors'
activities and purchases.
Microsoft acknowledged that the hole leaves room for plenty of trouble.
"The vulnerability could allow a malicious Web site to read, change or delete cookies
that belong to another Web site," Microsoft said in a statement. "We expect to deliver
the patch shortly. A security bulletin will be published...to discuss the issue and
advise customers how to obtain and apply the patch."

A new security hole in Microsoft's Hotmail service allows enterprising snoops to browse
your email messages without a password.
If a Hotmail user clicks on an attachment that contains a Javascript Trojan horse, an
attacker can read, send, and delete messages from that person's account.
"Anyone could use this trick to gain access to another person's Hotmail
account temporarily and read their messages," says Bennett Haselton, a
programmer who lives in Bellevue, Washington and discovered the bug.

A spokeswoman for Microsoft Benelux in the Netherlands has claimed that the love
bug affects both Linux and Apple, in an interview with Egbert Kalse, a journalist with
the Dutch newspaper NRC Handelsblad. The story subsequently appeared on the
front page of the newspaper last Friday, and included: "A spokesperson from
Microsoft Benelux denies [the virus only spreads on Microsoft software] and said that
other operating systems such as Apple and Linux are hit."
A glance at the VB script of the love bug shows with no doubt whatsoever that it is
impossible for there to be any adverse effect on non-Microsoft software. But that's not
all.
The Register asked Microsoft Benelux to confirm the claim. They denied that this
had been said by a Microsoft spokesperson.
They subsequently spoke to Egbert Kalse and he confirmed that he was "absolutely sure" about the
response from a spokeswoman with Microsoft Benelux: he had called Microsoft
Benelux and asked for the right person in PR with whom to discuss the virus.

The Justice Department's top trust buster said today Microsoft's anti-competitive actions
were not invented for the New Economy, but instead relied on "time-tested tricks" of monopolists.
Klein said that Microsoft got into trouble by using illegal
business techniques, "as old as the antitrust laws themselves."
Those techniques include cutting off competitors' access to important suppliers and markets; tying two products together; predatory practices, in which a firm spends money in a way that makes sense only to hurt a competitor; and others.
"Basically, these are the time-tested tricks of the monopolist's trade," Klein added.

While most of the world convalesces from the Love Bug worm, people running alternatives
to Windows are smugly congratulating themselves for knowing better than to use Microsoft
software.
The Love Bug and its variants over the last few days have melted down millions of
computers worldwide and caused billions of dollars in damages. But clever users running
Macs, the BeOS, and various flavors of Unix happily gloat that they were immune to the
attacks.
"The point is that the root cause of these mass virus proliferations is a
pathetically insecure email client foisted upon the public by a certain evil
monopoly whose name I need not mention," wrote Seldolivaw Ssov in an
email. "Hey, this *only* happens when you use Outlook and Outlook
Express!"

Global virus armageddon will be the result of the breakup of Microsoft, writes Bill Gates in
this week's Time magazine.
If
Microsoft is split into two, there would be less innovation in the software, hence fewer
developers, and ultimately less defence against viruses.
So there you go. If you've been thinking that the reasons viruses are specifically targeted at
Microsoft software are because Outlook leaves plenty big holes for them to drive through,
and because Microsoft software has 90 per cent plus of the market, then you're wrong. On
the contrary, continual Microsoft innovation must have made the software less vulnerable.

Security issues tied to Microsoft's Outlook email program drew heated criticism today from security analysts after a new virus swept through computer systems across the globe.
Some analysts said the "I Love You" attack points to serious flaws in Microsoft code. They noted that the virus takes advantage of well-known exploits involving Visual Basic script files.
Michael Zboray, chief technology officer for market researcher Gartner Group, harshly criticized Microsoft for releasing a programming language with the "wrong security posture" to businesses and the public.
"Visual Basic script and the macros are proving to be a disaster. This is just happening over and over again. We have to get away from this hostile active content that is coming in through Word documents, Excel spreadsheets and the browser. The security posture from which ActiveX and VBScript were designed is the wrong posture."
For its part, Microsoft attributes the ongoing security issues not so much to inherent problems with Visual Basic script and its macro language, but to bad people misusing good software.

In his commentary on the ILOVEYOU virus for ZDNN, Steve Vaughan-Nichols tells readers why he wasn't affected by the virus: he is not using Microsoft Outlook, which he calls "a security hole that also happens to be an e-mail client". He points out: "If it weren't for the fundamental flaws of Outlook having minimal security and its too-close integration with
Windows, we wouldn't have a Melissa or an ILOVEYOU at all."
His conclusion is therefore: "[...] because Microsoft isn't going to fix the Outlook vulnerabilities, which leads to worms, you've got one choice. Change
your e-mail client today."
Read the full article at ZDNN.

A computer virus that experts warn could be more disruptive than the notorious Melissa virus has
hit computers in Asia and Europe and is quickly spreading across the United States via email.
The virus, which includes the message "I Love You" or "Love Letter" in the email subject line, was first spotted
in Asia this morning, according to security systems firm F-Secure.
Antivirus experts were amazed by the power of the virus. "I've been
doing antivirus research for the past nine years, and it hasn't been this
bad," said Mikko Hypponen, a research manager at F-Secure. "It's spreading
so fast, so globally, and twice as widespread as the Melissa virus."
The virus uses a security leak in Microsoft's Outlook email program to send messages with the virus to everyone listed
in that person's address book.
The email virus has infected computer systems across Asia, Europe
and the United States and is spreading fast, according to
representatives from many companies.
Computers running Apple's MacOS operating system are mostly immune to the virus, as it makes explicit use of Windows-specific security holes.

Microsoft chief technology officer Nathan Myhrvold, the brains behind the
software titan's $3 billion-a-year research lab, has left the company, officially ending
a nearly year-long leave of absence. Myhrvold's decision not to return to Microsoft is also the latest in
a series of high-level departures, including that of the company's
former chief financial officer, Greg Maffei.

According to a study brought forward by the German TÜV institute, Microsoft Office 2000 is not compliant with the DIN EN ISO 9241-10 norm for usability. In particular, it did not meet required standards for data safety and intuitive user interface. The product was therefore classified as "unfit for daily use". Non-compliance with this ISO norm means that employers in Germany have to remove the software from all computers should employees demand it.
NOTE: This article is in German.