Computer Security Weekly, Sep.10. 2000


Another interesting interaction between MS Office and Internet Explorer, although related to some issues previously mentioned. If an Office file, with VBA programming, is called from a Web page, the programming can be run with minimal, or no, warning to the user. This is the case even if the file is renamed to an unknown or non-Office extension. Internet Explorer will, apparently, check the contents of the file, and determine that it is an Office file type.

A related issue is posted at: http://www.securityfocus.com/archive/1/7...

In regard to the MS Office "Web bug" issue reported last week (also being referred to as documents that "phone home"), some exploration has been done with other Office document compatible applications. StarOffice, in particular, has an Offline mode, which appears to be the default for standalone installations. In Offline mode, the program will not contact the Web site, and the user will be notified by a message box. In Online mode, the Web contact is made, but other functions may not happen.

Probably due to the furor earlier this year, DoubleClick now has an "opt-out" system. You can visit their Web site, select the opt-out option, and have a cookie set that prevents them from tracking you. Unfortunately, the system seems to have serious flaws. The user who has noted this says DoubleClick claims not to be able to reproduce the problems he is seeing, but he has publicly posted a challenge for others to try the experiment.

http://www.doubleclick.net/optout/ http://messages.yahoo.com/bbs?.mm=FN&act...

If you visit Microsoft Network (MSN.COM), the server MSID.MSN.COM apparently sets a unique ID, via cookies. This identifier is shared with bCentral.com, and thence apparently with other domains. Interestingly, the "trusted zone" cookie system, recently implemented by Microsoft in Internet Explorer, can be easily compromised using this system.

Some details of the operation of the identifier passing can be found at: http://www.pc-help.org/privacy/ms_guid.h...

A new type of companion virus has been found. Companion viruses use the fact that a program file exists to prepare a means of activation, without affecting the original file. The new type uses a little known function of the NTFS file system, used by Windows NT and 2000. NTFS files can have optional "streams." The primary stream is generally the only one used, and is the content of the file. However, other streams are possible, and the new virus creates a stream to take over control from the original file or program. At this time, the only known stream companion is fairly simple to detect, but other variants may require a significant change in virus detection technology.

http://www.avp.ru/news.asp?tnews=0&nview... http://www.viruslist.com/eng/viruslist.a...

mailto:rslade@vcn.bc.ca
mailto:rslade@sprint.ca
mailto:robertslade@usa.net
mailto:p1@canada.com Robert Slade's Guide to Computer Viruses, 0-387-94663-2, (800-SPRINGER)
The copyright of the article Computer Security Weekly, Sep.10. 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, Sep.10. 2000 in print or online must be granted by the author in writing.

Go To Page: 1

Articles in this Topic    Discussions in this Topic