Sunday, 6 May 2007
What's the problem with Microsoft Word?
In the last two months alone, at least four major security flaws involving Microsoft Word have come to light. All are "zero day" flaws, meaning Microsoft and security organizations became aware of them at the same time that destructive hackers became aware of them. In many "zero day" cases, it's the exploitation of the flaw that brings it to the attention of the software companies; in other cases, the software companies announce the flaw and hackers immediately take advantage of it before a patch can be released. The strange thing about the latest Word problems is that almost eight weeks after the first one hit the news because it was exploited by attackers, Microsoft still hasn't released a patch to fix it.
The first in this string of security holes popped up in early December. This flaw affects computers running Word 2000, 2002 and 2003; Word 2004 for Mac and Word 2004 version X for Mac; Word Viewer 2003; and Microsoft Works 2004, 2005 and 2006. An attacker hides a piece of code in a Word document and puts it on a Web site for download or sends it out as an e-mail attachment. When a user downloads or opens the document, the attacker can remotely control the user's computer and execute a wide array of codes under the user's own login. This flaw came to Microsoft's attention on December 5, 2006, when people started reporting attacks.
A second, previously unknown flaw started to draw attention just a week later, this one also allowing a remote attacker to take control of a user's PC. According to Microsoft, though, this flaw exploits an entirely different security hole -- one that opens when Word undergoes a specific error. Apparently, this attack doesn't require a user to download a malicious file; it only requires the Word program on the person's computer to experience this error, at which point an attacker can enter the system and run malicious code. It affects Word 2000, 2002 and 2003 and Word Viewer 2003.
Security experts have attributed these two security holes to memory-corruption flaws in the Word programs. Days later, a third flaw was revealed. This one also allows for remote access and control of a user's machine and has been tied to a buffer-overflow problem in Word. It came to public attention when a software expert called "Disco Johnny" published proof-of-concept code on the Web that showed how a malicious hacker could exploit it, essentially providing instructions for running an attack in addition to showing Microsoft it has yet another problem. And about five weeks later, on January 25, a fourth security hole became the subject of a malicious attack that begins when a user opens a rigged Word file sent as an e-mail attachment and has similar results to the previous attacks: remote access and control of an entire system if it's running Word 2000. If the computer is running Word 2003 or Word XP, it only crashes the computer, as opposed to opening it up to remote control.
These four issues are only the latest in a series of attacks exploiting previously undiscovered flaws in a wide array of Microsoft Office applications. In September 2006, hackers started exploiting another zero-day Word flaw, this one only affecting Word 2000. A user had to open an infected Word 2000 document using the Word 2000 program in order for the virus, MDropper.Q, to drop a piece of code in the user's PC. This allowed a remote attacker to take control of the infected PC. Security sources report that this flaw still has not been patched, almost five months later. Microsoft has, however, patched several of the flaws involving other Office programs, including security holes in versions of PowerPoint and Excel.
Since no security patches have been released for the Word flaws, Microsoft recommends installing multiple layers of security software and updating the versions vigilantly. Beyond that, we can only use the wariness we've become accustomed to when opening attachments or downloading files, with an extension into a traditionally safer area: Now, if it ends with .doc, don't touch it unless you know and trust the source.
Saturday, 21 April 2007
How Firefox Works
A Web browser is sort of like the tires on your car. You don't really give them much daily thought, but without them, you're not going anywhere. The second something goes wrong, you definitely notice.
Chances are, you're reading this article on Internet Explorer. It's the browser that comes already installed on Windows operating systems; most people use Windows, and most Windows users don't give a second thought to which browser they're using. In fact, many people aren't aware that they have an option at all.
Options are out there, however -- some people call them "alternative browsers," and one of them has been steadily chipping away at Internet Explorer's dominance. It's called Firefox. From its origins as an offshoot of the once popular Netscape browser, Firefox is building a growing legion of dedicated users who spread their enthusiasm by word of mouth (or blog).
In this article, we'll find out what makes Firefox different, what it can do and what effect an open-source browser might have on the Internet landscape.
Nokia rumored 8600 Luna exposed
The rumored Nokia 8600 “Luna” just got a lot more real now that a suspiciously similar twin is teasing us from the Carphone Warehouse site. The site dubs the phone the Nokia High Fashion because it’s “so new it doesn’t even have a model number.” Sure, whatevs. At least they know that it’s “coming soon” with an “on-screen menu system,” 2 megapixel camera for photos and video, MP3 player, and 1GB of built-in memory. It’s also likely to be sporting Series 40 under that sliding, semi-transparent hood. Nice.
