
Re: Legality of subverting computational cycles via Microsoft



>Does anybody here know if it is illegal to get unwitting users to download
>benign viruses via MSN?
>
>Doesn't this sort of hole, by its very nature, make it trivial for people
>to violate Europe's future electronic privacy laws? (despite Microsoft's
>guarantee that MSN would follow those rules.)
>
>JWS
>

Yes, the whole MSN virus thing is quite interesting from a privacy standpoint.  About 9 months ago (after I'd left Microsoft) I was evaluating the security risks of viruses that could be embedded in Word and Excel documents.  It is actually quite trivial to develop a virus or Trojan horse with macro BASIC that is completely transparent to the user.  Once the document is opened, the code executes and does its thing.

Many organizations use e-mail software that supports attaching a file to an e-mail message.  You double click the file icon, it runs the creator application (e.g., Word, Excel), and loads the document.  Everyone at Microsoft uses MS Mail.  An interesting scenario I proposed would be to send e-mail to Bill Gates (anonymously or with a spoofed address) with the text body reading something like "Bill, here's a way to get more market share away from Novell.  Read the attached document."  He'd obviously double click the file icon, which would have some real data in it to make it look legitimate.  However, when the document opened, he would have unwittingly executed a macro that scanned his hard drive and e-mailed the directory contents or an interesting looking file or two elsewhere.

As e-mail within MSN supports this type of object/file embedding, there are not only risks from destructive viruses but also potential attacks on your privacy (no, not the MSN online registration thing, but a targeted attack by an individual/organization).

Concluding note:  When I was at MS, the saying "Eat your own dog food" was popular (akin to "some things come back to haunt you").  Last week a friend told me the company was being plagued with a non-destructive version of a Word macro virus.  Let's say in the future someone "gets hurt" because of MSN's embedding feature and decides to sue Microsoft.  It will be interesting to see the company's response when they knew that a security flaw existed internally, but did nothing to resolve it externally.

Joel McNamara
[email protected] - http://www.eskimo.com/~joelm for PGP key
Thomas Jefferson used strong crypto, shouldn't you?
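The post describes macro-bearing Office documents arriving as mail attachments and executing on open. As an added example (not from the original post or its author), here is a small Python check a mail gateway could run to flag attachments that embed a VBA project. It assumes modern zip-based Office files (.docm and friends), so the 1995-era binary .doc format is out of scope; the message and the documents are constructed inline.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# OOXML parts whose presence means the document carries a VBA project.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def attachment_has_macros(data: bytes) -> bool:
    """True if a zip-based Office attachment embeds a VBA project (legacy OLE2 .doc is out of scope)."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(part in zf.namelist() for part in MACRO_PARTS)
    except zipfile.BadZipFile:
        return False

def flag_macro_attachments(raw_message: bytes) -> list:
    """Parse an RFC 822 message; return filenames of attachments that embed macros."""
    msg = email.message_from_bytes(raw_message)
    flagged = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        if attachment_has_macros(part.get_payload(decode=True) or b""):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged

def build_office_zip(with_macros: bool) -> bytes:
    """Constructed stand-in for a .docx/.docm: a minimal zip with or without the VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA blob")
    return buf.getvalue()

def build_sample_message() -> bytes:
    """Constructed lure like the one in the post: a short text body plus two attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Read the attached document"
    msg.set_content("Bill, here's a way to get more market share. Read the attached document.")
    msg.add_attachment(build_office_zip(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="plan.docm")
    msg.add_attachment(build_office_zip(False), maintype="application",
                       subtype="octet-stream", filename="notes.docx")
    return bytes(msg)
```

The check keys on the zip contents rather than the declared MIME type or extension, since a sender controls both of those.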