MSN hackers heaven (fwd)
This is a variation on Brad's forward of the MSN security
Information Week, August 28, 1995, p. 24.
Risk Looms On Microsoft Network. E-mail icons can hide
A feature designed to make electronic mail easy to use on
the Microsoft Network online service may also make it
easier for hackers to trick users into running destructive
software programs on their PCs.
When a Microsoft Network user sends a binary file embedded
in an E-mail message, the file appears as an icon on the
recipient's screen. The recipient can double-click on the
icon to automatically download the embedded file and
execute it. To download the file without executing it, the
recipient must use the mouse's right button, which has been
rarely needed until now.
Though other online services offer automatic downloading of
files, Microsoft's goes one step further in allowing the
file's automatic execution. That file could be a virus or
other malicious program that could erase files or reformat
a hard disk, according to Mike Wyman, VP and chief
technical officer of Interactive Data Corp., an investment
information firm in Lexington, Mass., and a Microsoft
Network beta user. "On the Microsoft Network, I can
disguise an icon so that it looks innocuous," says Wyman.
"The analogy I like to use is the Unabomber. If you get a
package in the mail that's wrapped in duct tape and brown
paper, you'd regard it as suspicious. But if it's a plain
white envelope with Ed McMahon's picture on it, you
wouldn't think twice about opening it."
Microsoft says the feature is a convenience, not a security
hole. "There are risks of getting [data] off the network in
any form," says George Meng, group product manager for the
Microsoft Network in Redmond, Wash. "People have to be
aware of what the source of information is."
Winn Schwartau, president of Interpact Inc., a computer
security consulting firm in Seminole, Fla., disagrees. "If
the ability to execute programs bypasses conventional
filtering and virus controls, then you certainly have a
security hole," he says. "Potential 'Trojan horse' programs
could be sent by anyone."
By Mitch Wagner and Clinton Wilder