Back doors in code raise questions about security vulnerabilities

John McCormick

If you have a suspicious mind, you might have figured all along that software vendors build back doors into their programs on purpose. If not, you have a nasty surprise coming.

The cute ActiveX applets that make Web sites so interactive'and sometimes so slow'have always bothered security experts because the applets load themselves onto your computer. Even if every Web site was trustworthy, the applets seldom tell you exactly what they are going to do.

Optional control

Microsoft Corp., inventor of ActiveX, knew it could be abused, so it built ActiveX security controls into the Internet Explorer browser. You have the option of refusing all ActiveX controls and plug-ins. Most users choose to be notified before such code runs so they have the option of blocking it. If you've never turned this protection on, go to Tools, Internet Options, Security, Custom Level.

You may know that the default setting for 'Download signed ActiveX controls' is 'Prompt,' and believe that no ActiveX code will come through your browser without your knowledge. But this is not always true.

One tiny loophole might be big enough to drive a truck through. According to recent Web reports, some ActiveX code, especially the Install Engine Control, can get through Internet Explorer without asking permission first, as long as it carries a Microsoft signature.

Microsoft certainly would not want to harm its users, but if it built this back door into Explorer 4 and 5, how long will it take some cracker to figure out how to exploit it by capturing an authentic Microsoft ActiveX message and hiding a payload inside?

If you don't want even Microsoft software to install through Internet Explorer without permission, watch for a patch at www.microsoft.com/security/default.asp. And see the details about the back door as described by its discoverer, Juan Carlos G. Cuartango, at www.angelfire.com/ab/juan123/iengine.html.

Another Microsoft software feature a lot of people aren't aware of was discovered quite a while ago.

Ever write an anonymous memo? If it was in Microsoft Office 97's Excel, Word or PowerPoint, and if your computer had an Ethernet card installed, Office 97 tagged it uniquely. Office documents contain more than just text equivalents. Part of their extra size comes from special formatting, links to other files and, of course, macros.

I always save Office files in Rich Text Format because any macros I created are stored in a local file and therefore will still work, but anything I distribute in RTF loses the macros, effectively sanitizing the file.

Got your number

Office 97's buried identifier code is called metadata because most of it does not pertain to the content, just to how it is presented.

The unique code is generated from the identifying number of the installed network interface card.

Microsoft officals have said that the company makes no improper use of this information, which is for the benefit of developers, but I've never heard of any third-party application that uses it.

I'd guess it could theoretically ensure that the particular copy of Office is running only on one authorized computer.

If you're tracking the origin of a document created in Office 97'not in Office 2000'what you do is go to a computer you think might have generated it and create a test document, then compare its metadata against that of the unknown file. You won't always know who created the document, but you can positively identify the computer that last saved it.

Remember that this tagging still applies to all Office 97 files, even if you have since upgraded to Office 2000. Information about a patch that removes the Office 97 metadata appears at officeupdate.microsoft.com/articles/metadata.htm.

John McCormick, a free-lance writer and computer consultant, has been working with computers since the early 1960s. E-mail him at [email protected].


  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected