Back doors in code raise questions about security vulnerabilities

John McCormick

If you have a suspicious mind, you might have figured all along that software vendors build back doors into their programs on purpose. If not, you have a nasty surprise coming.

The cute ActiveX applets that make Web sites so interactive, and sometimes so slow, have always bothered security experts because the applets load themselves onto your computer. Even if every Web site were trustworthy, the applets seldom tell you exactly what they are going to do.

Optional control

Microsoft Corp., inventor of ActiveX, knew it could be abused, so it built ActiveX security controls into the Internet Explorer browser. You have the option of refusing all ActiveX controls and plug-ins. Most users choose to be notified before such code runs so they have the option of blocking it. If you've never turned this protection on, go to Tools, Internet Options, Security, Custom Level.

You may know that the default setting for 'Download signed ActiveX controls' is 'Prompt,' and believe that no ActiveX code will come through your browser without your knowledge. But this is not always true.

One tiny loophole might be big enough to drive a truck through. According to recent Web reports, some ActiveX code, especially the Install Engine Control, can get through Internet Explorer without asking permission first, as long as it carries a Microsoft signature.

Microsoft certainly would not want to harm its users, but if it built this back door into Explorer 4 and 5, how long will it take some cracker to figure out how to exploit it by capturing an authentic Microsoft ActiveX message and hiding a payload inside?

If you don't want even Microsoft software to install through Internet Explorer without permission, watch for a patch at www.microsoft.com/security/default.asp. And see the details about the back door as described by its discoverer, Juan Carlos G. Cuartango, at www.angelfire.com/ab/juan123/iengine.html.

Another Microsoft software feature a lot of people aren't aware of was discovered quite a while ago.

Ever write an anonymous memo? If it was in Microsoft Office 97's Excel, Word or PowerPoint, and if your computer had an Ethernet card installed, Office 97 tagged it uniquely. Office documents contain more than just text equivalents. Part of their extra size comes from special formatting, links to other files and, of course, macros.

I always save Office files in Rich Text Format because any macros I created are stored in a local file and therefore will still work, but anything I distribute in RTF loses the macros, effectively sanitizing the file.

Got your number

Office 97's buried identifier code is called metadata because most of it does not pertain to the content, just to how it is presented.

The unique code is generated from the identifying number of the installed network interface card.

Microsoft officials have said that the company makes no improper use of this information, which is for the benefit of developers, but I've never heard of any third-party application that uses it.

I'd guess it could theoretically ensure that the particular copy of Office is running only on one authorized computer.

If you're tracking the origin of a document created in Office 97 (not in Office 2000), go to a computer you think might have generated it, create a test document, then compare its metadata against that of the unknown file. You won't always know who created the document, but you can positively identify the computer that last saved it.
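The comparison described above can be scripted. The following Python code is an added example, not part of the original column or of any Microsoft tool; it assumes the identifier is stored as a brace-delimited GUID string whose last 12 hex digits are the network card address (the UUID version 1 layout). The function names and all sample bytes are constructed for illustration.

```python
import re
import uuid

# Brace-delimited GUID text, e.g. {6E3A1C20-4F5B-11D3-9C4E-020000AABB01}
GUID_RE = re.compile(rb"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def nic_addresses(data: bytes) -> set[str]:
    """Return NIC addresses carried by version 1 GUIDs found in raw file bytes."""
    # Dropping NUL bytes makes UTF-16LE text match the same pattern as ASCII.
    flat = data.replace(b"\x00", b"")
    found = set()
    for match in GUID_RE.finditer(flat):
        guid = uuid.UUID(match.group().decode("ascii"))
        if guid.version != 1:
            continue  # only time-based (version 1) GUIDs embed a node address
        node = guid.node  # low 48 bits of the GUID
        found.add(":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -8, -8)))
    return found


def shared_nics(known: bytes, unknown: bytes) -> set[str]:
    """NIC addresses present in both the test document and the unknown file."""
    return nic_addresses(known) & nic_addresses(unknown)


# Constructed sample bytes (not real documents): filler plus one GUID each.
FILLER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\xff" * 16
TEST_DOC = FILLER + "{6E3A1C20-4F5B-11D3-9C4E-020000AABB01}".encode("utf-16-le") + FILLER
UNKNOWN_DOC = FILLER + b"{A17F0D42-5A10-11D3-B2D8-020000AABB01}" + FILLER
OTHER_DOC = FILLER + b"{A17F0D42-5A10-11D3-B2D8-020000AABB02}" + FILLER

if __name__ == "__main__":
    print("test vs unknown:", shared_nics(TEST_DOC, UNKNOWN_DOC) or "no match")
    print("test vs other:  ", shared_nics(TEST_DOC, OTHER_DOC) or "no match")
```

A non-empty result ties both files to the same network card address; an empty one only means no shared version 1 GUID was found in the bytes examined.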

Remember that this tagging still applies to all Office 97 files, even if you have since upgraded to Office 2000. Information about a patch that removes the Office 97 metadata appears at officeupdate.microsoft.com/articles/metadata.htm.

John McCormick, a free-lance writer and computer consultant, has been working with computers since the early 1960s. E-mail him at [email protected].

