POWER USER

Back doors in code raise a few questions about security vulnerabilities

John McCormick

If you have a suspicious mind, you might have figured all along that software vendors build back doors into their programs on purpose. If not, you have a nasty surprise coming.

The cute ActiveX applets that make Web sites so interactive (and sometimes so slow) have always bothered security experts because the applets load themselves onto your computer. Even if every Web site were trustworthy, the applets seldom tell you exactly what they are going to do.

Microsoft Corp., inventor of ActiveX, knew it could be abused, so it built ActiveX security controls into the Internet Explorer browser. You have the option of refusing all ActiveX controls and plug-ins. Most users choose to be notified before such code runs so they have the option of blocking it. If you've never turned this protection on, go to Tools, Internet Options, Security, Custom Level.

You may know that the default setting for 'Download signed ActiveX controls' is 'Prompt,' and believe that no ActiveX code will come through your browser without your knowledge. But this is not always true.

One tiny loophole might be big enough to drive a truck through. According to recent Web reports, some ActiveX code, especially the Install Engine Control, can get through Internet Explorer without asking permission first, as long as it carries a Microsoft signature.

Microsoft certainly would not want to harm its users, but if it built this back door into Explorer 4 and 5, how long will it take some cracker to figure out how to exploit it by capturing an authentic Microsoft ActiveX message and hiding a payload inside?

Not permitted

If you don't want even Microsoft software to install through Internet Explorer without permission, watch for a patch at www.microsoft.com/security/default.asp. And see the details about the back door as described by its discoverer, Juan Carlos G. Cuartango, at www.angelfire.com/ab/juan123/iengine.html.

Another Microsoft software feature a lot of people aren't aware of was discovered quite a while ago.

Ever write an anonymous memo? If it was in Microsoft Office 97's Excel, Word or PowerPoint, and if your computer had an Ethernet card installed, Office 97 tagged it uniquely. Office documents contain more than just text equivalents. Part of their extra size comes from special formatting, links to other files and macros.

I always save Office files in Rich Text Format because any macros I created are stored in a local file and therefore will still work, but anything I distribute in RTF loses the macros, effectively sanitizing the file.

Office 97's buried identifier code is called metadata because most of it does not pertain to the content, just to how it is presented.

The unique code is generated from the identifying number of the installed network interface card.

If you're tracking the origin of a document created in Office 97 (not in Office 2000), go to a computer you think might have generated it, create a test document, then compare its metadata against that of the unknown file. You won't always know who created the document, but you can positively identify the computer that last saved it.

Remember that this tagging still applies to all Office 97 files, even if you have since upgraded to Office 2000. Information about a patch that removes the Office 97 metadata appears at officeupdate.microsoft.com/articles/metadata.htm.
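The comparison described above can be scripted. The following Python is an added example, not code from this column or from Microsoft; it assumes the identifier is stored in the file as a brace-delimited version-1 GUID string (ASCII or UTF-16LE) whose node field holds the network card address, and the three sample documents are constructed.

```python
import re
import uuid

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

def find_guids(data: bytes) -> set:
    """Collect GUID strings stored as ASCII or as UTF-16LE at either byte alignment."""
    views = (
        data.decode("latin-1"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    )
    return {uuid.UUID(text) for view in views for text in GUID_RE.findall(view)}

def nic_address(guid: uuid.UUID):
    """Return the address in a version-1 GUID's node field, or None if it has none."""
    if guid.version != 1:
        return None  # other GUID versions carry no hardware address
    if (guid.node >> 40) & 0x01:
        return None  # multicast bit set: the node value was randomly generated
    return ":".join(f"{(guid.node >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))

def machine_ids(data: bytes) -> set:
    """Every network card address recoverable from the GUIDs in one file."""
    return {mac for guid in find_guids(data) if (mac := nic_address(guid))}

def shared_machines(unknown: bytes, reference: bytes) -> set:
    """Addresses present in both files: evidence they were saved on the same computer."""
    return machine_ids(unknown) & machine_ids(reference)

# Constructed sample files (not real documents). The first two carry different
# GUIDs that end in the same constructed address, 00:11:22:33:44:55.
HEADER = b"\xd0\xcf\x11\xe0"
UNKNOWN = HEADER + b"memo" + "{6B29FC40-CA47-11D3-9A0C-001122334455}".encode("utf-16-le")
REFERENCE = HEADER + b"x" + "{7C3A0D52-CB10-11D3-B21F-001122334455}".encode("utf-16-le")
OTHER_PC = HEADER + b"{7C3A0D52-CB10-11D3-B21F-0011223344AA}"

if __name__ == "__main__":
    print("unknown file saved on:", machine_ids(UNKNOWN))
    print("match with test document:", shared_machines(UNKNOWN, REFERENCE))
    print("match with other computer:", shared_machines(UNKNOWN, OTHER_PC))
```

An empty result only means no shared address was found; it does not prove the file came from a different computer, since the card may have been swapped or the metadata removed.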

John McCormick, a free-lance writer and computer consultant, has been working with computers since the early 1960s. E-mail him at poweruser@mail.usa.com.
