[ISN] Computer security experts unveil way for hackers to steal data from Web users

From: mea culpa (jerichoat_private)
Date: Thu Jan 07 1999 - 01:29:40 PST

    From: 7Pillars Partners <partnersat_private>
    
    Computer security experts unveil way for hackers to steal data from Web users 
    5.21 p.m. ET (2221 GMT) January 5, 1999
    
    SAN JOSE, Calif. - A new and potentially dangerous security flaw that
    allows a hacker to steal data off an unsuspecting Web surfer's computer
    was unveiled Tuesday by Finjan Inc., a San Jose-based computer security
    company. 
    
    The security hole could affect anyone using the Internet who has
    Microsoft Corp.'s Excel spreadsheet on their computer, said Finjan chief
    executive Bill Lyons. 
    
    "We believe this could affect tens of millions of users as they're
    configured today," said Lyons. "An attacker could steal or copy innocent
    Internet users' private files without their knowledge."
    
    Here's how it works: A hacker sets up a Web site with the corrupt code
    programmed into it. Then an unknowing computer user, who has Microsoft
    Excel installed but not necessarily running, visits the site. While the
    user is at the site, the hacker worms into the user's Excel program and,
    through that, is able to pull files off their computer. 
    
    What makes this flaw more devastating is that normally users have to take
    steps such as downloading infected software to be attacked; in this case,
    users could be hit by simply visiting a Web site. 
    
    So far it's only theoretical. Neither Finjan nor Microsoft has heard of
    actual attacks. But as John Stewart, a chief architect at Digital Island
    pointed out, it would be simple enough to do. 
    
    "This attack can be executed by almost anyone," he said. 
    
    Reporters who went to a designated Finjan World Wide Web site on Tuesday
    experienced the rip-off firsthand. After clicking on Finjan's site and
    agreeing to be hacked, the security company was able to pull files out of
    reporters' computers. 
    
    At the Redmond, Wash.-based Microsoft, John Duncan, a product manager in
    Microsoft's Office group, said they already heard about and offered a
    solution to the problem last month, e-mailing close to 1 million customers
    a security bulletin on Dec. 10 that offered a free, downloadable patch. 
    
    "We were notified by a third party and we moved to fix it immediately,"
    he said. More importantly, Duncan said they have had no customer
    complaints about the problem. 
    
    "There really is no newness to this," he said. "There's not a bug in the
    software."
    
    Microsoft's security bulletin warned that an attacker could get into the
    computer via an Excel function, though it did not mention specifically how
    the attack could be made using the Internet. 
    
    "The bulletin provides customers with the information they need to decide
    whether or not they want to install the ... patch," said Duncan.
    "However, we want to avoid providing hackers with a blueprint for how they
    can exploit security issues such as this."
    
    Avi Ruben, a researcher at AT&T Labs, said it's that widespread ease that
    could make the hacking devastating. 
    
    "It is the kind of attack that makes your jaw drop when you hear about it
    and makes you wonder if sensitive information should ever be kept on a
    networked computer," he said. 
    
    Finjan said Microsoft's free patch will solve the problem. Finjan was also
    offering a software solution to customers. 
    
    
    


