From: 7Pillars Partners <partnersat_private>

Computer security experts unveil way for hackers to steal data from Web users

5.21 p.m. ET (2221 GMT) January 5, 1999

SAN JOSE, Calif. - A new and potentially dangerous security flaw that allows a hacker to steal data off an unsuspecting Web surfer's computer was unveiled Tuesday by Finjan Inc., a San Jose-based computer security company.

The security hole could affect anyone using the Internet that has Microsoft Corp.'s Excel spreadsheet on their computer, said Finjan chief executive Bill Lyons.

"We believe this could affect tens of millions of users as they're configured today," said Lyons. "An attacker could steal or copy innocent Internet users' private files without their knowledge."

Here's how it works: A hacker sets up a Web site with the corrupt code programmed into it. Then an unknowing computer user, who has Microsoft Excel installed but not necessarily running, visits the site. While the user is at the site, the hacker worms into the user's Excel program and, through that, is able to pull files off their computer.

What makes this flaw more devastating is that normally users have to take steps such as downloading infected software to be attacked; in this case, users could be hit by simply visiting a Web site.

So far it's only theoretical. Neither Finjan nor Microsoft has heard of actual attacks. But as John Stewart, a chief architect at Digital Island pointed out, it would be simple enough to do.

"This attack can be executed by almost anyone," he said.

Reporters who went to a designated Finjan World Wide Web site on Tuesday experienced the rip-off firsthand. After clicking on Finjan's site and agreeing to be hacked, the security company was able to pull files out of reporters' computers.

At the Redmond, Wash.-based Microsoft, John Duncan, a product manager in Microsoft's Office group, said they already heard about and offered a solution to the problem last month, e-mailing close to 1 million customers a security bulletin on Dec. 10 that offered a free, downloadable patch.

"We were notified by a third party and we moved to fix it immediately," he said.

More importantly, Duncan said they have had no customer complaints about the problem.

"There really is no newness to this," he said. "There's not a bug in the software."

Microsoft's security bulletin warned that an attacker could get in to the computer via an Excel function, though it did not mention specifically how the attack could be made using the Internet.

"The bulletin provides customers with the information they need to decide whether or not they want to install the ... patch," said Duncan. "However, we want to avoid providing hackers with a blueprint for how they can exploit security issues such as this."

Avi Ruben, a researcher at AT&T Labs, said it's that widespread ease that could make the hacking devastating.

"It is the kind of attack that makes your jaw drop when you hear about it and makes you wonder if sensitive information should ever be kept on a networked computer," he said.

Finjan said Microsoft's free patch will solve the problem. Finjan was also offering a software solution to customers.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]