Bugs afflict Microsoft, Netscape, Sun

The companies start off the week battling two security exploits, one of which exposes a computer's contents and the other of which makes computers vulnerable to a complete takeover.

Paul Festa, Staff Writer, CNET News.com

Microsoft, Sun Microsystems and Netscape Communications have started off the week battling two different security problems: one that exposes a computer's contents and another that makes computers vulnerable to a complete takeover.

The latest security vulnerability to surface in Microsoft's products could make an emailed Word attachment a potent Trojan horse, an application that does something unexpected and potentially malicious.

The bug could yield full control of the victim's computer, according to Bulgarian bug hunter Georgi Guninski. The exploit takes advantage of various combinations of Microsoft products, including the Word word-processing application, Access database software, Internet Explorer Web browser and Outlook productivity application suite.

The problem: An attacker can send a Word document that imports an Access database through Word's Mail Merge feature for moving data from one document to another. The database can include Visual Basic for Applications (VBA) code, Microsoft's programming shortcuts for applications, which could be designed to take over the target computer.

Exploits can be designed using Word attachments, through Web sites visited using the IE browser, or by viewing HTML emails with Outlook, according to Guninski.

One security analyst noted that in many corporate settings a firewall can stymie the exploit.

"The vulnerability may be exploited via the Web or email as long as the user under attack can access a file share with the malicious document," wrote Elias Levy, an analyst with SecurityFocus.com and moderator of the Bugtraq security mailing list. "Firewalls can, and are likely to be, configured to stop such file-sharing protocols from crossing corporate network boundaries."

Microsoft said it had been notified of the issue late last night and was still working to evaluate it.

Meanwhile, a company spokesman said the vulnerability required numerous preconditions to be exploited.

"In order to exploit this vulnerability, if it works the way it is described, the malicious user would have to get his Access file onto your machine first," said Microsoft security program manager Scott Culp. "He'd have to get it into a predetermined location on your computer or local network."

In addition, Culp said, those who have downloaded Microsoft's recent Outlook security patches would get a warning before opening an attachment. Even older Microsoft security patches warn people before running an Office application from a Web site.

Guninski posted sample exploit files for both a Word document and a database file.

Java problem

Netscape and Sun are also facing a security problem with Java--Sun's cross-platform programming language--and Netscape's implementation of it in the Netscape browser.

The problem: The implementation allows an unsigned Java applet to read files off a computer and distribute them by acting as a Web server.

Netscape, a division of America Online, said it was in the process of confirming the bug and said concerned users could disable Java in the meantime. Sun representatives were not available to comment.

The bug, dubbed Brown Orifice, was discovered and demonstrated by Dan Brumleve, a programmer with a number of Netscape vulnerabilities to his credit.