[ISN] Computer security experts unveil way for hackers to steal data from Web users

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 07 Jan 1999 - 03:29:40 CST
From: 7Pillars Partners <partners@sirius.infonex.com>

Computer security experts unveil way for hackers to steal data from Web users 
5.21 p.m. ET (2221 GMT) January 5, 1999

SAN JOSE, Calif. - A new and potentially dangerous security flaw that
allows a hacker to steal data off an unsuspecting Web surfer's computer
was unveiled Tuesday by Finjan Inc., a San Jose-based computer security
company. 

The security hole could affect anyone using the Internet who has
Microsoft Corp.'s Excel spreadsheet on their computer, said Finjan chief
executive Bill Lyons.

"We believe this could affect tens of millions of users as they're
configured today," said Lyons. "An attacker could steal or copy innocent
Internet users' private files without their knowledge."

Here's how it works: A hacker sets up a Web site with the corrupt code
programmed into it. Then an unknowing computer user, who has Microsoft
Excel installed but not necessarily running, visits the site. While the
user is at the site, the hacker worms into the user's Excel program and,
through that, is able to pull files off their computer. 

What makes this flaw more devastating is that normally users have to take
steps such as downloading infected software to be attacked; in this case,
users could be hit by simply visiting a Web site. 

So far it's only theoretical. Neither Finjan nor Microsoft has heard of
actual attacks. But as John Stewart, a chief architect at Digital Island
pointed out, it would be simple enough to do. 

"This attack can be executed by almost anyone," he said.

Reporters who went to a designated Finjan World Wide Web site on Tuesday
experienced the rip-off firsthand. After the reporters clicked through to
Finjan's site and agreed to be hacked, the security company was able to
pull files off their computers.

At the Redmond, Wash.-based Microsoft, John Duncan, a product manager in
Microsoft's Office group, said the company had already heard about the
problem and offered a solution last month, e-mailing close to 1 million
customers a security bulletin on Dec. 10 that offered a free, downloadable
patch.

"We were notified by a third party and we moved to fix it immediately,"
he said. More importantly, Duncan said they have had no customer
complaints about the problem.

"There really is no newness to this," he said. "There's not a bug in the
software."

Microsoft's security bulletin warned that an attacker could get into the
computer via an Excel function, though it did not mention specifically how
the attack could be made using the Internet.

"The bulletin provides customers with the information they need to decide
whether or not they want to install the ... patch," said Duncan.
"However, we want to avoid providing hackers with a blueprint for how they
can exploit security issues such as this."

Avi Rubin, a researcher at AT&T Labs, said it's that widespread ease of
execution that could make the hacking devastating.

"It is the kind of attack that makes your jaw drop when you hear about it
and makes you wonder if sensitive information should ever be kept on a
networked computer," he said.

Finjan said Microsoft's free patch will solve the problem. Finjan was also
offering a software solution to customers. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Jan 7 15:54:09 1999