http://chkpt.zdnet.com/chkpt/zdnn010699/www.zdnet.com/zdnn/stories/news/0,4586,383371,00.html
Latest scary virus draws skeptics
The Russian New Year Excel bug hasn't hurt anybody and perhaps never will.
By Jim Kerstetter, PC Week
An Israeli security company finds an ingenious hack that has impacted no
one and has yet to be spotted on the Internet, and everyone gets upset.
But should they?
This time, the danger is in malicious mobile code hidden on Web sites.
Finjan Inc., with U.S. headquarters in San Jose, Calif., detailed the
attack, called the Russian New Year, during a teleconference earlier
today.
The genius of this attack, according to Finjan officials, is in taking two
functions normally used separately -- HTML and the CALL function available
in Microsoft Corp.'s Excel 95 and 97 -- and combining them to form an
attack. With this combination, an attacker could steal or copy Internet
users' documents and spreadsheet files. The Excel application does not
have to be running to execute this exploit. It just has to be installed on
a PC.
The victim would never know what happened, said Bill Lyons, Finjan's
president and CEO.
Lyons said he is not aware of any companies that have been exposed to the
attack, although another Finjan official said he has heard of a few but
couldn't disclose their names. They also said no one had pinpointed a site
that's conducting such attacks.
A Finjan customer notified the company about the security "hole" after
being alerted by a colleague in Russia (hence the "Russian New Year" tag).
Finjan, in turn, contacted Microsoft (which had already posted a security
alert last month that said such a thing was possible with Excel), alerted
the highly regarded CERT (Computer Emergency Response Team), added a patch
to its own mobile code-scanning software, gave The Wall Street Journal a
heads-up and called a press conference.
The problem appears to be preventable, although at the cost of losing some
of the Web's interactive features, said Lyons.
Install or upgrade to Microsoft's Office 97 and install Service Release 1
and then install Service Release 2 plus patch to eliminate the CALL
function.
If using Microsoft's Internet Explorer version 4.x, adjust the security
setting on the browser to the highest level.
If using Netscape Communications Corp.'s Navigator browser, install or
upgrade to Navigator 4.5.
Finjan is also offering a free 30-day trial of its SurfinGate server
software that deals with the problem.
Observers are wary
To some industry observers, the Russian New Year is more water than vodka.
They say by all means pay attention to such alerts and take steps to
protect against such attacks. But a company -- or a consumer -- cannot be
a fortress and still function in an Internet economy. Fears of hackers,
malicious Web sites and internal saboteurs can't derail a company from
taking advantage of the Internet.
"I fear that the media focus on things like this is making people make
unwise security investments," said Ted Julian, an analyst at Forrester
Research Inc.
What Julian says is: Be prepared, be safe and expand your security plans
to include issues like giving customers and business partners access to
data via authentication mechanisms like digital certificates. Maintaining
tough security policies is often more beneficial than buying expensive
software. Whatever you do, he said, don't become so paranoid that your
business becomes an island on the Internet.
"Application access control is far more important in the long run than a
lot of these issues," Julian said.
So far, most highly publicized security breaches have been isolated to a
single company or even the laboratory.
Last month, for example, Network Associates Inc. called a press conference
to talk about a virus that had been set loose on the internal network of
MCI/Worldcom. One Network Associates official dubbed the attack
"cyberterrorism," although the company later played it down. MCI/Worldcom
officials even called reporters to refute such characterizations. And last
summer, researchers at Bell Laboratories exposed a hole in the Secure
Sockets Layer security used in most browsers. Netscape and Microsoft
quickly released patches and the hole was never exploited outside of a
lab.
Sprinkle in the dozens of Microsoft Office macro viruses and other
nuisance attacks, and it would appear that the world is a very dangerous
place.
And it can be, said analysts. But the more worrisome attacks, like one on
Caterpillar Inc. last summer that lasted for two weeks, still rely more on
guile than technical savvy.
As bad as the worm?
Forrester's Julian chaffed at an assertion by Finjan that the Russian New
Year attack is the worst thing since the Morris Worm, which virtually
brought down the Internet about 10 years ago.
Robert Morris, a student at Cornell University at the time, created a
self-replicating virus -- more of an experiment than a malicious act --
and set it loose on the university's network to see what would happen.
Within days, it had spread across the Internet and even disabled part of
AT&T's phone system, according to the book, "Cyberpunk: Outlaws and
Hackers on the Computer Frontier" by Katie Hafner and John Markoff.
"Give me a break," said Julian. "There is no comparison between a
malicious code incident with no fallout and what was one of the seminal
hacks of all time."
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Jan 7 15:55:05 1999