
Yet another Microsoft security foul-up: Office 2K clipart!

Are you getting tired of reading about security holes? I don't know about you, but I'm getting tired of writing about them.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

It's too bad for both of us that this doesn't matter. In a world glued together by the Internet, a security problem discovered by a guy in Bulgaria on Monday can kick your network's rear on Tuesday. Ain't the World Wide Web wonderful?

One company that I--well, everyone, actually -- likes to kick around a lot for its security problems is Microsoft. It's not that we don't like Microsoft. It's that, well, it fouls up ... a lot. And when you're the world's biggest software company, when you catch a cold the whole world sneezes.

Take its latest fiasco, the clip-art catastrophe. Clip Art Gallery, a sub-program in Office 2000, Works 2000 and every modern Microsoft graphics program, can be extended by adding new clip art to it in the CIL format. Guess what? A deliberately malformed CIL file can trigger perhaps the most common way of prying into an operating system: a buffer overflow.

And what does that mean for you and your users? It means a user can open a clip-art image received in any mail program and end up with the image-maker's virus of choice on their system. Have I mentioned recently that you need to tell users to never, ever open mailed binary files unless they're expecting one? No? Well, go and warn them repeatedly.

Oh, and while you're at it, get them off Microsoft Outlook. One reason Microsoft leads the bug parade is that one of the "features" of Windows and its programs is that data and code can easily be swapped around. Nowhere is that danger more visible than in Outlook. For more on that, see my rantings in "A Modest Proposal".

We're in luck today, however. Microsoft, while saying that it's only a potential problem, immediately released a fix to the problem. You can pick up your copy at http://cgl.microsoft.com/clipgallerylive/pss/bufovrun.htm.

Have fun installing it on every workstation running Office 2000.

Still, while Microsoft isn't getting rid of Windows' inherent security problem, it's finally attacking specific security problems the way they should be: quickly and efficiently.

Other companies, like Trend Micro, always had the right idea. One reason I like Trend Micro is that when it has a problem, it acknowledges it (are you listening, Microsoft?) and fixes it--fast.

It's Not Just Microsoft

Microsoft gets all the red ink, but that's not fair. Yes, I just said that we're not being fair to Microsoft. (That was not a typo.) You see, everything that runs over the Internet is vulnerable.

For example, of the latest 10 problems as of March 8 on Security-Focus' listing of security vulnerabilities, only one, the Clip Art hole, rests completely on Microsoft's doorstep. Of the remaining nine, only one, a problem with Internet Security Systems (ISS) RealSecure products, is Windows-centric, and three of them are Linux problems.

Shocked? Don't be. All of the Unixes, including BSD, Linux, SCO and Solaris, have more than their share of security problems. Think about it. The recent rash of distributed denial-of-service (DDoS) attacks was launched entirely from unsecured Solaris systems. And, much as I rag on Outlook, the all-time champion application for security holes must be that Unix mail transfer agent which still carries most e-mail along its way: Sendmail.

Now, don't start digging out your typewriter and your dial phone. It's been too late to go back since 1980. What has happened since then is that because the Internet connects everyone, security problems anywhere really can whack you.

Also, you OS/2 and Mac users out there: don't get too smug. Your systems tending to be virus-free has more to do with the number of crackers after you than with any theoretical built-in OS security.

What you must do, if you're any kind of administrator, is start getting on top of security problems. Pay attention to your security and antiviral vendors' software newsletters. OK, I know that the antiviral companies, in particular, make it sound like opening an Internet connection is like hooking your faucet up to the Love Canal, but beneath the hysteria, there's some sound information.

You should also get an e-mail subscription to Bugtraq and the Security Focus Newsletter. Both are available from Security-Focus. It's only by keeping up to date on security that you can hope to practice good security.

You also need to implement security fixes as soon as they're available. It would be nice to think that all you had to do was install the best antiviral, firewall and intruder-detection software, forget about it and then start Quake III death matching again.

To do security right, you have to be updating your programs and operating systems constantly. Heck, as the recent security problems with Trend Micro's OfficeScan and ISS's RealSecure show, you can't relax even about your security systems.

Windows, Linux, whatever. If you want your systems to be trouble-free, you need to take a lot of trouble. Hard work and due diligence are the only real security answer.
