I just heard of a vulnerability of people using IE 4 and Office 97. It
checks out at the MS site, and am just passing it along (although I realize
it is OT.)
GAPING SECURITY HOLE IN IE/OUTLOOK AND OFFICE
~~~~~~~~~~~~~~~
Listen up, people. This is serious. Probably the most
important article that's ever appeared in Woody's Office
Watch.
WOWser DavidF wrote to me last week with a masterful,
amazing hack that exploits the largest Office security hole
I've ever seen. No, I'm not going to tell you the details
of how the security hole works (Microsoft will give some
broad info) - and I sure as hell hope nobody else drops
enough hints to teach some %$#@! idiot malware writer how
to do it. But I will tell you what it does. If you have
Office installed, and you use Internet Explorer to view an
infected Web page, that page - without your knowledge, or
any action on your part - can wreak havoc on your system.
It can drop a virus, delete a folder, scramble data, send
your tax files to Timbuktu... anything. Similarly, if you
use Outlook 98 or later to view an infected HTML message,
that message - with no action on your part - can do
anything to your system.
Anti-virus legend Dr. Vesselin Bontchev confirmed DavidF's
report by showing me an HTML file that exploits the
security hole. It's... scary. It's way too easy to
exploit, unlike some more obscure security problems you
don't have to be a 'rocket scientist' to spread trouble.
For that reason, WOW has decided to be quick about warning
our readers to get the protective patch before examples of
this spread 'in the wild'.
DavidF told me, "I'm a bit surprised this isn't more widely
known. I notified the IE team of it long ago..." As in the
past WOW has been able to bypass Microsoft's bureaucracy
and quickly get the details to the people who matter. Once
we passed along David's news to the right levels inside
Microsoft, the offal hit the impellers, a team has been
working day and night for the last few days to find a fix.
Microsoft will be posting that fix in the next few hours.
That's why we held off on sending WOW to you this week - to
make sure the fix was ready and that it works. It does.
Let me make this really clear. Every single Office user who
also uses Internet Explorer or Outlook 98 or later, MUST
INSTALL THIS PATCH. It's only a matter of time before some
%$#@! cretin figures out how to exploit this hole. You -
and everyone you know - needs protection NOW.
There's actually TWO security patches out today. We're
particularly concerned with the Word 97 Template patch, but
you should get the Forms 2.0 patch as well. More info on
both problems below.
WORD 97 TEMPLATE PATCH
Microsoft Security Bulletin:
http://www.microsoft.com/security/bulletins/ms99-002.asp
Office Update Download Page:
http://officeupdate.microsoft.com/downloaddetails/wd97sp.htm
FORMS 2.0 CONTROL PATCH
Office Update Download Page:
http://officeupdate.microsoft.com/downloaddetails/fm2paste.htm
Microsoft Security Bulletin:
http://www.microsoft.com/security/bulletins/ms99-001.asp
Please. Take a few seconds to forward this article to
everyone you know who doesn't subscribe to WOW. Urge them
in no uncertain terms to get the patches, and apply them
immediately.
======================================================
Don Cooley / San Jose CA / dcooley(a)dnai.com . Go to
http://prostate-help.com to join the Prostate-Help Mailing List,
subscribe to the Newsletter, find my cancer story and family
history. To discuss our prostate cancer call me at 408-268-6400
======================================================