W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H Volume 7 Issue 47 is really annoyed with Microsoft.
W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H describes QUOTE security holes in Word so big they defy description. UNQUOTE Subscribe to W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H for the low down on understanding that Microsoft Security is an Oxymoron. There is a wealth of information in this regular e-newsletter.
Scenario:
- Bob has access to a file.
- Alice wants it.
- Alice sends Bob a document, innocently asking Bob to edit it and return it to her.
- When it comes back, it contains the file that Alice wanted, and Bob is none the wiser. Bob cannot block this with anti-virus or any of the usual PC security because this is the way Microsoft Word is supposed to work.
- Or, Word can "phone home" to Alice's web site, delivering what she wants. Bob does not need to send the document back to Alice and she can still get a copy of the file she wants.
- Woody showed Microsoft step by step exactly how that could be done, Sep 17, and the latest Microsoft press release is still pretending that this capability is not in their software.
- Oct 5 Woody sent Microsoft a demonstration Word document that when opened, sends Woody the first 230 characters of any file on your PC that he cares to name, to anywhere he cares to send it.
- Contrary to Microsoft's public statement, Alice does not need to know the absolute path to Bob's file. The person doing the pilfering can use just the name of the file without knowing what directory it is in.
- You can go after just about any file, such as the passwords file, so long as you know how Windows organizes these things.
- The ability to do this stuff is what Microsoft calls a feature, so obviously, to Microsoft, this is not something they have any commitment to fixing.
W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H QUOTE
LIES, DAMN LIES, AND MICROSOFT
Man, am I ticked off.
On October 8 - yesterday - I received a copy of Microsoft's
Inside Office Newsletter. Under the headline "Answers to
Concerns About Security in Word" there's a link to
, where you'll find the same press release Microsoft posted
a month ago about the "confusion and speculation"
surrounding the huge security holes in all versions of
Word. This is the first time Microsoft has notified its
customers about Alex's Document Collaboration Spy problem,
as far as I can tell, and instead of telling something
resembling the truth, all we get is more obfuscation.
Recycled obfuscation at that.
Only Microsoft would have the unmitigated gall to lie so
blatantly, at this late date, and expect their customers to
swallow it. I use the term lie quite deliberately,
Microsoft is still making statements that it knew then and
knows now are totally false.
YODA tore the press release apart in Woody's Windows Watch
a couple of weeks ago
But YODA only knew part of the story: he didn't know
about the security holes I've been feeding to Microsoft,
and he hasn't seen the gaping exposures other folks have
encountered. The truth is far more devastating than
anything YODA could imagine.
In this issue of Woody's Office Watch, I'm going to show
you specifically how Microsoft is lying to you.
UNQUOTE
and Woody does so, with ample examples.
BACKGROUND
On August 26th Alex Gantman released to a small community of fellow anti-virus analysts details of a new type of security breach in Word, which has many variations and consequences. He didn’t misuse his discovery but told other computer security specialists through an avenue that Microsoft closely watches. Therefore Alex did notify Microsoft, at the same time as others. Microsoft objects to anyone else being told about security problems with Microsoft products, preferring to be the sole clearing house for information and arbiter of what their customers should know. It was only after Woody published some details in Woody’s OFFICE Watch on September 6th that the mainstream press got a hold of the story.
If you like the no-nonsense straight scoop of W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H, assuming I have done an adequate job of translating / reviewing the latest news on this Microsoft Security is an Oxymoron front, here are some books to look out for from Woody (Al's advertisement for Woody here in appreciation for the great education Al gets from Woody).
"Windows XP All-In-One Desk Reference For Dummies", Hungry Minds http://www.woodyswatch.com/l.asp?0764515489
"Special Edition Using Microsoft Office XP" with Ed Bott, Que
"Special Edition Using Microsoft Office 2000" with Ed Bott, Que http://www.woodyswatch.com/l.asp?0789718421
"Woody Leonhard Teaches Office 2000", Que
4:13:49 PM