Security Watch

Too Much Academic Freedom?

A crack in the ivory tower might require a Big Brother to patch.

• By Russ Cooper
• 01/24/2005

It sure seems to me that going to college these days pretty much means you must expose all your private information to some hacker who will likely give it away to any number of other unknown folks.

One reason continually cited as being the cause of lax security at such institutions is the need for "free" and "open" environments. In other words, we can't have strong security at an ".edu," because to do so would mean monitoring student traffic, enforcing controls on student-owned systems (such as the use of personal firewalls and ensuring that antivirus software is up-to-date). At what point will the student body realize that not having institutionally enforced security leads to its privacy being compromised by hackers? Better the devil you know...

T-Mobile was compromised by a 21-year-old who, seemingly through social engineering, managed to view e-mails and account information for some 400 customers. Apparently, he was offering to look up any of their customers for a price. It looks like he may be working with law enforcement, since the offenses occurred in 2003 and there's been no sentencing information yet.

Hacking
Three new patches that fix security holes were recently delivered by Microsoft. The worst was a vulnerability in the HTML Help ActiveX control patched in MS05-001. This cross-zone scripting vulnerability would permit an attacker to have a page read from, say, the Internet zone drop and execute code in the Local Computer zone. This is most likely to be exploited by spyware.

More graphic formats were found to be vulnerable to overflows in their parsing engines (whatever tools render the graphic file); these flaws were patched by MS05-002. In this case it was cursors and icons (including animated icons). Internet Explorer automatically downloads an icon file (FAVICON.ICO), if it exists, from a Web site when it's bookmarked, so be careful.

Finally, the Microsoft Index service was found to have yet another overflow, now patched by MS05-003. This is the same service targeted by the Code Red worm several years back. In this case, you have to be able to submit a complete query for anything to happen.

Note: Windows 2000's Index Service isn't vulnerable to the issues in MS05-003, but there's a patch for the platform anyway. Microsoft made some security enhancements to the COM object delivered with Index Service, and the Win2K version of MS05-003 provides those enhancements.

Firefox was found to be vulnerable to having security dialogs spoofed. Hmmm ... when that vulnerability was found with IE, there was no end of chatter; but now that it's been determined to be more a problem with HTML than with browsers themselves, people seem awfully quiet. It will be an interesting browser that finally prevents—completely and absolutely—the ability of a Web page to obscure a security dialog box. I doubt we'll see one in our time.