Simplify for security

Friday, 26 September 2003, 8:46 AM EST

It's been a bad month. We've learned of critical loopholes in recent versions of Windows and in even more versions of Microsoft Word. A month like this—a month of drawing up budgets for many—gives IT managers fair warning that future problems of this kind may well occur and that it's part of their job to be ready with both strategies and resources.

At 3 a.m. Sept. 8, I was trying to get actual work done when I was interrupted by a SANS Critical Vulnerability Analysis. It warned of a macro execution loophole in every version of Microsoft Word beginning with the venerable, but still widely used, Word 97. Regardless of security settings, I learned with dismay, a maliciously crafted .doc file can execute macro code that runs with all of the user's privileges.

It's exasperating that there's no distinction between the privileges that you have from a console window—from which you might actually want to format a hard drive—and the more limited privileges that you'd typically want within a word processing session. I'm tired of pointing out the wrongheadedness of this model, which dates back two decades to the time when any code on a machine was there because the user wanted it there. In this era of transparent connectivity to unknown service providers, all IT buyers should be demanding that platforms limit the privileges of a process to those that are needed to do its intended job.

[ Read more ]




Spotlight

Intentional backdoors in iOS devices uncovered

Posted on 22 July 2014.  |  A researcher has revealed that Apple has equipped its mobile iOS with several undocumented features that can be used by attackers and law enforcement to access the sensitive data contained on the devices running it.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Jul 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //