Simplify for security

Friday, 26 September 2003, 8:46 AM EST

It's been a bad month. We've learned of critical loopholes in recent versions of Windows and in even more versions of Microsoft Word. A month like this—a month of drawing up budgets for many—gives IT managers fair warning that future problems of this kind may well occur and that it's part of their job to be ready with both strategies and resources.

At 3 a.m. Sept. 8, I was trying to get actual work done when I was interrupted by a SANS Critical Vulnerability Analysis. It warned of a macro execution loophole in every version of Microsoft Word beginning with the venerable, but still widely used, Word 97. Regardless of security settings, I learned with dismay, a maliciously crafted .doc file can execute macro code that runs with all of the user's privileges.

It's exasperating that there's no distinction between the privileges that you have from a console window—from which you might actually want to format a hard drive—and the more limited privileges that you'd typically want within a word processing session. I'm tired of pointing out the wrongheadedness of this model, which dates back two decades to the time when any code on a machine was there because the user wanted it there. In this era of transparent connectivity to unknown service providers, all IT buyers should be demanding that platforms limit the privileges of a process to those that are needed to do its intended job.

[ Read more ]




Spotlight

Hackers indicted for stealing Apache helicopter training software

Posted on 1 October 2014.  |  Members of a computer hacking ring have been charged with breaking into computer networks of prominent technology companies and the US Army and stealing more than $100 million in intellectual property and other proprietary data.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Oct 1st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //