"Worst Ever" Windows Security Flaw

18-JUL-00 - Your computer can be attacked from an e-mail message without opening attachments. Windows 95, 98, NT, 2000 vulnerable.





Here is the fatal combination:
  • Windows 95, 98, NT or 2000
  • Microsoft Access 97 or 2000 (the database included in Microsoft Office Pro).
  • Internet Explorer 4.x or 5.x
This attack works even if the Outlook security patches are installed, and even if Scripting Host is removed. The attack can be launched from a Web site you are viewing, or from e-mail with any reader that launches Internet Explorer to read HTML messages (Outlook, Outlook Express, Eudora, etc.).

You don't have to open any attachments. You don't even have to fully open the e-mail. Just the message appearing in the preview window is sufficient. If your in-box is empty, it will run immediately. You can just be viewing a Web site - even e-mail isn't required.

If you have Access on your computer, even if (especially if) you never use it, you must execute the following procedure to secure your system. This attack is so simple that lots of kiddies will be trying it now that it is known.

  1. Start Access, but don't open any databases.
  2. From the Tools menu, choose Security.
  3. Select User and Group Accounts.
  4. Select the Admin user (there by default).
  5. Go to the Change Logon Password tab.
  6. If the Admin password is blank (the default), assign a secure password.
  7. Click OK to exit the menu.
Due to a design flaw, Windows opens an Access database before asking if you want to open it. When your e-mail reader sees a message with HTML code, it calls Internet Explorer to read it. Explorer is asked by the message to open an Access database containing hostile code, so Explorer calls up Access. Once Access is open, the code can run any program the perpetrator desires, even a program on a remote computer over the Internet.
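
One way a mail gateway could flag messages of the kind described above, as an added example that is not part of the original advisory: it parses the HTML parts of a message and reports any tag attribute that points at an Access database. The `.mdb` extension check, the function and class names, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

ACCESS_EXTENSIONS = (".mdb",)  # assumption: Access 97/2000 database files


class AccessRefFinder(HTMLParser):
    """Collect every tag attribute whose value points at an Access database."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            try:
                path = urlsplit((value or "").strip()).path
            except ValueError:          # malformed URL: fall back to the raw value
                path = value
            # Decode %2E-style escapes so "orders%2Emdb" is not missed.
            if unquote(path).lower().endswith(ACCESS_EXTENSIONS):
                self.hits.append((tag, name, value))


def scan_message(raw_bytes):
    """Return (tag, attribute, value) hits from the text/html parts of a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    finder = AccessRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.hits


# Constructed sample messages (not from the original page).
HEADERS = (b"From: a@example.test\r\nTo: b@example.test\r\nSubject: sample\r\n"
           b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n")
SAMPLE_FLAGGED = HEADERS + (b"<html><body><p>Quarterly figures</p>"
                            b'<a href="http://example.test/files/orders%2Emdb?id=1">x</a>'
                            b"</body></html>")
SAMPLE_CLEAN = HEADERS + (b"<html><body><p>The orders.mdb file is on the share.</p>"
                          b'<a href="http://example.test/index.html">home</a></body></html>')

if __name__ == "__main__":
    for label, raw in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_message(raw))
```

A hit is a reason to quarantine the message for review; it does not replace setting the Admin password as described in the steps above.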

For more information, and for information on the Office HTML Script Vulnerability, visit the SANS Institute.

For information on other Windows / Outlook threats, visit our Viruses, Worms and Other Threats page.

© Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com