[7012] in bugtraq
Re: Microsoft Insecurity...
daemon@ATHENA.MIT.EDU (Courteney van den Berg)
Mon Jun 22 14:30:43 1998
Date: Mon, 22 Jun 1998 10:00:45 -0700
Reply-To: Courteney van den Berg <cjv@RBMI.ORG>
From: Courteney van den Berg <cjv@RBMI.ORG>
To: BUGTRAQ@NETSPACE.ORG
This is an OLE structured storage problem, not a Microsoft application
problem (although very few non-Microsoft apps use OLE structured
storage). It was fixed on Windows95 a long time ago by an OLE patch
(see MS KB article Q139432). Microsoft need a kick in the pants for
leaving such an old bug in their latest release of MAC OLE though. I
guess the MAC OLE source is probably based on an ancient version of the
PC OLE code.
CJ van den Berg
Computer Information Systems Department
CfaN
cjv@cfan.org
> -----Original Message-----
> From: Mike [mailto:mike@WOWDX.NET]
> Subject: Microsoft Insecurity...
>
> Well! After an overwhelming response from everyone, just a summary of the
> conclusions:
>
> 1. This is a Microsoft Application problem, from Word, Excel, etc from way
> back as far as Word 2.0
>
> 2. This has been reported before to Microsoft, without any kind of
> response or patch, etc
>
> 3. The problem is that the Microsoft Applications take RAM or Buffer
> blocks to fill out application files - reading plaintext, etc,
> indiscriminately.
>
> 4. Suggestions to turn off the 'Fast Save' option help, but do not by any
> means eliminate the problem.
>
> 5. There is no other Fix - other than not attaching an application
> document to send to anyone who could possibly use it maliciously.
>
> 6. I think I have heard the opinions from everyone EXCEPT any sort of
> Microsoft rep, surprised?
>
> 7. It would be a simple fix of encrypting the 'fill' information with a
> simple MD5 encryption or something similar, just to eliminate any plaintext.
>
> Thanks to everyone for their suggestions and information....
>
> Cheers
>
> Mike
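
Added example, not part of either post above: a check a sender can run on an OLE structured storage (compound file) document before attaching it, listing sectors that the file's allocation table marks free but that still contain non-zero bytes. It assumes the leftover data sits in free sectors and handles only the FAT sectors listed in the file header; the function names and the sample file are constructed for this illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD

def dirty_free_sectors(data):
    """Return indexes of sectors the FAT marks free that still hold non-zero bytes."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    (shift,) = struct.unpack_from("<H", data, 30)    # sector shift (9 = 512 bytes)
    size = 1 << shift
    (n_fat,) = struct.unpack_from("<I", data, 44)    # number of FAT sectors
    difat = struct.unpack_from("<109I", data, 76)    # header DIFAT: FAT sector locations
    fat = []
    for sec in difat[:n_fat]:  # simplification: header DIFAT only (first 109 FAT sectors)
        if sec == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (size // 4), data, (sec + 1) * size))
    total = len(data) // size - 1                    # sectors actually present in the file
    dirty = []
    for idx, entry in enumerate(fat[:total]):
        start = (idx + 1) * size                     # sector n starts after the header
        if entry == FREESECT and any(data[start:start + size]):
            dirty.append(idx)
    return dirty

def build_sample():
    """Constructed 4-sector file: FAT, one used sector, one clean and one dirty free sector."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 30, 9)
    struct.pack_into("<I", header, 44, 1)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    used = b"document stream".ljust(512, b"\0")
    clean = bytes(512)
    dirty = b"constructed leftover memory contents".ljust(512, b"\0")
    return bytes(header) + fat + used + clean + dirty

if __name__ == "__main__":
    print(dirty_free_sectors(build_sample()))
```

A non-empty result means the file carries bytes that belong to no stream in the document; unused space at the end of an allocated stream's last sector is not covered by this check.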