July 1997 Volume 7 Number 7

More Potholes On The Information Superhighway

By Kenneth Moser, CNA, CNSA

Every few months or so, a fresh wave of news appears outlining various hazards in cyberspace. I reviewed some of these hazards in an article in the April 1996 edition of this magazine, "Computer Viruses And Credit Cards On The Internet Be Careful." You should be aware of a few new hazards that have developed since then.

If you use Microsoft's Internet Explorer, you should be aware that the company has recently confirmed the existence of several vulnerabilities in Internet Explorer 3.01, 3.0 and 2.0 for MS Windows® 95 or MS Windows NT® Workstation 4.0. Internet Explorer for Windows 3.1, Windows NT 3.51 and the Macintosh are not affected.

The first vulnerability, called Cybersnot, allows malicious programmers to write code in a Web page that uses Internet Explorer 3.x versions to access a Web page hyperlink pointing to a .LNK (a Windows shortcut file) or .URL file. These .LNK or .URL files can launch executable programs that could damage the computer. The Massachusetts Institute of Technology also reported a variation on this attack that affects .ISP files. The creator of the link would have to know the specific name and path of the program on your computer in order for this technique to work. However, since many people accept default names when installing software, this kind of attack often will be successful.

Microsoft strongly recommends that customers using the English language version of its software download the patches required to correct these problems. Once the patch is installed, an attempt to run an executable program from a Web page will result in an Internet Explorer security dialog box that reminds the user that any viruses in the program could be damaging to the computer. Then, it asks the user if the file should be opened or saved to disk. Remember, it's in your best interest to know for sure that the program comes from a reliable source.

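As an added illustration (not part of the original article, and not a Microsoft tool), a content filter on a proxy or mail gateway could flag pages whose links point at the file types described above. The set of attributes checked and the sample page are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Extensions named in the article: Windows shortcuts (.LNK), Internet
# shortcuts (.URL) and the .ISP variation reported by MIT.
RISKY_EXTENSIONS = (".lnk", ".url", ".isp")
# Attributes that can carry a link target (assumed set for this example).
LINK_ATTRS = {"href", "src", "background", "data"}

def risky_extension(target):
    """Return the risky extension a link target ends in, or None."""
    try:
        path = unquote(urlsplit(target.strip()).path).lower()
    except ValueError:  # malformed URL, nothing to classify
        return None
    # Windows ignores trailing dots and spaces in file names.
    path = path.rstrip(". ")
    return next((e for e in RISKY_EXTENSIONS if path.endswith(e)), None)

class ShortcutLinkFinder(HTMLParser):
    """Collect (tag, attribute, target, extension) for every risky link."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in LINK_ATTRS and value:
                ext = risky_extension(value)
                if ext:
                    self.findings.append((tag, name, value, ext))

def find_shortcut_links(html):
    finder = ShortcutLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """
<a href="files/Demo.LNK">Click here</a>
<a href="http://example.test/go.url?id=7#top">Offer</a>
<img src="signup%2Eisp">
<a href="about.url.html">About</a>
"""

if __name__ == "__main__":
    for tag, attr, target, ext in find_shortcut_links(SAMPLE_PAGE):
        print(f"<{tag} {attr}={target!r}> points to a {ext} file")
```

The check looks only at the path part of each link, so query strings, fragments, upper-case extensions and percent-encoded dots do not hide a match.
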
Please note that, according to Microsoft, AOL users are running Internet Explorer 3.01 and are therefore affected by this problem. If you're connected to the Internet through AOL, download the new software patch to protect your computer. Otherwise, you should connect to http://www.microsoft.com/ie/download, upgrade to the latest version of Internet Explorer, and then install all relevant security patches. For more detailed information on Microsoft security issues and problems, connect to http://www.microsoft.com/ie/security/update.htm.

If you use Microsoft browsers to access the Internet through a corporate firewall or Internet service provider, you may be affected by another vulnerability. If your connection allows file system calls to be passed to the Internet, it is possible for a hacker to present an icon or other graphic in a Web page that, in fact, exists within a regular Windows 95/Windows NT 4.0 folder of your Web site server or computer. Under the right circumstances, this could be used to damage your computer. You can prevent this by checking for the name of the link in the status bar at the lower left of the Internet Explorer window as you pass your mouse over the icon. If no link appears, do not click on the icon. Please note that you need only click a Web icon once (single click) to activate it.

For those of you who think you are safe because you use Netscape Navigator or some other browser, I suggest that you keep an eye on security news and watch the vendor sites for patches.

Second, if you pay any attention at all to new developments in the computing industry, you must have heard by now of two new products called Java and ActiveX. In case you're behind on your reading (and who isn't?), Java is a new programming environment developed by Sun Microsystems. Applets (programs) written in pure Java can run on any computer that hosts what Sun calls a Java Virtual Machine, a facility that is being incorporated into most of the major browsers on the market. ActiveX is Microsoft's answer to Java and does pretty much for Microsoft environments what Java does for everyone else. As with Java, support for ActiveX is being added to most major browsers. If you are running a recent version of Internet Explorer or Netscape Navigator, for example, you're probably running in both of these environments.

Why does this matter? Well, while Java and ActiveX developers did build some security features into these new environments, they can be abused in many ways. For example, one Java applet being demonstrated on the Web will shut down your computer. Another particularly inventive ActiveX applet will search your hard drive for Intuit's Quicken software and, if found, will insert transactions that will cause a funding transfer next time you access your bank. These applets were written for demonstration purposes only, but they show what these new facilities can do quite nicely. You can defeat this kind of abuse by simply turning off Java and ActiveX support in your browsers, but you must be willing to do without some of the more advanced facilities becoming available on the Web. Until more security is built into these environments, I recommend that you turn off all support for executable code when visiting unknown or potentially hazardous sites. This approach is not 100 percent effective, but it probably strikes an acceptable balance in most situations.

If you are responsible for operating a part of your company's internal network, you may want to consult an article Microsoft has published, "How to Maintain Intranet Security When Downloading Executables." This article reviews the potential threat to an organization when users download anonymous executables from the Web, and it advises IT professionals on mechanisms available to enhance security and safeguard corporate assets. This article is available on both the Microsoft TechNet CD reference (available by subscription) and the Microsoft Web site.

Is there an underlying message here? I certainly do not want to discourage use of the Internet and the Web. However, it is worthwhile to remind yourself every now and then that new technologies bring benefits, costs and potential hazards. Enjoy the benefits, watch the costs and, by all means, avoid the hazards.