Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Microsoft Insecurity...
From: cjv () RBMI ORG (Courteney van den Berg)
Date: Mon, 22 Jun 1998 10:00:45 -0700

This is an OLE structured storage problem, not a Microsoft application
problem (although very few non-Microsoft apps use OLE structured
storage).  It was fixed on Windows95 a long time ago by an OLE patch
(see MS KB article Q139432).  Microsoft need a kick in the pants for
leaving such an old bug in their latest release of MAC OLE though.  I
guess the MAC OLE source is probably based on an ancient version of the
PC OLE code.

CJ van den Berg
Computer Information Systems Department
cjv () cfan org

-----Original Message-----
From: Mike [mailto:mike () WOWDX NET]
Subject: Microsoft Insecurity...

Well!  After an overwhelming response from everyone, just a
summery of the

1.  This is a Microsoft Application problem, from Word,
excel, etc from way
back as far as Word 2.0

2.  This has been reported before to Microsoft, without any kind of
response or patch, etc

3.  The problem is that the Microsoft Applications take RAM or Buffer
blocks to fill out application files - reading plaintext, etc,

4.  Suggestions to turn off the 'Fast Save' option help, but
do not by any
means eliminate the problem.

5.  There is no other Fix - other than not attaching an application
document to send to anyone who could possibly use it maliciously.

6.  I think I have heard the opinions from everyone EXCEPT any sort of
Microsoft rep, surprised?

7.  It would be a simple fix of encrypting the 'fill'
information with a
simple MD5 encryption or something similar, just to eliminate
any plaintext.

Thanks to everyone for their suggestions and information....



  By Date           By Thread  

Current thread:
  • Microsoft Insecurity... Mike (Jun 22)
    • <Possible follow-ups>
    • Re: Microsoft Insecurity... Courteney van den Berg (Jun 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]