news

Privacy hole inWindows/MSNMessenger

A feature in MSN andWindows Messenger that wasintended to identify IE userscan be easily exploited by anyWebmaster using Javascriptor Vbscript it has been report-ed in The Register.

This vulnerability enablesanyone to get a surfer’sMessenger username and alltheir contacts as reported byRichard Burton in a post tothe BugTraq mailing list. Also,if a username is unavailable,the email address and contactsare presented instead. Theemail address of the surfer andtheir contacts should only beaccessed by Microsoft.com,Hotmail.com and Hotmail.msn.com. But it is possiblethat software could easilymake a registry entry duringinstallation, which wouldallow an associated website toget full details fromMessenger.

A program could simplyallow Web access by addingdomain suffixes by using theregistry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies\Suffixes.

Burton commented that thesuffix can even be as short as.org or .com and so any web-site with these suffixes canaccess your details.

By default, there are no suf-fixes listed in the registry,according to Burton but theMicrosoft domains are hard-coded into Messenger.Currently the only know fixfor IE users is to disableMessenger before visiting thementioned Microsoft sites. It

would also be beneficial tocheck for entries under theabove registry key, especiallyafter installing software, com-mented Burton.

VIRUS NEWS

Have you got theParty Bug?

Thousands of computer usershave been struck by a newvirus, which offers the falseillusion of a Web page linkleading to party photographs.

Most anti-virus firms havebranded the ‘My Party’ wormas medium risk. The tacticsimplemented by the ‘MyParty’ worm are new and relyon social engineering. Anemail arrives from a knowncontact luring recipients byenticing them to click on afake website to view partyphotographs. So, on receipt, itappears to come from aknown contact that has hosteda party and you haven’t beeninvited! The subject title of theemail states “new photos frommy party”. The url iswww.myparty.yahoo.com. Aclick of the Web page starts upa computer program, whichincludes the virus.

After infection, a backdooris left in computers so it is vitalfor infected users to use ananti-virus tool. After the filecalled www.myparty.yahoo.com is opened, the worm dis-tributes itself to every contactin the Windows Address book.

The file is a Windows appli-cation, which is about 30Kbin length, it is written inMicrosoft Visual C++ and iscompressed in a UPX utility.

The worm has highlightedthe risks from users clicking

on invalid links. Cross-sitescripting attacks rely on usersclicking on an invalid link andare a danger. Cross-site script-ing involves one source inject-ing code into pages sent byanother. The vulnerabilitymeans that hackers can usemalicious code to read anyconfidential informationentered on a dynamic Webpage.

INDUSTRY NEWS

Baltimore sellsContentTechnologies toClearswift

Clearswift Corporation hasoffered £20.5 million toacquire the ContentTechnologies subsidiary ofBaltimore Technologies plc.The acquisition will costClearswift a minor amount incomparison to the colossalsum of £692 million paid byBaltimore in 2000.

Whether this offer will beaccepted depends onBaltimore shareholder ap-proval at an extraordinary gen-eral meeting in March.

Clearswift was created in2001 from the 19-year-oldNET-TEL organization. InJuly 2001, it launched theClearswift Enterprise Suite,which is a solution for contentfiltering, messaging policyenforcement and email securi-ty. The Content Technologiespart of Baltimore Technologiesplc sells and supports theMIMEsweeper product family.Over 10 000 customers and 10million end-users deployMIMEsweeeper Policy-BasedContent Security solutions

within their email and Webenvironments. MIMEsweeperwas developed on MicrosoftServer-based technology andcan be used to manage Internetand Internet-based messagingsystems. IDC analysts predictthat the Secure ContentManagement software willgrow 20.5% CompoundAnnual Growth Rate up to2005. Diminishing cash sup-plies and lower PKI technologysales has led Baltimore to scaledown, which has resulted insubstantial job losses. A busi-ness review also revealed thatBaltimore was running twobusinesses (PKI and ContentTechnologies) with minimalcommon ground betweenthem.

Microsoft calls onhacker expert

Microsoft Corp. has hired anew chief security strategistcalled Scott Charney as partof Microsoft’s TrustworthyComputing initiative.

The new chief securitystrategist will abandon his cur-rent position as a principal atPricewaterhouseCoopers LLP(PwC)’s Cybercrime Pre-vention and ResponsePractice, according to thestatement. Before Pricewater-houseCoopers, Charney waschief of the Computer Crimeand Intellectual PropertySection (CCIPS) at the USDepartment of Justice, wherehe chased international hack-ing incidents and economicespionage.

Bill Gates, MicrosoftChairman and Chief SoftwareArchitect said that customersshould be able to rely on com-puting that is as available,

3

march.qxd 2/14/02 8:23 AM Page 3