Trojan rides in on unpatched Office flaw

Cnet News ^ | 09/30/2005 | Joris Evers

[Panerai]

A new Trojan horse exploits an unpatched flaw in Microsoft Office and could let an attacker commandeer vulnerable computers, security experts have warned.

The malicious code takes advantage of a flaw in Microsoft's Jet Database Engine, a lightweight database used in the company's Office productivity software. The security hole was reported to Microsoft in April, but the company has yet to provide a fix for the problem.

"Microsoft is aware that a Trojan recently released into the wild may be exploiting a publicly reported vulnerability in Microsoft Office," a company representative said in a statement sent via e-mail on Friday. The software maker is investigating the issue and will take "appropriate action," the representative said.

The Trojan horse arrives in the guise of a Microsoft Access file, security software maker Symantec said in an advisory. When run on a vulnerable system, it would give a remote attacker full access to a compromised computer, Symantec said. The company calls the pest "Backdoor.Hesive" and notes that it is not widespread.

Although exploits had already been released in April when HexView publicly reported the flaw, the Trojan is believed to be the first actual threat to take advantage of the security hole. Security monitoring firm Secunia rates the issue "highly critical," one notch below its most serious rating.

[Golden Eagle]

Any lock can be picked, just like all software has holes. In fact, there are more holes in Unix/Linux products reported every single week.

http://www.us-cert.gov/cas/bulletins/SB05-271.html

[Petronski]

I'm not going to bicker semantics with you because it's pointless.

Any lock can be picked, but a defective lock is easier to break than one that works as designed. I didn't mention Linux and I don't use it.

[Golden Eagle]

Any lock can be picked, but a defective lock is easier to break than one that works as designed.

Well according to that link from US-Cert, Unix/Linux products are about 10x more defective.

[Petronski]

Well according to that link from US-Cert, Unix/Linux products are about 10x more defective.

Yawn. Irrelevant to my point.

Microsoft AND the hackers are to blame for any damage resulting from this flaw.

[Golden Eagle]

I don't think lock companies are typically liable when they're picked by professional thieves. Trying to insist you'd just as quickly condemn the platforms with 10x as many holes is laughable too. Just what have you supposedly added to this discussion that had any actual merit?

[Petronski]

Just what have you supposedly added to this discussion that had any actual merit?

If a professional thief can open a defective lock, you can be damn sure the maker of the defective lock will be liable.

Trying to insist you'd just as quickly condemn the platforms with 10x as many holes is laughable too.

Never did it.

[Golden Eagle]

you can be damn sure the maker of the defective lock will be liable."

Sure not taking your word on it. Proof? Precidence?

Never did it.

I know, everyone else always gets a pass with you guys, no matter how much more "defective" their software is.

[N3WBI3]

Yea its not like they have had five months between then and now to fix it right?

reported to Microsoft in April, but the company has yet to provide a fix for the problem.

Oh wait its exactly like that..

[Petronski]

It's a narrow fact set, and I don't have precedents. Of course, I don't care whether you believe it or not, and I don't believe I could bring you to understand the principles involved.

I know, everyone else always gets a pass with you guys, no matter how much more "defective" their software is.

"you guys?" Just the one of me here, a Windows user. Sorry to deprive you of the only thing you have to say.

[Petronski]

Looks like some hackers named "Hexview" released a hack to the public instead of giving it to the vendor privately so they could patch it prior to working exploits being available.

Does the security of Microsoft products REALLY rely on the charity of hackers to privately report the defects they find in Microsoft software?

Good Lord, it's worse than I thought. I'm glad I don't use the affected product.

[Golden Eagle]

Experts estimate the damage of viruses to be in the billions of dollars.

http://news.com.com/2100-1001_3-240112.html?part=msnbc-cnet

Why wasn't Microsoft responsible to pay for any of it? Not even a single penny? Could it be that most rational people rightfully blame the hackers for these attacks? I'd say yes, obviously.

[N3WBI3]

The whole, some hacker did not tell MS first argument might hold weight if this hole was not revealed nearly 6 months ago! Six months to fix a pretty serious bug, should be long enough..

[Golden Eagle]

The hackers should have privately submitted it, so that users weren't exposed. You'd obviously rather lob rotten tomatoes at one of the victims - in this case Microsoft - instead.

[Petronski]

. . . one of the victims - in this case Microsoft . . .

LOL

[Golden Eagle]

They are a victim, which is why they've never been held liable for any of these damages, your whines about it notwithstanding.

[Petronski]

They are a victim...

The wahhhhhhmbulance will be by shortly.

[Golden Eagle]

You're the whiner, not me. I'm just pointing out the facts, which are, MS isn't liable, and neither are lock companies which was your supposed analogy. The crooks are, which for some reason you seem very interested in protecting.

[Petronski]

Things must be getting rough in Redmond. You Microsoft lackeys are doing less strutting these days and more whining.

Too bad so sad.

[Golden Eagle]

Pointing out what's right and what's wrong isn't whining. Whining is what you do when it's demonstrated, which is all you've done.

[Petronski]

LOL