Microsoft faces further security questions

Doubts over the security of Microsoft’s operating systems and software have again been raised following the discovery of further flaws in its Office Web and Terminal Advanced Client (TSAC) Active X Control components.

By Zoe Moleshead. Published October 6, 2002


The latest vulnerabilities again raise concerns that Microsoft may have sacrificed security for features or the early delivery of products.

The vendor, however, was quick to notify users about the flaws and issue patches, while reiterating its commitment to security.

“Microsoft is committed to keeping customers’ information safe and is providing a patch that eliminates the vulnerabilities in the Office Web and TSAC Active X Control components,” says Zaid Abunawar, enterprise and partner group manager, Microsoft Middle East South Gulf.

“Customers who read e-mail in the ‘restricted sites’ zone would be protected against attempts to exploit this by e-mail. Those using Outlook 2002, Outlook Express 6.0 and Outlook 2000 & 98 with the Outlook e-mail security update would [also] be protected by default,” he adds.

The Office Web component contains multiple holes, which could enable attackers to run commands on a user’s system. Microsoft programs affected by this flaw include BizTalk Server 2000 & 2002, Commerce Server 2000 & 2002, Office 2000 and XP.

XP Professional, Windows 2000, Windows NT 4.0 and Windows 98 systems are among those affected by the TSAC flaw, which leaves systems vulnerable as a result of an unchecked buffer in the code. Attacks against users’ systems can be mounted through web pages or e-mail.

Although Microsoft classified the threats as “moderate-to-critical” and advised users to download patches, the vendor also reiterated the importance of user vigilance when it comes to keeping up to date with the latest vulnerabilities.

“Network managers should ensure that updates are ‘forced’ to each system to overcome user negligence or blocking… and managers should be aware of the benefits of training users about the [actions] they can take in using systems to ensure that security measures, such as the restricted site zones on the internet and e-mail, are understood and embraced by end users,” comments Abunawar.

The Active X controls have been at the root of many of Microsoft’s recent security holes and the vendor is keen to distance itself from the vulnerabilities of the component architecture.

According to Abunawar, Active X can be maliciously coded in similar ways to Java applets. As such, he stresses the importance of educating independent software vendors (ISVs) and developers in security practices.

“A secure code mindset is slowly reaching a larger number of developers thanks to the initiatives of Microsoft and other companies. The broader reach of Microsoft in the developer community and the diffusion of its products makes the task of reducing security holes more difficult and the exposure to security attacks greater,” he says.

“[Although] Microsoft cannot control Active X as such, we are working to ensure that any security vulnerabilities in our products are patched and protected against, as well as developing protocols… that protect users against attacks,” adds Abunawar.

With Microsoft continually coming under fire for the vulnerabilities and insecurities in its software programs, security has risen up the vendor’s agenda over the last two years. Abunawar says that despite these latest flaws, security is still very much an ongoing process and priority for the company.

“Security is a journey, not a destination, and it is one of our highest priorities. This has not changed, we are still investing heavily in security measures and the trustworthy computing initiative in general,” he comments.

Such is Microsoft’s current commitment to shoring up its systems, the vendor has shifted its business strategy, placing a greater emphasis on security rather than developing additional software features.

“Historically, our emphasis has been on adding features and functionality to make our software and services more compelling for users. This is still important to us, but we have now reprioritised to make security improvements a higher priority than new features,” says Abunawar.
