In other words, if you know one Microsoft program, you pretty much know them all. (This is similar to the way every application melts its menus into the bar at the top of the MacOS desktop.)

Microsoft has thus created its own standards in a market that previously adhered to few rules. In this respect, Microsoft has revolutionized the PC computing world. Furthermore, because Microsoft products are so popular worldwide, programmers rush to complete applications for use on the Microsoft platform. Along that journey, programmers must strictly adhere to design standards set forth by Microsoft--well they must if they seek that approval sticker on the box. If the U.S. Attorney General is looking for an antitrust issue, she might find one here.

Moreover, Microsoft has put much effort into application integration and interoperability. That means an Excel spreadsheet will seamlessly drop into a Word document, an Access database will interface effortlessly with a Visual Basic program, and so on. All Microsoft products work in an integrated fashion.

To perform such magic, Microsoft designed its products with components that meet certain criteria. Each of these applications contains building blocks that are recognizable by the remaining applications. Each can call its sister applications through a language that is common to them all. This system gives the user an enormous amount of power. For example, one need not leave an application to include disparate types of media or information. This design increases productivity and provides for a more fluid, enjoyable experience. Unfortunately, however, it also makes for poor security.

Internet Explorer was designed with this interoperability in mind. For example, Internet Explorer was, at the outset, more integrated with the Windows operating system than, say, Netscape's Navigator. Mr. Gates undoubtedly envisioned a browser that would bring the Internet to the user's desktop in the same manner as it would a local application. In other words, Internet Explorer was designed to bring the Internet to the user in a form that was easy to understand, navigate, and control. To its credit, Microsoft's merry band of programmers did just that. The problem with Microsoft's Internet Explorer, then, is that it fulfills its purpose to the extreme.

In a period of less than two weeks in early 1997, Internet Explorer was discovered to have three serious security bugs:

Students at a university in Maryland found that they could embed an icon on a Web page that would launch programs on the client user's computer. Microsoft posted a public advisory on this issue on its WWW site. In it, the company explained:

If a hacker took advantage of this security problem, you could see an icon, or a graphic in a Web page, which is, in fact, within a regular Windows 95/Windows NT 4.0 folder of the Web site server or your computer. The hacker could shrink the frame around the icon or graphic so that you would think it was harmless, when in fact it allows you or anyone else to open, copy, or delete the file, or run a program that could, if the author has malicious intent, damage your computer. You can launch the program because the folder bypasses the Internet Explorer security mechanism.

Cross Reference: Microsoft's public advisory, Update on Internet Explorer Security issues UMD Security Problem, can be found on the Web at http://www.microsoft.com/ie/security/umd.htm.

Several sources determined that one could launch programs on the client's machine by pointing to either a URL or an LNK file.

Folks at A.L. Digital, a London-based firm, determined that Microsoft's Internet Explorer contained a bug that would allow a malicious Java applet to steal, corrupt, or otherwise alter files on the client's machine.

Each of these holes is Class A in character--that is, they allow a remote site to access or otherwise manipulate the client's environment. The risk represented here is tremendous.

To its credit, Microsoft responded quickly to each instance. For example, the second hole was acknowledged within hours of its discovery. The authors of that advisory did not mince words:

...this problem concerns the ability of a programmer to write code in a Web page that uses Internet Explorer 3.x versions to access a Web page hyperlink that points to a .LNK (a Windows shortcut file) or .URL file. Pointing to that .LNK or .URL could launch a program or an executable that could cause damage to a computer.

Cross Reference: Microsoft's advisory about the second hole, "`Cybersnot' Security Problem," can be found on the Web at http://www.microsoft.com/ie/security/cybersnot.htm.

The fix for that problem was also posted. If this is the first you have heard of this problem (and you use Internet Explorer), you should immediately download the patch.

Cross Reference: The patch for the hole discussed in Microsoft's advisory, "`Cybersnot' Security Problem," can be found on the Web at http://www.microsoft.com/msdownload/ie301securitypatch.htm.

News of these holes rocked the computing communities, which were still reeling from earlier holes
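The second hole described above turns on a Web page reference that points to a .LNK or .URL file, which is something a proxy or content filter can check for. The following is an added example, not code from the book or from Microsoft: a Python scan of a page for such references. The function names, the attribute list and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Attributes that can carry a URL the browser will fetch or follow (assumed list).
URL_ATTRS = {"href", "src", "data", "action", "background"}
SHORTCUT_EXTS = (".lnk", ".url")

def is_shortcut_ref(raw):
    """True if the URL's path component names a .LNK or .URL file."""
    try:
        path = unquote(urlsplit(raw.strip()).path)  # drops host, query, fragment
    except ValueError:                              # malformed URL: nothing to match
        return False
    # Windows ignores trailing dots and spaces in file names.
    return path.rstrip(". ").lower().endswith(SHORTCUT_EXTS)

class ShortcutLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v) for k, v in attrs if v]
        line = self.getpos()[0]
        for name, value in attrs:
            if name in URL_ATTRS and is_shortcut_ref(value):
                self.findings.append((line, tag, name, value))
        # <meta http-equiv="refresh" content="0; url=..."> also navigates.
        d = dict(attrs)
        if tag == "meta" and d.get("http-equiv", "").lower() == "refresh":
            target = d.get("content", "").partition("=")[2].strip(" '\"")
            if is_shortcut_ref(target):
                self.findings.append((line, tag, "content", target))

def find_shortcut_links(html):
    finder = ShortcutLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; example.test is a placeholder host.
SAMPLE = """<html><body>
<a href="notes.html">Notes</a>
<a href="shortcuts/tool.LNK">Tool</a>
<iframe src="http://example.test/share/readme%2Eurl?x=1"></iframe>
<a href="http://example.test/page.html#tool.lnk">Anchor only</a>
<meta http-equiv="refresh" content="0; url='go.url'">
</body></html>"""

if __name__ == "__main__":
    for finding in find_shortcut_links(SAMPLE):
        print(finding)
```

Matching on the decoded path rather than the raw string is what catches the percent-encoded and mixed-case references while leaving a host name ending in .url or a fragment ending in .lnk alone.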