ISSUE 491: The high-tech office- March
23 1999
ALAN ZISMAN
New concerns over Internet security
leave computer users surfing for fixes
Worried about the impact of computers on your
privacy? The past week has brought to light more than enough privacy
concerns to justify feelings of paranoia in even the most complacent of
us. For example:
A bug in some versions of Netscape's
Communicator and Navigator Web browsers can allow others to read the
contents of users' hard drives. The problem, in the way Netscape
implemented JavaScript, allows others to read HTML (Web page) files,
along with the contents of the cache and browsing folders. This bug is
known to affect version 4.5 for Windows 95/98 and 4.08 for NT. While
the company recently released a minor upgrade (version 4.51) to patch
three security problems reported earlier, the security leak isn't fixed
in this version. Instead, the company recommends turning off JavaScript
for now.
Users of Windows 98, together with Internet Explorer
were reported to be vulnerable to a security problem allowing Web sites
to read Microsoft-generated customer ID numbers, and to track
computers via a unique ID number generated by Ethernet network
adapters. Microsoft claims to be studying the report and has promised a
fix if it "turns out to be a real issue."
Microsoft also admitted that it had been collecting
information on users' PCs, via the Windows 98 online registration
process. While users could avoid sending this information at the time
of registration, the company announced that collecting this data was
unnecessary and that they were stopping the practice. However, combined
with the bug mentioned above, it seems possible for other Web sites to
harvest the same information that Microsoft had been gathering. At the
same time, it was noted that information such as product serial numbers
is automatically inserted into saved Office documents -- identifying
the author and the system on which it was created. Microsoft is
planning to release software that lets users turn that off, along with
a utility to remove such information from saved Office documents. The
upcoming Office 2000 will not save such information.
Meanwhile, in response to business complaints about
Windows 98's automated Windows Update "feature," the company is
offering businesses the ability to manually download Win98 patches and
upgrades at a new Web site, www.microsoft.com/windows98/
downloads/corporate.asp.
Macromedia Shockwave is a popular add-in to Web
browsers that allows users to view animated tutorials, product demos
(and, yes, play games) online. There's a feature in the product that
lets it automatically update itself to the newest version. But, in the
process, it sends Macromedia a list of visited Web sites. Macromedia
claims to use this information to determine the most popular
Shockwave-using sites, and help those sites optimize their use of the
product. At the same time, the company was ending up with lists of user
names, passwords, and names and passwords to private Web sites --
without wanting that information. The latest release claims to strip
any such information out, while still sending Macromedia lists of sites
visited.
Intel's new Pentium-III processor includes a
unique serial number, imbedded digitally inside each chip. While the
company meant for it to be used as an identifier for corporate
inventories, in case of theft and as an aid to e-commerce, concerns
have been expressed that it could also be used to track a user's
movements on the Internet. Now, Intel has admitted that the serial
number scheme was also used in other recently released processor
models, including Pentium II and Celeron chips designed for notebook
computers, released this past January..
While Intel has set its new systems so that the ID
number is turned off by default, Zero Knowledge Systems of
Montreal claims to have developed software that can still retrieve the
code number. Presumably, there is a 15-second gap between the time a
P-III machine starts up and when the ID code is turned off by the
system. Zero Knowledge's software tricks a machine into crashing, then
grabs its ID code while it is restarting. The company suggested that
the software could be easily inserted in a virus or an e-mail
attachment, to reside on a computer so that when it retrieves the code
number it can store it in an Internet cookie that then be read by a Web
site. Computer manufacturers can, however, limit this period of
vulnerability by turning off the ID in the System Setup. *
|