ISSUE 491: The high-tech office- March 23 1999
ALAN ZISMAN
New concerns over Internet security
leave computer users surfing for fixes
Worried about the impact of computers on your privacy? The past week has brought to light more than enough privacy concerns to justify feelings of paranoia in even the most complacent of us. For example:
A bug in some versions of Netscape's Communicator and Navigator Web browsers can allow others to read the contents of users' hard drives. The problem, in the way Netscape implemented JavaScript, allows others to read HTML (Web page) files, along with the contents of the cache and browsing folders. This bug is known to affect version 4.5 for Windows 95/98 and 4.08 for NT. While the company recently released a minor upgrade (version 4.51) to patch three security problems reported earlier, the security leak isn't fixed in this version. Instead, the company recommends turning off JavaScript for now.
Users of Windows 98, together with Internet Explorer were reported to be vulnerable to a security problem allowing Web sites to read Microsoft-generated customer ID numbers, and to track computers via a unique ID number generated by Ethernet network adapters. Microsoft claims to be studying the report and has promised a fix if it "turns out to be a real issue."
Microsoft also admitted that it had been collecting information on users' PCs, via the Windows 98 online registration process. While users could avoid sending this information at the time of registration, the company announced that collecting this data was unnecessary and that they were stopping the practice. However, combined with the bug mentioned above, it seems possible for other Web sites to harvest the same information that Microsoft had been gathering. At the same time, it was noted that information such as product serial numbers is automatically inserted into saved Office documents -- identifying the author and the system on which it was created. Microsoft is planning to release software that lets users turn that off, along with a utility to remove such information from saved Office documents. The upcoming Office 2000 will not save such information.
Meanwhile, in response to business complaints about Windows 98's automated Windows Update "feature," the company is offering businesses the ability to manually download Win98 patches and upgrades at a new Web site, www.microsoft.com/windows98/
downloads/corporate.asp.Macromedia Shockwave is a popular add-in to Web browsers that allows users to view animated tutorials, product demos (and, yes, play games) online. There's a feature in the product that lets it automatically update itself to the newest version. But, in the process, it sends Macromedia a list of visited Web sites. Macromedia claims to use this information to determine the most popular Shockwave-using sites, and help those sites optimize their use of the product. At the same time, the company was ending up with lists of user names, passwords, and names and passwords to private Web sites -- without wanting that information. The latest release claims to strip any such information out, while still sending Macromedia lists of sites visited.
Intel's new Pentium-III processor includes a unique serial number, imbedded digitally inside each chip. While the company meant for it to be used as an identifier for corporate inventories, in case of theft and as an aid to e-commerce, concerns have been expressed that it could also be used to track a user's movements on the Internet. Now, Intel has admitted that the serial number scheme was also used in other recently released processor models, including Pentium II and Celeron chips designed for notebook computers, released this past January..
While Intel has set its new systems so that the ID number is turned off by default, Zero Knowledge Systems of Montreal claims to have developed software that can still retrieve the code number. Presumably, there is a 15-second gap between the time a P-III machine starts up and when the ID code is turned off by the system. Zero Knowledge's software tricks a machine into crashing, then grabs its ID code while it is restarting. The company suggested that the software could be easily inserted in a virus or an e-mail attachment, to reside on a computer so that when it retrieves the code number it can store it in an Internet cookie that then be read by a Web site. Computer manufacturers can, however, limit this period of vulnerability by turning off the ID in the System Setup. *
Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan
