HTML-Based Thievery Challenges Worldwide Security Measures

<P><IMG SRC="/graphics/excelcall2.jpg" align=right>An exploit that uses HTML code to steal files from an unsuspecting user’s desktop is drawing strong reaction from security analysts and industry experts around the world. Steve Foote, an analyst with the Hurwitz Group (www.hurwitz.com), calls it "the single biggest security threat in the history of the Internet."</P>

An exploit that uses HTML code to steal files from an unsuspecting user’s desktop is drawing strong reaction from security analysts and industry experts around the world. Steve Foote, an analyst with the Hurwitz Group (www.hurwitz.com), calls it "the single biggest security threat in the history of the Internet."

Russian New Year (RNY), so called for the timing and geography of its discovery, was uncovered in late December. The invader combines HTML code and the "call" function in Microsoft Excel to steal or copy files on a user’s desktop as soon as the user downloads a Web page. Finjan Software Ltd. (www.finjan.com) brought widespread attention to the problem and offers a temporary fix.

Finjan’s CEO Bill Lyons says the exploit strikes without warning to the user, who receives no prompts that the unwanted task is to occur. Also, Excel doesn’t have to be running. An attacker only needs knowledge of standard HTML to take advantage of the Excel feature installed on Windows operating systems. Lyons estimates that as many as 80 percent of Web users have Excel installed on their desktops.

"It is the kind of attack that makes your jaw drop," says Avi Rubin, a researcher at AT&T Labs (www.att.com/attlabs). "When coupled with mobile code technologies, the results are potentially catastrophic."

Lyons says the exploit could be used to attack everyone who visits a particular site, or it could be used to target specific people. For example, one bank could trigger the exploit to download user files when someone from a competing bank visits its site. By adjusting the code, a Russian New Year attacker could insert damaging programs such as password grabbers, Back Orifice or a logic BIOS bomb. Any capability the desktop computer has can be accessed and exploited if Russian New Year is successfully implemented.

Microsoft created a patch that turns off Excel’s call feature and posted it on its Web site in early December -- almost a month before Finjan’s announcement. Although Finjan reports the attack could affect both 95 and 97 versions of Excel, Microsoft only posted a patch for the latter. For Excel 95 users to turn off the function, they first must upgrade to Excel 97, then download both Excel Service Release 1 and 2 and the call function disable patch from Microsoft’s Web site.

Call is an advanced user function in Excel that developers use to run a piece of code outside the Excel spreadsheet. For those who don’t use the function, Microsoft strongly recommends downloading the patch from http://officeupdate.microsoft.com.

John Duncan, Microsoft Office product manager, agrees that the exploit is serious, but he says Microsoft was proactive in early December when it sent out mass e-mails to customers and security bulletin subscribers, and posted the patch on its Web site. Duncan says he hasn’t seen a malicious use of the call function. One reason Microsoft’s early December warning didn’t cause a stir was because they did not mention that HTML could be used as the exploiting language. Duncan says Microsoft had to weigh the chance crackers already knew of the exploit against the risk that the warning itself would educate potential abusers.

Other security measures can be taken as well. Finjan recommends setting Internet Explorer 4.0’s security level to high and upgrading to Netscape Navigator 4.5 to block Plug-ins. Finjan is distributing a free 30-day version of its SurfinGate security software -- which can be downloaded from Finjan’s Web site -- so companies can quickly implement something until they decide what security steps they want to take.

Russian New Year isn’t something to be taken lightly, Foote says. "The potential implications of this are staggering. As the person in charge of corporate technology, if this doesn’t make you weak in the knees, then you do not fully understand the implications."

So far the hole has only been exploited in Excel running on the Windows operating system, but Lyons hasn’t ruled out other spreadsheets and other operating systems. He says his company is testing different software and different configurations. Until then, he recommends that IS managers implement strong corporate security protocols, such as setting policies, increasing security awareness and training programs and using software to deploy multiple layers of defense, such as firewalls and mobile code inspection.