Office 10 applications & flashdrives can be used to browse restricted drives
From: Discini, Sonny (Sonny.Discini_at_montgomerycountymd.gov)
Date: 02/23/05
- Previous message: Maciej Bogucki: "[Fwd: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue]"
- Next in thread: Denis Jedig: "Re: Office 10 applications & flashdrives can be used to browse restricted drives"
- Reply: Denis Jedig: "Re: Office 10 applications & flashdrives can be used to browse restricted drives"
- Maybe reply: Paul: "Re: Office 10 applications & flashdrives can be used to browse restricted drives"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Feb 2005 13:58:22 -0500 To: <bugtraq@securityfocus.com>
************************************************************************
*************
Originally this issue was explained and patched here:
http://support.microsoft.com/?id=302753
SYMPTOMS
After you establish a group policy to restrict access to a drive by
selecting the Hide these specified drives in My Computer and Prevent
access to drives from My Computer options, you can use a Microsoft
Office program to browse and read the contents of the drive.
CAUSE
This problem occurs when your operating system is Microsoft Windows
2000. The problem occurs because of the way that policies are applied.
When you restrict access to a drive by establishing a group policy,
restrictions apply to users, but they do not apply to services and
programs. Because the browse feature is performed through a program such
as Microsoft Excel or Microsoft Word, the program is permitted to view
the drive. As a result, when you define a group policy and select the
Hide these specified drives in My Computer and Prevent access to drives
from My Computer options on a specific drive, the drive is read-only
with respect to Microsoft Office 2000 programs.
RESOLUTION
To resolve this problem, obtain Microsoft Office Service Pack 3 or
later.
************************************************************************
*************
This bug has been re-introduced in Office 10 (Word 2002, Excel 2002,
etc.) SP3
It may also apply to Office 11 but we have not tested it.
ADDITIONAL FINDINGS
The same condition occurs when you insert a flashdrive and a common
dialog box is presented asking you what you'd like to do. If you select
open drive you can then browse all of the hidden and restricted drives
the same way that you can using MS office.
HOST
Win XP Pro SP2, all available patches as of 2/23/05
Windows 2000 Server SP4, all available patches as of 2/23/05, running
Active Directory.
VENDOR RESPONSE
This issue was reported to Microsoft on Feb 11, 2005, acknowledged by
support, and as of today our best efforts to get a hotfix (or even a
commitment to produce a hotfix at some later date) have been fruitless.
Sonny Discini, Senior Network Security Engineer
Department of Technology Services
Enterprise Infrastructure Division
Montgomery County Government
- Previous message: Maciej Bogucki: "[Fwd: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue]"
- Next in thread: Denis Jedig: "Re: Office 10 applications & flashdrives can be used to browse restricted drives"
- Reply: Denis Jedig: "Re: Office 10 applications & flashdrives can be used to browse restricted drives"
- Maybe reply: Paul: "Re: Office 10 applications & flashdrives can be used to browse restricted drives"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
