Re: Word Exploit and Word 97

From: Jeff (jeff@nospam.com)
Date: 09/17/02


From: "Jeff" <jeff@nospam.com>
Date: Tue, 17 Sep 2002 12:32:23 -0700


Rey - look again at what I said. To quote me, yes, no one
should be OPENING Word documents on a server. I did not
say storing them. Two separate issues. My statement is
still correct.

No one will care about Joe Blow's PC. However, if Joe
Blow is your CEO and you have Windows installed in the
default location, you just made it really easy for someone
to guess the locations. Beyond that, don't they have to
know how you are naming your email accounts?

READ what I write before you attack me. If you're really
concerned about security, you would not be using default
locations to install any program. Thus, your worries
about this would all be blown way out of proportion.

I'm not saying that this could not cause issues, but a
properly secured environment would minimalize this without
a patch. I'm not even mentioning the social engineering
that is involved.

>-----Original Message-----
>Hi Jeff,
>
>FWIW, MS has a TechNet bulletin saying Office 97 is supported through PSS
>and a patch will be issued for all supported versions. Secondly, inline:
>
>> Second point here is that they have to know the exact name
>> and location of the file that they want. No one is going
>> to care about Joe Blow's files on his PC.
>
>Huh? You mean swiping "joeblow.pwl" from C:\Windows would not give me access
>to Joe Blow's email account through the company's Outlook Web Access system,
>where Joe Blow is the CEO or other officer?
>
>> No one should be opening any Word documents on a server.
>
>Huh? It is a very common practice to forbid local hard drive storage of
>company documents if only for disaster recovery purposes.
>
>> Just my two cents on this. I'm not siding with MS on this
>> at all, as it is a hideous flaw. I'm just trying to get
>> people to see this in a bit more realistic light. I know
>> that I would worry more about one of my operators going
>> AWOL and messing up a server than I do about this flaw
>> being exploited on anything I have on my pc.


