According to the Computer Weekly web site, the first vulnerability – directly affecting Outlook XP – would allow an attacker to embed 'active' content in an e-mail. Active content contains both an object and a script. The content embedded in the e-mail would then execute when the e-mail is forwarded or responded to, claims Guninski. "The vulnerability could force a user to visit a web page designated by the attacker," he added.
The second security loophole, which affects the spreadsheet component of Office XP, can be used in combination with the first vulnerability to place executable files in a user's start-up directory – which could then lead to a takeover of the target machine.
So-called 'workarounds' for the vulnerabilities include disabling all 'active' content in Internet Explorer (whose components are used by parts of Outlook) and fully removing the spreadsheet component of Office XP.
In an official statement, Microsoft said that the company is investigating the matter, and has confirmed the first vulnerability. In the past, the company has criticised Guninski for releasing his vulnerability data too quickly, at the same time branding his actions as "completely irresponsible".
In the most recent attack reported to SMT, three masked men broke into the IT department at Barking and Dagenham Council, tying up and threatening the staff before leaving empty-handed. The Sun equipment they were looking for had actually been stolen in an earlier raid...
Insurers are now advising IT and security managers to install protective security measures that would cost upwards of £10,000. Smoke cloaks, steel entrapments, intruder alarms and CCTV cameras have all been put forward. Insurer Zurich Municipal also suggests that Sun equipment be stored in a secure room made of substantial brickwork, preferably above ground level and in the centre of the building.
A study by US consultancy Gartner suggests that 30% of help desk call volume can be attributed to password management requests from end users, and that such calls cost an average of £15 each to deal with.
Thankfully, a British company – Pentasafe Security Technologies – is now offering a solution in the form of VigiLent User Manager (Password Management), which is described as a "security-rich solution for enterprise user account and self-service password management".
Essentially, the system issues a new password once the identity of the requesting user has been verified, removing the need for a help desk call.
The basic VigiLent 'user manager engine' costs around £4,000. End users who would like more details on the system should call David Blackman (European marketing director) on 01252 823500.
Source: SMT