Smart But Not Secure

As the latest edition to MS’ flagship productivity suite, Office XP, Smart Tags
ostensibly facilitate the next level of business automation.

According to
Microsoft VP Steve Sinofsky, Smart Tags will allow for a kind of
multi-dimensional version of a hyperlink to be inserted into data files.
Seemingly you could, for example, Smart Tag a company name to associate it
with a stock ticker, and regular, live updates of its stock price. When you’re
working with a Smart Tagged item you’d be presented with a number of
associations or automatically carried out actions in short, innovative
hyperlinks that can branch off in many different directions.

For reasons of security Smart Tags won’t contain executable code but because
they’re dependent on that code to run, the tags will include a ‘downloadURL’ to
click on in order to collect the relevant code.

Numerous security breaches have already occurred through the mechanisms of
code being included in e-mails – Smart Tags are no different in this regard.
If untold numbers of seemingly well-informed people can be induced to click on
an executable with the “I love you” virus as a payload, then they’d just as
surely click on an endearing URL. In the case of Smart Tags (which can be
made to look far more interesting and inviting) the work of viral programmers
could extend into new and hazardous new arenas.

A whole plethora of potential e-commerce applications may just add additional
privacy concerns to the mix. These stylish tags could provide an avenue for
viral marketers and other, more crooked, types to gather personal data about
users and their contacts. Code could just as easily be induced to spread virally
via address books in a similar fashion to the techniques employed by a number
of todays viruses.

By blocking over 39 different file types by default and by relying on differences
between trusted and untrusted, signed and unsigned apps Office XP Outlook
hopes to overcome these and other security problems. Nonetheless even a
signed and trusted document could contain a link to a very devious external
file.

Despite Microsoft’s continued efforts at honing out security holes in their
software the responsibility still lies heavy on the shoulders of users,
administrators, business partners, and suppliers alike to ensure that unsolicited
code doesn’t enter through the corporate back door. Given the tasty target
that Microsoft apps have made for generations of hackers and crackers the fun
is far from over.