[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Office 10 applications & flashdrives can be used to browse restricted drives

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Office 10 applications & flashdrives can be used to browse restricted drives
From: "Discini, Sonny" <Sonny.Discini@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 23 Feb 2005 13:58:22 -0500

************************************************************************
*************
Originally this issue was explained and patched here:
http://support.microsoft.com/?id=302753
 
SYMPTOMS
After you establish a group policy to restrict access to a drive by
selecting the Hide these specified drives in My Computer and Prevent
access to drives from My Computer options, you can use a Microsoft
Office program to browse and read the contents of the drive.

CAUSE
This problem occurs when your operating system is Microsoft Windows
2000. The problem occurs because of the way that policies are applied.
When you restrict access to a drive by establishing a group policy,
restrictions apply to users, but they do not apply to services and
programs. Because the browse feature is performed through a program such
as Microsoft Excel or Microsoft Word, the program is permitted to view
the drive. As a result, when you define a group policy and select the
Hide these specified drives in My Computer and Prevent access to drives
from My Computer options on a specific drive, the drive is read-only
with respect to Microsoft Office 2000 programs.

RESOLUTION
To resolve this problem, obtain Microsoft Office Service Pack 3 or
later.
************************************************************************
*************
 
This bug has been re-introduced in Office 10 (Word 2002,  Excel 2002,
etc.) SP3
 
It may also apply to Office 11 but we have not tested it. 
 
ADDITIONAL FINDINGS
The same condition occurs when you insert a flashdrive and a common
dialog box is presented asking you what you'd like to do. If you select
open drive you can then browse all of the hidden and restricted drives
the same way that you can using MS office.
 
HOST
Win XP Pro SP2, all available patches as of 2/23/05
Windows 2000 Server SP4, all available patches as of 2/23/05, running
Active Directory.
 
VENDOR RESPONSE
This issue was reported to Microsoft on Feb 11, 2005, acknowledged by
support, and as of today our best efforts to get a hotfix (or even a
commitment to produce a hotfix at some later date) have been fruitless.
 
Sonny Discini, Senior Network Security Engineer
Department of Technology Services
Enterprise Infrastructure Division
Montgomery County Government

Follow-Ups:
- Re: Office 10 applications & flashdrives can be used to browse restricted drives
  - From: Denis Jedig

Prev by Date: [Fwd: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue]
Next by Date: RE: Incorrect Classification of iDownload's Product as Spyware...
Previous by thread: [Fwd: [arkeia-announce] Release of Arkeia Network Backup 5.3.5 fixes security issue]
Next by thread: Re: Office 10 applications & flashdrives can be used to browse restricted drives
Index(es):
- Date
- Thread