Security problems with Compaq Windows 98 computers

Richard M. Smith (rms@pharlap.com)
Fri, 23 Jul 1999 23:20:34 -0400

Message-Id: <4.1.19990723232022.00930e40@mail.pharlap.com>
Date: Fri, 23 Jul 1999 23:20:34 -0400
To: java-security@web1.javasoft.com
From: "Richard M. Smith" <rms@pharlap.com>
Subject: Security problems with Compaq Windows 98 computers

Hello,

I just purchased a Compaq Presario 5304 computer system that
is running Windows 98. As part of an ongoing research project
into Internet security, I checked this machine for security
problems. In less than 2 hours I determined that this
system has the following major security holes that need to be
addressed immediately:

1. From a Web page or HTML Email message, it is very easy to
automatically run an arbitrary Windows or DOS programs using a "trusted"
Java applet that is pre-installed on the computer. This capability
allows the "bad guys" to do things like drop a virus on the computer,
delete files from the computer, or steal private files from the system
from an Email message or Web page.

2. The "trusted" Compaq Java applet can be "borrowed" by the bad guys and
put on a Web site and used to run DOS and Windows programs from a
Web page or HTML EMail message on any Windows 95, NT, or 98
computer that is running IE4 or IE5. In this case, a security
warning is presented to the user when the malicious page is viewed,
but the security warning says that the program being run is
the Selective Quickrestore program from Compaq Computer
and not a malicious piece of software.

3. Compaq has quietly turned on an option in Internet Explorer 4
which is part of the Windows 98 operating system to trust all
programs that come from Compaq. This allows Compaq to
silent run programs on this computer from an HTML Email
message or when visiting the Compaq Web site. This "backdoor"
is not disclosed to a customer as far as I can determine and
in my opinion represents a pretty serious privacy problem.

I suspect that these same security issues exist on other
Compaq computer models. I found the same Java applet,
for example, installed on about 10 other Compaq computer
models at 2 of my local computer stores. This applet
is dated December 1997, so one can guess that it has
been shipped on some Compaq computer models since
early 1998.

I hope to see Compaq address these problems right away.

In the meantime users of any Compaq system that has the
same security problems can fix them temporarily by
turning off Java support in IE4 or IE5.

These same security problems do not exist in Netscape Navigator.

Richard M. Smith