Slashdot Mirror


Office Assistant: Yet Another Security Hole

A lot of people have been submitting the news from ZD-Net concerning the security hole found in the Microsoft Office Assistant, Satan the Paper-Clip. Er...rather, "Clippy". Dildog, of @Stake, found the hole, which is quite similar to the recent Outlook security hole that allows for automatic scripting.

12 of 181 comments

  1. Re:I am rather concerned - NOT by Dictator+For+Life · · Score: 4
    MS generally delivers patches for these security holes before serious exploits happen in great numbers.

    Yes, like just two weeks ago when ILOVEYOU was out, right? MS had the patch out "before serious exploits," right?

    • Melissa
    • Bubbleboy
    • Chernobyl (still no MS fix for that)
    • Word macro viruses
    • Excel macro viruses
    • Michelangelo

    Let's be real here. Microsoft's concern for security could fit in one thimble along with Dilbert's enthusiasm. If they really cared about it they would have fixed the "every-user-is-root" problem years and years and years ago.

    No company that says their latest software release will be bug-free (while having a list of 63,000 bugs they knew about at release time) can be taken seriously when it comes to security. No company that has to be goaded by bad press into fixing Outlook Express can be taken seriously. No company that denies that its customers care about bugs can be taken seriously.

    --

    DFL

    Never send a human to do a machine's job.

  2. Even Better by LaNMaN2000 · · Score: 5

    It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary and that he will rebel against the glass ceiling that prevents him from getting promoted by closing each document the user creates, without saving, after he has it open for 15 minutes.

    --

    ByteMyCode.com: A Web 2.0 code sharing community.

  3. Re:They found a hole and patched it... by Platinum+Dragon · · Score: 4

    Most Linux/*NIX holes aren't so glaringly stupid, and are a hell of a lot harder to exploit. Why should arbitrary script code be able to affect the registry (only one of the most important files on a Windows 9x system), overwrite files, and e-mail itself without telling the user? And why in hell is the Office "assistant" usable in resetting security permissions?

    "But, but, but, someone could write a script for Linux too! Ha, got ya there!"

    No, you don't. If a user sets up sh to run scripts automatically in Netscape, or downloads and sets the executable bit, it would still only affect that user's files unless they were dumb enough to run Netscape or the script as root. The user would lose the files they own, but binaries and pretty much anything outside /home/$USER would remain unaffected. This is assuming the user didn't bother to at least read through the script first, or find out what the heck it actually is.

    "But, but, but, there are bugs in Linux! And some can lead to a root compromise!"

    No denying that; they still require some level of actual skill, either in programming or ingenuity, to take advantage. Once again; arbitrary code should not be able to affect anything; it should be contained (like the Java sandbox), and never run as an administrator. NT at least takes steps in this direction, though a cursory look through the Attrition page crack archives should show how much NT is like Swiss cheese.

    The point: Windows 9x, and to a lesser extent NT, is inherently insecure, allowing arbitrary code and even scripts to affect important system files and take actions without the user's knowledge. The Morris Worm forced *NIX to shape up; perhaps dragging Windows into the light will force Microsoft to do the right thing for once.

    --

    Someday, you're going to die. Get over it.

  4. A risk to national security by phil+reed · · Score: 5

    Found an article here, that ought to be good to print out and put on your CIO's desk. It's titled Microsoft: A Proven Danger to National Security. (Warning - it's a PDF file.) Microsoft ought to find it interesting reading, anyway.


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."

  5. Re:From Microsoft by Ben+Hutchings · · Score: 4

    It's not an error in labelling; it's an error in design. The design called for "Show Me" to be implemented by scripting in so-called HTML-help pages. This required the Office Assistant to be marked as safe for scripting.

  6. A thought. by Alarmist · · Score: 4
    In my day-to-day work, I see a lot of people who either use the Office Assistant seriously, or let it run and just ignore it. Very few of those people go to great lengths to make sure they never see it.

    What Microsoft has done is truly interesting, and maybe a bit frightening: they have made a cute, vaguely helpful (but mostly interfering) figure a commonplace on the desktop. With Office 2000, you don't even have to be using an Office product to have the assistant sit on your desktop.

    The Assistant uses up a lot of valuable system resources, and you can bet your bottom dollar that it doesn't just use them to render itself in stunning 3-d realtime graphics. We already know that Microsoft has a policy of blatantly, casually violating its users' privacy. What else is this Assistant doing? Perhaps it's logging keystrokes and sending them to Redmond. Perhaps it's analyzing user traffic and building a profile.

    I suspect that MS is using the Assistant and other Office "features" to create extensive profiles on users around the world, for who knows what use in its own nefarious schemes. Perhaps that is why they seem openly contemptuous of the DoJ--they have the goods on Reno and her crowd and will use them when the time seems right.

  7. Hrrm.. by Signal+11 · · Score: 5
    HI! I see that you are trying to surf the net. Would you like me to help give away all your private information and data?

    [Yes, please help me] or [No thanks] (greyed out)

    What next, a picture of an ActiveX scripting component painted on a cat to pop up and go "Script kiddie detected." followed by another message saying "Your security settings have changed, please reboot for these settings to take effect"?

  8. Testing.... When are they going to? by wrenling · · Score: 5

    When you are going to release a product that allows so much interoperability, one would assume that those very functions that allow that interoperability would be slammed, nuked, beaten and in every way imaginable explored, repaired, and THEN the software released.

    But it appears that MS is relying on the general public to act as its beta testers, to search out and discover these holes. They are complacent, non-proactive, and basically riding on the assumption that people will continue to use their products no matter how low the quality level goes.

    This is one area.. where the communities like Open Source can really shine. Because opening your code to peer review keeps you on your toes. It allows different minds to work together cooperatively to create a better software package. And in the end, everyone benefits.

    I know this is a bit of a rehash of stuff I have said before, but since we all know that MS is paying very close attention to everything written here on /., maybe repeating some basic concepts will beat the idea into their brains...

    One can always hope...

    --
    Check out Magic Firesheep!

  9. Is this really news? by alteridem · · Score: 4

    #define RANT

    It seems like every day I read about another Microsoft security hole. When will it become obvious to the managers who force Micro$oft products down our throats that they are compromising their companies security? If I forced everyone at my office to use software that is full of security holes and we got hit bad by it, I would be fired. When are IT managers going to be forced to face the consequences of their decisions?

    #undef RANT

    Seriously though, I guess we can't expect the masses of ignorant users to give up their beloved paperclips and fancy email attachments. They want everything and Micro$oft tries to give it to them without regard to the security risks.

  10. From Microsoft by Silver+A · · Score: 5
    From: http://www.microsoft.com/technet/security/bulletin/ms00-034.asp
    Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-034.asp
    Issue
    An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting". This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and allows Office functions to be scripted. A malicious web site operator could use the control to carry out Office functions on the machine of a user who visited his site.
    The control ships only as part of Office 2000 (and Office 2000 family members, as listed below). The patch removes all unsafe functionality, with the result that the "Show Me" function will be disabled in Office 2000.

    The patch is available at http://download.microsoft.com/download/office2000pro/Uactlsec/2000/WIN98/EN-US/Uactlsec.exe, with instructions available at http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm

    Microsoft states in their FAQ:

    Is this a vulnerability in the ActiveX technology?
    No. This vulnerability results because of a manual error in marking the particular control at issue.
    Sure. This time it's a simple error in labelling. What will it be next time? How many more simple marking errors lurk in Office or IE?

  11. Mr Hankey Assistant by morbid · · Score: 4
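    Comments 5 and 10 above turn on one registry detail: a COM control is only scriptable from a web page if it is registered in the "Safe for scripting" component category, and the Office 2000 UA Control was marked that way so that "Show Me" could drive Office from HTML Help. The PowerShell audit below is an added example (not from the thread or from Microsoft) that lists every control on a Windows machine registered in that category and whether Internet Explorer's kill bit is set for it; the category GUIDs and the 0x400 kill-bit flag are the documented Windows values, and the UA Control's own CLSID is not in the thread, so nothing here is specific to it.

```powershell
# Added example: list COM controls registered as "Safe for scripting" and
# report whether IE's kill bit (Compatibility Flags 0x400) blocks each one.
# Category GUIDs and the kill-bit flag are the documented Windows values.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBit             = 0x400
$CompatKey           = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# HKCR is not mapped as a PowerShell drive by default.
if (-not (Test-Path 'HKCR:')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid   = $_.PSChildName
    $catPath = "$($_.PSPath)\Implemented Categories"
    if (-not (Test-Path $catPath)) { return }          # skips this CLSID
    $cats = (Get-ChildItem $catPath -ErrorAction SilentlyContinue).PSChildName
    if ($cats -notcontains $SafeForScripting) { return }

    # Friendly name and the DLL that implements the control.
    $name   = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
    $server = (Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

    # Kill bit: Compatibility Flags with 0x400 set under ActiveX Compatibility\{CLSID}.
    $flags  = 0
    $compat = Get-ItemProperty "$CompatKey\$clsid" -ErrorAction SilentlyContinue
    if ($compat) { $flags = [int]$compat.'Compatibility Flags' }

    [pscustomobject]@{
        CLSID             = $clsid
        Name              = $name
        Server            = $server
        SafeForInitialize = ($cats -contains $SafeForInitializing)
        KillBitSet        = (($flags -band $KillBit) -ne 0)
    }
} | Sort-Object KillBitSet, Name | Format-Table -AutoSize
```

    Rows with KillBitSet false are the controls a web page can still instantiate and script; each one deserves the same question the bulletin answers for the UA Control, namely whether its methods are harmless when driven by an untrusted page.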

    Why doesn't one of the OSS word processors include a Mr Hankey office assistant?

    Every so often you'd get that slide guitar followed by, "Hidy ho! Hidy Ho guys!" and a big brown jobbie wearing a hat would appear to guide you through the process.

    "Seems to me that you're tryin' to type a letter!"

    --
    I'm out of my tree just now but please feel free to leave a banana.

  12. Re:What?? A patch?? by daviddennis · · Score: 5
    Never!

    Binky the Talking Paper Clip is Immortal!

    I realized why when I analyzed my own behaviour.

    In the good old days, when I asked for assistance on any Microsoft(tm) product, the help system was startlingly inept at providing same. So what would I do? Why, curse Microsoft and try and figure it out on my own, of course.

    Now we have a modern, sleek, polished system, complete with a glorious cartoon character who's going to offer friendly assistance and tell us what to do.

    A big improvement, of course! So, when I ask for help and get answers that are even worse than under the old system, what do I do?

    Why, curse that (bleep) paper clip, of course! Microsoft is an Innocent Creator of Brilliant Software, it's Binky the talking paper clip I blame.

    It's a neat emotional transformation, but I'm willing to bet it's worth millions to Microsoft.

    Oh, by the way, I'd like to endorse the following link on Binky:

    Binky on the Witness Stand

    D
    ----