Office Assistant: Yet Another Security Hole
A lot of people have been submitting the news from ZD-Net concerning the security hole found in the Microsoft Office Assistant, Satan the Paper-Clip. Er...rather, "Clippy". Dildog, of @Stake, found the hole, which is quite similar to the recent Outlook security that allows for automatic scripting.
It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary and that he will rebel against the glass ceiling that prevents him from getting promoted by closing each document the user creates, without saving, after he has it open for 15 minutes.
ByteMyCode.com: A Web 2.0 code sharing community.
Found an article here, that ought to be good to print out and put on your CIO's desk. It's titled Microsoft: A Proven Danger to National Security. (Warning - it's a PDF file.) Microsoft ought to find it interesting reading, anyway.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
[Yes, please help me] or [No thanks] (greyed out)
What next, a picture of an ActiveX scripting component painted on a cat to pop up and go "Script kiddie detected." followed by another message saying "Your security settings have changed, please reboot for these settings to take effect" ?
When you are going to release a product that allows so much interoperability, one would assume that those very functions that allow that interoperability would be slammed, nuked, beaten and in every way imaginable explored, repaired, and THEN the software released.
But it appears that MS is relying on the general public to act as its beta testers, to search out and discover these holes. They are complacent, non-proactive, and basically riding on the assumption that people will continue to use their products no matter how low the quality level goes.
This is one area.. where the communities like Open Source can really shine. Because opening your code to peer review keeps you on your toes. It allows different minds to work together cooperatively to create a better software package. And in the end, everyone benefits.
I know this is a bit of a rehash of stuff I have said before, but since we all know that MS is paying very close attention to everything written here on /., maybe repeating some basic concepts will beat the idea into their brains...
One can always hope...
Check out Magic Firesheep!
The patch is available at http://download.microsoft.com/download/office2000pro/Uactlsec/2000/WIN98/EN-US/Uactlsec.exe, with instructions available at http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm
Microsoft states in their FAQ:
Sure. This time it's a simple error in labelling. What will it be next time? How many more simple marking errors lurk in Office or IE?
Binky the Talking Paper Clip is Immortal!
I realized why when I analyzed my own behaviour.
In the good old days, when I asked for assistance on any Microsoft(tm) product, the help system was startlingly inept at providing same. So what would I do? Why, curse Microsoft and try and figure it out on my own, of course.
Now we have a modern, sleek, polished system, complete with a glorious cartoon character who's going to offer friendly assistance and tell us what to do.
A big improvement, of course! So, when I ask for help and get answers that are even worse than under the old system, what do I do?
Why, curse that (bleep) paper clip, of course! Microsoft is an Innocent Creator of Brilliant Software, it's Binky the talking paper clip I blame.
It's a neat emotional transformation, but I'm willing to bet it's worth millions to Microsoft.
Oh, by the way, I'd like to endorse the following link on Binky:
Binky on the Witness Stand
D
----