Slashdot Mirror


Holes in PowerPoint and Excel

jeffy124 writes: "Looks like it's time for IIS and Outlook to make room on the pedestal of security holes. Just about every recent version of PowerPoint and Excel is vulnerable to being taken over to control the system remotely. The hole is macro-related, as it's possible to bypass asking the user if they'd like a macro to run. Microsoft's advisory can be found here." Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?

277 comments

  1. Macs too by liquide · · Score: 2, Informative

    This vuln. works on Mac Office 2001 (and 98) too.

    1. Re:Macs too by liquide · · Score: 1

      arr, stupid html checker, this message is plain old text!!! subverted link: http://www.microsoft.com/mac/download/office2001/pptxlmacro.asp

    2. Re:Macs too by Maserati · · Score: 2, Funny

      Lovely. When Mac users complain about feature parity with Office for Windows, this is not what we mean.

      --
      Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
    3. Re:Macs too by Anonymous Coward · · Score: 0

      What's interesting is that this bug was fixed for Mac Office 98 in 1999! (This going by build numbers that are not affected by the update.)

      Apparently, it was re-introduced in Office 2001 and never fixed or missed in Windows versions.

    4. Re:Macs too by toolman_nick · · Score: 1

      I thought the most interesting thing about this is it was reintroduced, you think that they would have fixed it once and for all... that is microsoft for ya.....

  2. OpenOffice.org by Troed · · Score: 2, Interesting
    This does fit in very nicely with stable betas of OpenOffice.org and of course Sun's version StarOffice. Talk to your manager, show them that you can do everything you need to do at work with free software, that as a side-benefit doesn't allow people to take over your computers.


    It does work.

    1. Re:OpenOffice.org by Tom7 · · Score: 3, Insightful


      What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

      I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

    2. Re:OpenOffice.org by Troed · · Score: 2, Insightful
      Microsoft sat on this fix for two months - does the opensource community do the same?


      I haven't evaluated scripting in OpenOffice though, can someone comment on the possibility for malicious code being run there at all?

    3. Re:OpenOffice.org by Tom7 · · Score: 2, Insightful


      OK, that's fair -- I suppose the corporate machine is typically slower at responding to a bug than the free software community. (Though, if you read bugtraq, you'll know that there have frequently been cases of much longer delays in commercial and free software alike!)

      However, I think a better metric than how quickly things are patched is the number of holes in the default install. Most users don't install patches, anyway, so this is what really matters for them.

    4. Re:OpenOffice.org by yota · · Score: 1

      > I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

      Nobody ever said that Free is magically secure, only that it is easier to fix the holes since everybody can modify the source

    5. Re:OpenOffice.org by Jebus_the_spork · · Score: 0

      i bet it is magically secure because nobody uses it! far more people use microsoft office products than star office, or similar suites. If nobody uses it, the security is not tested nearly as much.

      --
      I didn't think it was physically possible, but this both sucks and blows - Bart Simpson
    6. Re:OpenOffice.org by Anonymous Coward · · Score: 0

      The best protection is to keep your eye on the security bulletins and refrain from using "known" exploitable versions of any software commercial or opensourced. Additionally, if you have the resources, evaluate the source code of the software you use and its behavior on a network. Keep enough surplus in your systems that you can painlessly install (e.g. BIND 9) without affecting service.

      But where do you turn when you're locked into a single vendor, who is not only slow in responding to security problems, but seems to refute the idea of security at all ala dotNet.
      (or as I prefer to call it the hole in your NET, get it the dot's a hole)

    7. Re:OpenOffice.org by Anonymous Coward · · Score: 0
      I haven't evaluated scripting in OpenOffice though, can someone comment on the possibility for malicious code being run there at all?
      Sure, but it's sandboxed.
    8. Re:OpenOffice.org by Joseppi+Blauinski · · Score: 0

      Well said/written. Come on in, Anonymous Coward, and be known to /.

      Air Force Come and Dey Flatten Your Home

    10. Re:OpenOffice.org by Error27 · · Score: 2

      Buffer overflows are one thing... I can't really blame Microsoft for Code Red, for example.

      But Microsoft's scripting bugs are a different story. As a general rule, computers should not execute foreign code without asking. That's just common sense to anyone except Microsoft. :(

      Ah well... At least no one has written a really harmful virus so far.

    11. Re:OpenOffice.org by Anonymous Coward · · Score: 0

      I just hope it didn't take 10 seconds for it to appear on my screen.

    12. Re:OpenOffice.org by Tony-A · · Score: 1

      It's not that software not written by Microsoft is somehow magically secure. It's that software written by Microsoft is magically insecure.
      I doubt that Open/Star Office are immune, but they are unlikely to be so ridiculously susceptible.
      There have been bugs in sendmail &co. There are probably a few left, but they are getting harder and harder to find. If anything, Microsoft is getting easier to exploit.

    13. Re:OpenOffice.org by *nix_rules · · Score: 1

      At least it is not as buggy as Microsoft products. Look at the amount of security loopholes in M$ products and compare them with the open source alternatives.

      --
      The day Microsoft produce a product that does not suck is when they sell vacuum cleaners.
    14. Re:OpenOffice.org by Stephan+Schulz · · Score: 3, Insightful
      What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

      I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

      There are two aspects here. First, while you are right that other groups also have written buggy and insecure software, Microsoft's record is particularly abysmal. Most of the big holes in free software were found early on, at the time the internet just started booming and no one had experience with security. We may not yet be perfect, but we have been learning a lot.

      The second aspect is even more important. A monoculture is always more susceptible to attack than a diverse ecosystem. If we use more different tools, we will survive viruses and worms a lot better. Consider Code Red: If it hit a host with Apache, it did not use this host for further propagation. Not only did the server stay up, the spread of the virus also slowed down.

      So having many different (but preferably interoperable) software systems is inherently beneficial. And yes, this applies to BIND just as well as to Microsoft.

      --

      Stephan

    15. Re:OpenOffice.org by Anonymous Coward · · Score: 0

      I'd like to make such an evaluation.

      Unfortunately there's not a big enough population sample of people running the 'open source alternatives' for it to be a statistically meaningful comparison.

      We will have to come back for this comparison when Open Source isn't a room full of twisty passages leading in all directions. If that day ever arrives.

  3. it was inevitable by Anonymous Coward · · Score: 1, Insightful

    I would expect nothing less from Microsoft. A secure program never gets released because you might never need to upgrade, and you won't need patches. In fact, I wonder if they maybe don't actually make sure that stuff isn't totally secure and bug free.

  4. Windows and Macintosh by dafoomie · · Score: 5, Funny

    Customers using Microsoft® Excel or PowerPoint for Windows® or Macintosh®

    I guess Mac users can stop complaining that they don't get all the features of the Windows version.

    1. Re:Windows and Macintosh by Microsift · · Score: 1

      Actually, I prefer the Mac version (I run 2000 on my PC at work and 98 on my Mac at Home) Since the development cycle for both products is not synched, Mac Users get some features before Windows users and vice versa. (Unfortunately, we both got this "feature" at the same time)

      --
      My other sig is extremely clever...
    2. Re:Windows and Macintosh by sharlskdy · · Score: 1

      I thought it was interesting that Microsoft has achieved a significant milestone with this particular security problem: It's entirely cross-platform. Is this a clue, perhaps, as to why they disdain Java?

  5. One more hole by entrox · · Score: 4, Insightful

    Is this really a surprise? I was under the impression, that all macro-enabled applications under windows (office suite) shared such vulnerabilities, because they most probably use the same scripting engine.

    One exploit serves all ;)

    --
    -- The plural of 'anecdote' is not 'data'.
    1. Re:One more hole by dougmc · · Score: 0
      Actually, any macro-enabled application written by anybody could have these sorts of vulnerabilities, depending on how powerful the macro language is.

      If you run untrusted code, then you get what you deserve. It does *ask* for permission to run the macro, right?

    2. Re:One more hole by Darby · · Score: 1

      If you run untrusted code, then you get what you deserve. It does *ask* for permission to run the macro, right?

      Of course not.
      *That* is the exploit.
      Read first then post.

    3. Re:One more hole by PingXao · · Score: 1

      You obviously haven't read the article.

      Mod points! Mod points! My Knigdom for some mod points!

      Can somebody please knock this down a point or 2? TIA.

    4. Re:One more hole by zerocool^ · · Score: 5, Funny

      One exploit to rule them all
      One hacker to find them
      One macro to bring them all
      And in the darkness bind them.
      --
      sig?
    5. Re:One more hole by rhammack · · Score: 1

      ....In the land of Redmond where the darkness lies

      --
      "Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our
    6. Re:One more hole by jimbolaya · · Score: 1

      What I think Microsoft, or anybody who has a macro language for their application, needs to implement is a "sandbox" or different security levels. Right now, it's all or nothing; Office may warn that the document contains a macro, and ask for permission to run it, but from there it becomes an "all or nothing" deal. The majority of legitimate macros will work only with the document in which they reside. They'll change the formatting, move paragraphs around maybe. It doesn't seem likely that a legitimate virus will need access to the file system, but if it does, the user should be prompted for permission. There should be a series of questions; i.e., "This document contains a macro. Do you want to grant it permission to run?" "...Do you want to grant it permission to delete the file 'whatever.doc' from your computer?" "...Do you want to grant it permission to access your address book?" While it might sound like an endless stream of such questions would get cumbersome, I maintain that the majority of legitimate macros will operate only within the current document, and won't want to access the file system or address book, so the annoyance would be infrequent. Compare this to signed applets in Java. They work much the same way.

      --

      There ain't no rules here; we're trying to accomplish something.

    7. Re:One more hole by Anonymous Coward · · Score: 0

      And how much is your 'knigdom' worth?

    8. Re:One more hole by Anonymous Coward · · Score: 0
      Actually, the way I read it, this hole exists because the security framework is not implemented in the shared macro processor, but separately for each application.

      Thus, you can fool the application-specific macro detector into thinking the document does not have any macros even though it does, and the default "run everything" takes care of the rest.

      If the macro processor actually asked for explicit permissions before running, this particular hole wouldn't exist.

      Disclaimer: I haven't read the source or even WinAPI docs. This is an educated guess.

      //Too lazy to log in

    9. Re:One more hole by Tony-A · · Score: 1

      >>It does *ask* for permission to run the macro, right?

      How naive.
      The linked Microsoft site. It asks if I want to run scripts. I say NO. Several times I say NO. It still makes a run-time error in a script and asks if I want to debug. The CodeRed page gives me two run-time errors without running scripts.
      Oh, it will ask for some. But it will run several without thinking of asking. Any, anytime, anyhow, anywhere is enough to breach security.

  6. Opening Microsoft File Formats by Anonymous Coward · · Score: 1, Insightful

    How can the free software community ask Microsoft to open up their file formats, when they don't even know them well enough themselves to properly scan for macros?

    1. Re:Opening Microsoft File Formats by mjfgates · · Score: 1

      Excel's file format is open. The documentation for it is found in... gah... I can't remember the name of the blasted book, but it is freely available (it's from MS Press, of course). Of course, that documentation is wrong in a few places, and it doesn't include some things like the new mixed ANSI/Unicode string table format used in Excel 98 and later versions, but it's possible to figure all that stuff out.

      How do I know? I wrote the file converters to go between the desktop and Windows CE versions of Excel, and what I used was the book.

  7. What are you amazed of? It's just the tradition... by alcachofo · · Score: 1

    Well, I hope that with this problem more guys think about switching to KOffice or StarOffice ;)

    Renegades for ever and the funk never dies...

  8. damn microsoft by Anonymous Coward · · Score: 0

    well it looks like yet another round of updates and constant examination of network logs where i work at RIT

  9. Star Office + linux by linux_warp · · Score: 1, Interesting

    Now I can try to finally convince people that, although it may not be quite as userfriendly or have as good of features, star office in most cases won't compromise their systems.

    Mindwarp

    1. Re:Star Office + linux by Tom7 · · Score: 3


      Not to burst your bubble, but don't forget that Redhat (and many other linux distributions) install with numerous remote root holes. The solution problem is not germane to Microsoft. (You might successfully argue it is a result of poor administration, though.)

    2. Re:Star Office + linux by Anonymous Coward · · Score: 0

      'may not', '(doesn't) have good as features',
      'most cases won't'.

      I AM SOLD!

    3. Re:Star Office + linux by Anonymous Coward · · Score: 1, Insightful
      I'll have to burst your bubble..

      This was true like over a year ago. Now Redhat installs with a firewall (denying all incoming connections by default), and many of the servers that are installed need to be activated manually. The result is that redhat now has one of the most secure default installs of Linux out there.

    4. Re:Star Office + linux by Anonymous Coward · · Score: 0

      Tom7 said....

      Not to burst your bubble, but don't forget that Redhat (and many other linux distributions) install with numerous
      remote root holes. The solution problem is not germane to Microsoft. (You might successfully argue it is a result of
      poor administration, though.)

      Well, not to burst Tom7's bubble, but linux has
      been shipping pretty locked down for over a year now, and easy to lock down before that. I don't
      know what root exploits Tom is referring to but obviously they don't affect any linux machines connected to the Internet or we would have heard about all the compromised machines by now. And yet we hear nothing!

      Funny that Linux is supposedly more vulnerable, and has more Internet servers, and yet they never suffer the viruses that take down MS servers almost weekly now.

    5. Re:Star Office + linux by Black+Copter+Control · · Score: 0, Flamebait
      Linux installs don't seem to be as stupid as Microsoft. Even though the Linux is generally described by Microsoft geeks as a server system, the default setup for Redhat 7.1 Linux does NOT have the kinds of things enabled that would allow the Nimda virus to run. You have to explicitly tell it that you're going to be running a web server.

      Even presuming that Apache was as horridly insecure as IIS is, a user would actually know that (s)he was running a web server. Then you have things like Microsoft quietly replacing unstuffit on the Mac with their own version which has an extremely glaring security hole of automatically executing binhex binaries.

      Microsoft has shown every sign of not giving a rat's ass about security. From what I'm hearing, patches that might have protected users from Nimda were uninstalled by later Microsoft patches(!).. then you have that Microsoft executive who was pooh-poohing people (re) downloading the patch as being "unnecessary".

      Yeah.. but Microsoft's line is that it's all the users' fault.
      That sort of attitude is consistent with being a psychopath, if the company were a person. If Microsoft is unwilling to take responsibility for its lax attitude towards security, people are going to continue to get goat-sexed by their software. Given that they refuse to give general users access to their source code, it shouldn't be the user's responsibility to test every patch to see if it undoes a previous security fix.

      Microsoft demands that users place themselves at the mercy of Microsoft, then blames the user when due diligence results in software being installed that's horribly insecure -- even after religiously installing every general and/or security patch as Microsoft releases them. That's why I prefer to do my real work on Linux boxes.

      At least with Linux, people have the ability to check the changes that are being made by a patch. It only takes a couple of people to find the problems in a patch.. then they can pass the information on to the rest of the user community. With Microsoft's normal licensing limitations, those people who do have access to the source code still can't tell people that Microsoft has shafted them (once again).

      --
      OS Software is like love: The best way to make it grow is to give it away.
    6. Re:Star Office + linux by Anonymous Coward · · Score: 0

      You Have Been Trolled.

      Even then, linux exploits are different. Some of them (like most buffer overflows) are true if the hacker has a telnet account and gets root. Others are vulnerabilities of network servers.

      But obviously, the one who wants to use linux as a home PC for document processing and secretary work, will not run the network servers or even more give telnet accounts to the students.

      Have I Been Trolled ?

    7. Re:Star Office + linux by Black+Copter+Control · · Score: 1
      harumph! I didn't intend it as flamebait. I think that calling it a flame would have been more accurate. I really do think that it's time for us to take off the kid gloves when it comes to dealing with, and describing, Microsoft's slack-ass attitude towards security.


      Put some heat under Bill Gates' royal butt. Perhaps that will cause some movement.

      --
      OS Software is like love: The best way to make it grow is to give it away.
  10. Suits? No. Teachers? Yes. by keesh · · Score: 1

    I've not seen a suit fiddle with a presentation. I have, however, seen five hours (yes, 5) wasted by several teachers at my school in putting together a few crappy slides for an assembly. They could have made a better job of them by hand in a tenth of the time.

    But now... I could, erm, improve the content. Say, replace the word 'Ethos' with something less buzzwords, and add a few more interesting graphics...

    *must*... resist... urge... to put in goatse comment...

    1. Re:Suits? No. Teachers? Yes. by luckykaa · · Score: 3, Insightful

      I did a presentation skills course. One of the rules was not to use slides at all unless you really need them. You simply don't need a slide that says we sold 100 000 units if you can just tell them.

      Powerpoint - like a lot of modern software - reverses this rule by making the user subordinate to the software.

    2. Re:Suits? No. Teachers? Yes. by Waffle+Iron · · Score: 2, Offtopic
      In my day, every teacher was proficient in cranking out mimeographs with purple ink. They used a big heavy machine with a crank on the side, and wasted no time doing it. Typing mistakes were corrected with hand scribbles.

      We didn't need no friggin PowerPoint presentations. I wouldn't want to view a presentation that doesn't have that distinctive purple ink smell.

    3. Re:Suits? No. Teachers? Yes. by Hast · · Score: 1

      Not sure if I agree with that.

      If the fact that you sold 100 000 units is central to the presentation then make it a slide. I would bet that if you do make a slide then many more will remember the message afterwards. (A lot of the stuff I have seen on slides have however not been worthy of being remembered though.)

      A lot of people would need a lesson in how to use slides. (A good general rule that I learned in a course about presentation technique is that the information content of a speech is inversely proportional to the amount of animated gimmicks in the slides.)

    4. Re:Suits? No. Teachers? Yes. by Black+Parrot · · Score: 2, Insightful


      > I did a presentation skills course. One of the rules was not to use slides at all unless you really need them. You simply don't need a slide that says we sold 100 000 units if you can just tell them.

      I disagree. Some people absorb what they hear better than they absorb what they see, but for others it is just the opposite.

      > Powerpoint - like a lot of modern software - reverses this rule by making the user subordinate to the software.

      Yes. In particular, PP tempts presenters to add piles of useless and distracting bells and whistles to their presentations, with the result that the audience's comprehension goes down.

      Comes to mind the story from last(?) year, where the Pentagon cracked down on presentations because all the audio files for machinegun fire in the background of PP presentations were eating up all their disk space. I have difficulty imagining any presentation that would be helped by the sound of machinegun fire.

      However, the problem is not so much PowerPoint, but rather the stupidity of the average PP user.

      --
      Sheesh, evil *and* a jerk. -- Jade
    5. Re:Suits? No. Teachers? Yes. by Anonymous Coward · · Score: 0
      and don't forget the "OHP cramp", where the drawn out pose required to write and not block the projection caused the teacher to fall on the screaming in a hideous mess.

      ...or the kids making rabbits with their hands.

    6. Re:Suits? No. Teachers? Yes. by unitron · · Score: 2

      Ah, mimeograph fluid. Long before we were old enough to realize that "getting high" had nothing to do with aviation, the next best thing to Weekly Reader day was taking a deep breath as the handouts went 'round. :-)

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    7. Re:Suits? No. Teachers? Yes. by unitron · · Score: 2
      "You simply don't need a slide ... if you can just tell them."

      You are obviously an infidel who does not worship at the Holy Shrine of Charts and Graphs. Heathen.

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    8. Re:Suits? No. Teachers? Yes. by _Quinn · · Score: 1

      Many people /do/ have different learning styles, but the purpose of a presentation is almost never teaching. That aside, if you use slides, your audience must choose to pay attention to you or to your slides; PowerPoint encourages the latter to the detriment of any presentation. Finally, if your slides can carry the presentation, why are you bothering with doing a presentation?

      I'll also note that I have /never/ seen a presentation use slides to its overall benefit, though the best of them had good reasons for having slides.

      -_Quinn

      --
      Reality Maintenance Group, Silver City Construction Co., Ltd.
    9. Re:Suits? No. Teachers? Yes. by IronChef · · Score: 2

      I have difficulty imagining any presentation that would be helped by the sound of machinegun fire.

      I have been to many presentations that would have been improved were I there with an actual machine gun, making noises with it.

  11. Macros and scripting by Alsee · · Score: 3, Interesting

    Hasn't anyone at Microsoft noticed yet that macros and scripting are very dangerous features? They are executable code! They should be avoided if possible. When implemented they should have restricted functionality (why the hell does a macro need to be able to delete files?!?), and they need to be scrutinized for bugs and holes more closely than almost any other piece of code.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    1. Re:Macros and scripting by entrox · · Score: 2, Insightful

      Macros and scripting are a very useful thing. I wouldn't want to miss them. The only thing, which Microsoft should avoid is letting simple documents contain (pot. dangerous) macros. They should be cleanly separated. This would eliminate most of the recent macro attacks.

      --
      -- The plural of 'anecdote' is not 'data'.
    2. Re:Macros and scripting by reynaert · · Score: 4, Insightful

      It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

      On Unix, lots of applications have extremely powerful scripting languages. Just think about the stuff you can do with Emacs (elisp) and the Gimp (which uses guile, a full Scheme interpreter). But the user has to explicitly install them. They aren't hidden away in some document.

    3. Re:Macros and scripting by Ian+Bicking · · Score: 2
      Emacs does include some features that are equivalent to these sort of macros. They are disabled by default, but I don't believe there is any other security -- i.e., you can't turn them on and have them run in a sandbox or anything.

      I can't remember the exact syntax, but you can put elisp statements in a comment section of the file and have Emacs execute them when opening the document. Since it's not that easy to turn the feature on (I can't remember how), it's unlikely to ever be used widely enough to become a vector. For Emacs' problem space, there are a number of non-scripting solutions that mostly fill the need.

    4. Re:Macros and scripting by cybaea · · Score: 5, Insightful
      It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

      On Unix, lots of applications have extremely powerful scripting languages. Just think about the stuff you can do with Emacs (elisp)...

      Actually, Emacs mixes data and code in the same way. Check the File Variables section in the info system, and in particular the enable-local-eval variable. Basically, you can set buffer local variables by embedding the commands for this at the end of the file. One of these variables is 'eval' :-). Thus spake RMS:

      The `eval' "variable," and certain actual variables, create a special risk; when you visit someone else's file, local variable specifications for these could affect your Emacs in arbitrary ways. Therefore, the option `enable-local-eval' controls whether Emacs processes `eval' variables, as well as variables with names that end in `-hook', `-hooks', `-function' or `-functions', and certain other variables. The three possibilities for the option's value are `t', `nil', and anything else, just as for `enable-local-variables'. The default is `maybe', which is neither `t' nor `nil', so normally Emacs does ask for confirmation about file settings for these variables.

      In this sense Emacs is just as guilty as Microsoft Office. Just because it's Free doesn't mean it is without security free. (But the fact that the average person using Emacs is more clued in than your Power Point suit, does help...)

      --
      Hi!
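
The rule quoted from the Emacs manual in the comment above, turned into a check that can be run on a file before opening it (an added example, not part of the original comment and not Emacs's own code). The 3000-character search window, the `-*-` first-line form and the prefix/suffix handling are a simplified reading of the file-variables format, and the sample files are constructed.

```python
import re

# Names the quoted manual text says are gated by `enable-local-eval`.
RISKY_SUFFIXES = ("-hook", "-hooks", "-function", "-functions")
TAIL_WINDOW = 3000  # assumption: only the last 3000 characters are searched


def is_risky(name):
    """True for `eval` and for hook/function variables, per the quoted rule."""
    name = name.lower()
    return name == "eval" or name.endswith(RISKY_SUFFIXES)


def parse_prop_line(text):
    """Settings from a `-*- var: value; var: value -*-` first line."""
    lines = text.split("\n", 2)
    # A `#!` interpreter line pushes the -*- line down to line two.
    line = lines[1] if lines[0].startswith("#!") and len(lines) > 1 else lines[0]
    m = re.search(r"-\*-(.*?)-\*-", line)
    if not m:
        return []
    body = m.group(1).strip()
    if ":" not in body:                      # bare `-*- c -*-` only names a mode
        return [("mode", body)] if body else []
    found = []
    for part in body.split(";"):             # naive split: can only over-report
        name, sep, value = part.partition(":")
        if sep and name.strip():
            found.append((name.strip(), value.strip()))
    return found


def parse_tail_block(text):
    """Settings from the `Local Variables:` ... `End:` block near end of file."""
    tail = text[-TAIL_WINDOW:]
    tail = tail[tail.rfind("\f") + 1:]       # only the last page is considered
    lines = tail.split("\n")
    for i, line in enumerate(lines):
        m = re.search(r"Local Variables:", line, re.IGNORECASE)
        if m:
            break
    else:
        return []
    # Comment decoration around the header must repeat on every setting line.
    prefix, suffix = line[:m.start()], line[m.end():].strip()
    found = []
    for raw in lines[i + 1:]:
        if not raw.startswith(prefix):
            break
        body = raw[len(prefix):].rstrip()
        if suffix:
            if not body.endswith(suffix):
                break
            body = body[:-len(suffix)]
        name, sep, value = body.strip().partition(":")
        if not sep or name.strip().lower() == "end":
            break
        found.append((name.strip(), value.strip()))
    return found


def audit(text):
    """Return (risky, benign) lists of (name, value) file-local settings."""
    settings = parse_prop_line(text) + parse_tail_block(text)
    risky = [s for s in settings if is_risky(s[0])]
    benign = [s for s in settings if not is_risky(s[0])]
    return risky, benign


# Constructed sample: ordinary formatting settings only.
SAMPLE_NOTES = (
    "Meeting notes\n\n"
    ";; Local Variables:\n;; fill-column: 72\n;; mode: text\n;; End:\n"
)
# Constructed sample: a C file whose trailer carries code-bearing settings.
SAMPLE_HOSTILE = (
    "/* -*- mode: c; tab-width: 8 -*- */\n"
    "int main(void) { return 0; }\n"
    "/* Local Variables: */\n"
    '/* eval: (message "this ran on open") */\n'
    "/* after-save-hook: ignore */\n"
    "/* End: */\n"
)
# Constructed sample: same trailer pushed outside the search window.
SAMPLE_BURIED = SAMPLE_HOSTILE + "padding line\n" * 300

if __name__ == "__main__":
    for label, sample in (("notes", SAMPLE_NOTES), ("hostile", SAMPLE_HOSTILE)):
        risky, benign = audit(sample)
        print(label, "risky:", risky, "benign:", [n for n, _ in benign])
```
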
    5. Re:Macros and scripting by dvdeug · · Score: 2

      Emacs also has the advantage that you can scroll down to the bottom of the page and see the virus in plain text. Even the most computer ignorant people will know something's wrong when the bottom of the document is filled with computer code.

    6. Re:Macros and scripting by ianezz · · Score: 2
      so normally Emacs does ask for confirmation about file settings for these variables

      Conceptually, it is similar, but there is a difference worth noting: the elisp code in an eval file variable has obviously to be in cleartext within the document, and with the `maybe' default option, the code is expressly shown before asking confirmation for execution. To confirm you have to type ``yes <enter>'' in order to execute it, while the default answer is ``no'', and everything else just makes the confirmation request appear again.

      Basically, what I am saying is that Emacs at least does a good job in attracting the user attention and make people think twice before confirming, or at least discourages the casual user (which is ironic, I believe, since there are probably vastly more Office casual users out there than Emacs casual users).

      BTW, once I heard a story about a sysadmin tired of having to ``fix'' a departmental network printer because it has just run out of paper.

      Eventually, he managed to make appear on the users' screen a dialog window when things went wrong. The message explained that one should check the paper before calling the tech support.

      Calls to tech support for this printer greatly decreased after that, but still there were calls for the empty paper tray.

      So he changed the message (and the code displaying it), and it would read like ``The printer has not printed your documnent, please check if it just run out of paper before calling tech support. In this message there is a typo: press the letter of the typo to close this window.'', and finally calls to tech support just to fill the paper tray finally went to zero.

      If there is a moral to this story (probably fictional, but who knows), it is that things that are not important should look as non important and things that are important (security, wink, wink) should look as important, and not as something you can dismiss just with a click on one of the buttons (to make the problem ``go away'').

    7. Re:Macros and scripting by Anonymous Coward · · Score: 0

      Incorrect. There's no such thing as a "simple document". They should run them in a sandbox. They shouldn't get the entire system's resources to play with.

    8. Re:Macros and scripting by pnutjam · · Score: 1

      Macros in Office are really just VB script, so they have all the functionality of VB.

    9. Re:Macros and scripting by Tony-A · · Score: 1

      Yep, you could sure make some interesting viruses for emacs. Lisp-based, real interesting. Only problem is, you have to convince all these people to arrange things the same way. You'll have better luck convincing the vi-people to use emacs and the emacs-people to use vi. Ever see a blind man run through a room where the furniture has been "re-arranged"? Pity the poor would-be virus.

    10. Re:Macros and scripting by Tony-A · · Score: 1

      >>In this message there is a typo: press the letter of the typo to close this window.
      Cruel, but effective. They have to actually read the message. Otherwise, who has time?

    11. Re:Macros and scripting by Anonymous Coward · · Score: 0

      If we think about it, this is a whole new field opening for extreme "hacker activities" (actually "cracker" or better "intruder who runs her code on your PC"). Let us think of the implications:
      - A new industry for security. Lots of $$$
      - Paranoia can be proved true with many examples. So don't trust anybody but your beloved corporation.
      - Now, at last, NSA can really use those features to spread innocent viruses which don't do any harm, except open an innocent backdoor into your system.
      - The net will really become a marvellous world of information!

      Just don't force me to use windoze, by means of closed-spec hardware.

    12. Re:Macros and scripting by soboroff · · Score: 1

      Well, yes, but I remember when the Melissa virus first went around. There was a big discussion on the Gnus mailing list (Gnus is the flagship email client for Emacs, but of course there are 4 or 5 others ;-) about whether one could use Elisp in messages to Gnus to circulate a virus.

      There were a lot of honest attempts, and some great snippets that really showed the power of Elisp, but in the end, we just couldn't do it. You couldn't actually get the code to do anything malicious.

      I still make an effort to read the macro virii I get sent via email (Gnus displays them nicely as text). Funnier than the morning news.

  12. Educate the users by Red+Aardvark+House · · Score: 3, Interesting

    At my job, the IT tech gave instructions to all users to disable macros on all incoming attachments in Excel and Word, or not to even open them at all if they're not sure.

    It's not foolproof but it does make the people at my job aware of one of the many ways that viruses are spread.

    --

    I like fire ants. They are very spicy!

    1. Re:Educate the users by pnutjam · · Score: 1

      Wouldn't help here, the whole point of this hole is that it is possible for the programmer to hide the Macro so that it runs without asking the user's permission, kinda' like that annoying kid in the neighborhood who follows you in the house when you're unloading your groceries.

    2. Re:Educate the users by equalize · · Score: 1

      Where I work, we have some neat templates that use Macros so having them completely disabled isn't an option. Luckily before we switched to word97, the Melissa virus came out and we were alerted to problems with the macros so we have a box that comes up and allows users to enable Macros if they think it's necessary. It looks very microsoftish, maybe it comes with word and you can set it via something as easy as security levels but I'm sure it's quite easy to either make or enable.

      We have educated users to think that if they click yes and it's not a template that we have provided them that they could a. lose work, b. give access to confidential documents to people who should not have access to them. We have not had any problem with macro viruses with people who are regular employees. We have had trouble with visitors using someone else's computer, but I guess that comes with the territory a bit.

      We also spread similar information about opening Outlook attachments or going to websites that could be considered inappropriate.

      It seems to work and since we give users guidelines on what not to do with the computer they feel safer (as we do) about using the computer.

  13. MS Choice, No Accident By Corporate IT by joel_archer · · Score: 0, Flamebait

    I wonder how many Corporate IT Depts have deployed Microsoft products precisely BECAUSE they are so full of vulnerabilities. It offers ongoing access to CEO, CFO, and BOD computers! Hard to keep a secret about future corporate plans. In addition, it's a way of doing constant ongoing surveillance of employees.

  14. This hole could be in more versions that listed! by Troed · · Score: 4, Interesting
    Taken from Microsoft's website:

    Tested Versions:
    Microsoft tested the following products to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

    Office 98 for Macintosh
    Office 2001 for Macintosh
    Office 2000 for Windows
    Office 2002 for Windows

    Do note - just because older versions aren't supported Microsoft won't check if the hole is there!

  15. next worm by Harbinjer · · Score: 2, Interesting
    anyone wanna wager how long it will take for some worm to exploit this? I know it can't spread as easily as an outlook worm, because excel doesn't do communication like outlook, but still, this could be nasty. If paired with the next outlook/IIS security hole, it could be just as bad.

    Is the hole exploitable in Mac OS X? Does the unix architecture and security prevent this from being a problem?

    1. Re:next worm by TheMidget · · Score: 1
      anyone wanna wager how long it will take for some worm to exploit this?

      How about Sunday October 14th, 16h27 GMT? In a way, it would be kinda counterpart for Nimda, if you see what I mean...

  16. Must be a slow news day... by Microsift · · Score: 3, Offtopic

    If a story about a vulnerability in Microsoft created software is considered news.:)

    --
    My other sig is extremely clever...
    1. Re:Must be a slow news day... by Anonymous Coward · · Score: 0

      Yep ... slow news day. Nothing going on. Bored ...

    2. Re:Must be a slow news day... by Black+Parrot · · Score: 1


      > If a story about a vulnerability in Microsoft created software is considered news.:)

      Yeah, I've been trying to get Rob to just provide a "Top 10 Microsoft Exploits" slashbox, to free up the headlines for stuff that matters.

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:Must be a slow news day... by Tony-A · · Score: 2, Insightful

      Vulnerability: not news.
      Microsoft attempting to do something about it: news.
      Microsoft fixing vulnerability in old versions: would really be news.

  17. So what? by reynaert · · Score: 5, Insightful

    These things first appeared in 1996 or so. Word.Concept or what was it called. Microsoft responded by disabling the AutoLoad macro (or whatever it's called). Now somebody found a new way to make Excel/etc. execute stuff when loading a file. Big deal.

    I wonder why virus writers bother at all. They can just put a button labeled "Click here" on the page, and 95% of the lusers will click it. The only defense against that is just disabling all macro support. And everybody knows that isn't going to happen.

    1. Re:So what? by hackerhue · · Score: 1

      They would get more people clicking if they labelled the button "Don't click here."

      --

      To get something done, a committee should consist of no more than three persons, two of them absent.

    2. Re:So what? by Lumpy · · Score: 2

      Sorry, but corporate last week sent down an order to disable all scripting and macros in all office apps.

      The response from the 2.2 million users on our network was 20 people whined. Corporate's response was protecting 2.2 users from viruses while disabling useless features was worth it. Those 20 will have to live with it or find employment elsewhere. This is the same group that set up the firewall and email servers to strip all attachments and to begin a no-attachment policy for email. Internal users are required to use FTP and Server shares for file transfers external users are required to use password protected FTP downloads.

      It's about time too.. I was getting sick of people sending everyone 50Meg presentations and images that are "cute". By forcing people to put effort behind sending a file it reduces the amount of crap clogging the corporate bandwidth.

      Now If I could convince them that outlook and exchange need to be changed to at least CC:Mail or some stable and secure groupware suite.

      --
      Do not look at laser with remaining good eye.
    3. Re:So what? by zerocool^ · · Score: 2

      Corporate's response was protecting 2.2 users from viruses...

      Sounds like windows update.

      ~z

      --
      sig?
    4. Re:So what? by Anonymous Coward · · Score: 0

      >This is the same group that set up the firewall and email servers to strip all attachments and to begin a no-attachment policy for email.

      I wonder if it can detect and strip uu-encoded files pasted into the body of the email?

      If I ever work there I'm going to find out...

      And with 2.2 million users, you can bet someone already thought of that (and the rest) and is doing it right now. Check for binaries starting with uuencode on your system. I'll bet I'm right...

      >Those 20 will have to live with it or find employment elsewhere.

      Or they will whine to their bosses. If they are high up enough they'll get their own laptop and 'net connection. Or at least that's what happens when we block stuff at my workplace.

      Hello security, bye bye cash!

      >It's about time too.. I was getting sick of people sending everyone 50Meg presentations and images that are "cute". By forcing people to put effort behind sending a file it reduces the amount of crap clogging the corporate bandwidth.

      Why not just auto-delete any email larger than, oh, say, 100 k?

      There's also a good chance there's a user doing what I did when there was too much security where I worked: Install a secure tunnel to another machine. Feel free to firewall my home machine, I'll just use the IP-over-DNS hack that someone invented a couple of years ago. Failing that I'll just get a dial up account and therefore a new IP all the time. I find it unlikely that you'd firewall an entire netblock.

      The only way you can really prevent these things is through education. Either that or you can try to ferret out users like me. Good luck!

    5. Re:So what? by evbergen · · Score: 1

      Hm. I'd say that there should be a very explicit question answered by the luser before a "document" can even make a "Click here" button (with a nasty action resulting from it) appear at all.

      It should only be possible to cross the border between 'data' and 'program' after the user is presented with a very clear message about what he/she is about to do: allowing a new *program*, that's embedded in a *document*, to really do anything it wants with his/her computer.

      Any attempt at stopping these worms without enforcing that border is futile, IMHO.

      --
      All generalizations are false, including this one. (Mark Twain)
    6. Re:So what? by Lumpy · · Score: 2

      Dial-up account... Nada, no modems buddy, and you would have to order a phone line installed to get an analog line anywhere near your desk, The phone system filters out all non-voice communications, so an acoustical coupler or a converter will not work. You'll run the line from the fax machine you say? good luck. The fax machine IS on an analog line, but it is placed in a media center that has no cubes near it, you'd have to run your own line up to the ceiling and over to your cube, good luck doing that during business hours without others seeing you and knowing what you are doing. All work must be done with prior approval and a security guard must be with the workmen at all times.. Pop a ceiling tile without a work order and Out the chute you go.

      Everything is either NT or Linux based, so you need to crack the admin password to install a modem. No W2000 here, that ensures no USB devices can work. (See NT4.0 does have security!)

      Corporate went overboard this past month on security, it's really really tight. You can't do what you say you can here......

      Except... for one small thing, and they say 128Bit encryption is unbreakable......

      The 802.11b wireless network, sit in your car and crack the network like an egg in 23 minutes.
      All because the security guys think they know everything.... Oh well, I have my "I told you so" already on file :-)

      --
      Do not look at laser with remaining good eye.
  18. BOD? by jeffy124 · · Score: 1

    Care to explain?

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:BOD? by caseydk · · Score: 1

      Board of Directors.

    2. Re:BOD? by trentfoley · · Score: 1

      That would either be: Black Orifice of Death, or perhaps, Board of Directors.

    3. Re:BOD? by unitron · · Score: 2
      BSOD

      Bored Sick Of Directors

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  19. Fixes on Office Update by Anonymous Coward · · Score: 0

    http://office.microsoft.com/ProductUpdates/

    .EXE Patches are also available. They can be distributed to client machines using sign-on scripts and some custom coding. They're not nearly as automated as I'd like, but they're getting better.

  20. proof? by kwallace01 · · Score: 0

    I didn't see any proof of concept. Can anyone point me in the right direction?

    --

  21. Really? by Zero__Kelvin · · Score: 2


    " Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?"

    Funny ... I always thought it was the 'Ones.' I have always found that 'suits' have less difficulty managing streams with an inordinate number of 'Zeroes' in them. Too many ones and it gives the poster of this article a marked advantage in his/her efforts to over-generalize.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  22. Scripting and office suites by gimmie_prozac · · Score: 2, Interesting
    The article does not address this question, so I'll ask it here.

    This does not seem to be a problem unique to Microsoft Office. Wouldn't this type of security hole be possible in any office suite with scripting/macro capabilities? Do KOffice or StarOffice not support macros (I've never used them, so I don't know)?

    Kudos to MSFT for making a patch immediately available, but I must say that MSFT's constantly having to play catch-up with security holes does not make me real confident in .NET's data safeguard capabilities.

    1. Re:Scripting and office suites by jeffy124 · · Score: 2

      I don't know about K or Star Office, I've never used them either.

      My guess (just a guess, don't flame if I'm wrong) is they do use macros, but those macros don't have the same privileges as MS's macros do. For example, does a macro really need complete access to the filesystem of the machine? That's one of the things a macro virus exploiting this hole can do and start deleting files.

      I think KOffice's and SO's developers learned from MS and would decide to not allow such possibilities.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    2. Re:Scripting and office suites by tshak · · Score: 2

      Actually, .NET has a better chance of being secure for two reasons:

      1) Microsoft has said (real developers not marketing drones) that security was a huge focus of .NET.

      2) .NET is a brand new platform that is built from the ground-up. Running a .NET EXE is not like running a VB or C++/MFC EXE. It stands on its own, and is closer to a Java-like model when it comes to application execution (ala "Sandbox Security", etc.).

      Now, this doesn't mean that it's "airtight", but I believe that it will prove to be more resilient from a security standpoint.

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
    3. Re:Scripting and office suites by innocent_white_lamb · · Score: 1

      Kudos to MSFT for making a patch immediately available, ----> "immediate" being two months after the problem was first discovered and reported, according to the article. That's two months where everyone EXCEPT the "good guys" (that's you and me, bub) knew about this hole.

      I don't know about you, but that doesn't give me a warm fuzzy feeling.

      --
      If you're a zombie and you know it, bite your friend!
    4. Re:Scripting and office suites by grammar+nazi · · Score: 2
      It stands on its own, and is closer to a Java-like model

      Wow! That is particularly innovative of Microsoft to innovate Java's security model like that. After innovative years of claiming that Java's model was too complicated for innovative programmers, Microsoft has finally innovated upon their word and embraced the model. Now that's what I call real innovation!! Thank you Justice Department!

      --

      Keeping /. free of grammatical errors for ~5 years.
    5. Re:Scripting and office suites by JabberWokky · · Score: 3, Insightful
      KOffice uses external scripting rather than internal scripting - that is to say, the document contains no scripting information, but is a valid XML document, and the application has hooks for external programs to script internally. The concept is that any language, perl, python, ruby, C, C++, etc, can then access the document inside the KPart (and any embedded document inside that, or embed the document into itself). As far as this conversation goes, this flips the security problem back into the "open" - you're responsible for the applications you run, and they just all talk back and forth, there is no document based scripting as of now.

      --
      Evan

      --
      "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
    6. Re:Scripting and office suites by Darby · · Score: 1

      Kudos to MSFT for making a patch immediately available

      This word you use, I do not think it means what you think it means.
      From the article:
      The vulnerability was first brought to Microsoft's notice about two months ago by Symantec.

    7. Re:Scripting and office suites by Tony-A · · Score: 1

      Better chance, yeah. But is it a better enough chance?

      >>Now, this doesn't mean that it's "airtight", but I believe that it will prove to be more resilient from a security standpoint.
      Yeah, like with the available patches, IIS and outlook are now more secure than they were a few months ago.

    8. Re:Scripting and office suites by jeffy124 · · Score: 1

      kool! thanks for the clarification!

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    9. Re:Scripting and office suites by Cato · · Score: 2

      Autoload macros are the real issue - I have never understood why Microsoft didn't simply disable these completely. I can't see a valid use for autoload macros that couldn't be substituted by a button within the document that says 'click here to start'. Since 99% of Word, Excel and PPT docs would never have such buttons, it would be much more obvious to the user that something odd was going on. This wouldn't remove the problem but it would make it much harder for such viruses to propagate.

    10. Re:Scripting and office suites by edremy · · Score: 2

      And putting "Click here to see Pamela Anderson nekkid!" on the button wouldn't act the same as an autoload macro?

      --
      "Seven Deadly Sins? I thought it was a to-do list!"
    11. Re:Scripting and office suites by Cato · · Score: 2

      Yes, a button would be similar to autoload (as I mentioned), but at least a certain proportion of people would realise 'clicking a button means something will happen, maybe something bad' - most people don't expect viewing a document to cause something other than the doc appearing on screen.

  23. People abused by powerpoint by victim · · Score: 2, Interesting

    I was attending a presentation by some state officials last week. The presenter's Powerpoint presentation was set to autoadvance every 30 seconds or so and apparently they couldn't make it stop, so she had an assistant sit at the computer and back up the slide every time it jumped ahead prematurely.

    So who else has watched someone be victimized by powerpoint? Add your anecdote as a reply.

    1. Re:People abused by powerpoint by Anonymous Coward · · Score: 0

      no, but we might expect people using powerpoint to at least know how to use it. it's not microsoft's fault the dumbass didn't know how to use the program. linux dick up your ass again?

    2. Re:People abused by powerpoint by Anonymous Coward · · Score: 0

      Maybe the person just had no idea how to use powerpoint.... that is more common and likely than someone hacking the thing....

    3. Re:People abused by powerpoint by thrig · · Score: 1

      Sure, PowerPoint 98 (that's the Mac OS version) defaults to printing everything in "Black and White" until you find the stupid default hidden under the PowerPoint menu in the print dialog box. Don't know how many times an irate user has wandered in trying to get their color document to print color to the color printer. And due to the damnable binary preferences file format, you have to muck with the GUI on each client to fix the stupid default.

      Besides that, for fun, generate a .ppt on version X of powerpoint, then take it over to version Y, and see how different the "WYSIWYG" document looks between the two. We get a lot of similar printing/display problems in our heterogeneous environment.

  24. Excel worm seems unlikely by Adam+Jenkins · · Score: 2
    I don't understand how if as you say, Excel can't do communication like Outlook, that it can be so nasty? There have been viruses with payloads around forever.. Word macro viruses for what, about 6 years?


    Outlook/IIS have many holes; it is very rare that someone has bothered to write a worm that uses them. I personally won't be holding my breath for these exploits to be used in one. You aren't a reporter or AV person are you? :)


    That Microsoft advisory states that Macintosh versions are affected, yes. I doubt the OS matters much with viruses that rely on a macro language within an application rather than using the OS itself or its services to propagate.

  25. powerpoint by LazyDawg · · Score: 2, Insightful

    Powerpoint is about the only part of Microsoft Office worth keeping around. It used to be a mac app made by a third party, and for making up posters on Windows with a shoestring budget, you can't top it.

    More than Word or Excel, Powerpoint is the killer app for office. Once Linux makes up something as tidy, fast and easy to use, corporate acceptance will go through the roof, just BECAUSE suits like to spend time playing with their slides.

    --
    "Look at me, I invented the stove!" -- Ben Franklin
    1. Re:Powerpoint by BroadbandBradley · · Score: 2

      star office has ...I think it's called presenter... and it's got templates and walks you right through the whole thing. Koffice has something similar but I haven't tried it. IMHO both are acceptable alternatives to powerpoint.

    2. Re:Powerpoint by peccary · · Score: 2

      magic markers.

      Three colors: red, black, and green.

      With these and a stack of blank transparencies, I can go anywhere, and present a topic to any size audience, on any topic which I am knowledgeable about.

      The only thing this approach lacks is the VERY OCCASIONALLY useful photograph or map.

    3. Re:powerpoint by grammar+nazi · · Score: 1

      Actually, the spreadsheet program *is* the killer app that put the desktop computer into the corporation to begin with. Powerpoint is nice and is a value-added component of any computer office suite, but I believe that the spreadsheet application is a *necessary* component, thus Excel is the killer app of the MS Office suite.

      --

      Keeping /. free of grammatical errors for ~5 years.
    4. Re:Powerpoint by grammar+nazi · · Score: 2
      The only thing this approach lacks is the VERY OCCASIONALLY useful photograph or map.

      Although I agree about the occasional use of images/graphics/tables/charts, I think that markers and transparencies take longer to make presentations with.

      I can sit down and fire out a PowerPoint presentation in about 20 minutes. After that, I only need to make content related revisions until I give the presentation. Writing transparencies by hand would take much longer.

      --

      Keeping /. free of grammatical errors for ~5 years.
    5. Re:Powerpoint by Anonymous Coward · · Score: 0

      I work for a company that does a *lot* of Powerpoint work for some major companies (and the reason we're in demand is that we can make Powerpoint shows that don't _look_ like Powerpoint shows). We've looked into a lot of other presentation software, everything from Scala to Astound, and Powerpoint is the only one that is universally compatible with Office (:P), is fast to use (can get a hundred slides into a presentation within a reasonable amount of time), and has the features we need. Linux, unfortunately, is still a geek toy. I'd love to use it, but when it comes to graphics apps, it just ain't there yet.

      If I could, I'd drop Powerpoint in a heartbeat, but there just isn't anything else around that has just those few specific features we need :(

    6. Re:Powerpoint by Anonymous Coward · · Score: 0

      A complaint about Linux being a toy... from somewhere that makes electronic slideshows. Now that's irony.

    7. Re:powerpoint by Anonymous Coward · · Score: 0

      The unspoken marketing of Microsoft Office used to be "Buy Word and Excel, get PowerPoint for free". Word Processors and spreadsheets were universally deployed long before presentation software.

    8. Re:Powerpoint by txsable · · Score: 1

      Have you tried WordPerfect Presentations? It's in the WP Office 2K for Linux that came out several years ago, but works just fine....

    9. Re:Powerpoint by DarkPlatinum · · Score: 1

      Have you just never given any presentations that you needed to develop rapidly, or do you have some secret?

      In the rare instance I have to develop a presentation, I put my photoshop skills to work, and create slides to view in ACDsee. (when I'm using the Windows NT environment.) In the Linux environment, I use GIMP and Kwrite to quickly HTML presentation shows. After this, I usually use a web browser in full screen.

      For those who have no HTML skills, use Netscape Composer to place and link images. I've often thought of writing a C++/PHP script to preprocess a directory into a slideshow in HTML Form. That would be sufficient for me. Anything more than that, can't be "quickly" developed imho. (short of having mad multimedia skills, and doing no other job function.)

      --

      -- Vector --
    10. Re:Powerpoint by peccary · · Score: 1

      Well, actually, I only do this for stuff I'm making up on the fly.

      But that's only for presentations I don't have to give more than once. If I'm making a canned presentation to use repeatedly, I usually do that in HTML. The nice thing about HTML is I can edit it on a PDA. I try not to carry a laptop anymore, too much hassle.

  26. Re:This hole could be in more versions that listed by Chanc_Gorkon · · Score: 2

    If you have Office 97 or 95, there should be no Powerpoint hole because powerpoint does not have macros until Office 2000 and then Office XP. Just checked the help file cuz I happen to have Office 95 (it does what I want and is not as bloated as the new stuff....it's still bloated, just not as bloated as the latest stuff....).

    Gork

    --

    Gorkman

  27. Now *that's* a security "hole"... by Anonymous Coward · · Score: 0

    couldn't resist ;)

  28. Gerenal security bug rant by mgkimsal2 · · Score: 3, Insightful

    Others have said it in the past, and I'm starting to believe it more myself. I really think that many at large companies use default installs of Office as job security. No one can blame them entirely if there's a problem - after all, the IT guys themselves didn't write the viruses. Failing to keep up with patches released months earlier can be cause for problems, but if a virus just came out recently, or there's just no patch for it, then "It's not my fault!" is a very valid point.

    The 'job security' aspect comes in because *someone* has to go around and patch every machine. *Someone* has to go round and install/test new virus software. I think it's past being 'common knowledge' that *by default* most MS products install themselves pretty insecurely. So someone has to learn about how to lock down those products - then actually do it. It's job security, choosing products which you KNOW will require you to always be updating them.

    Yeah, I'm a bit overly cynical about this. I've met some people who really just think this is how computers are supposed to be - you're always playing 'catch up' to virus writers. The concept of prevention to them is installing the latest 'Norton' utility. Proactively analyzing the systems they have for potential vulnerabilities (turn off scripting on machines that don't need it, etc) just doesn't occur to them.

    I'll be the first to admit that StarOffice/OpenOffice have not been up to snuff in the past, and even the current versions may not be up to snuff for everyone, but they're getting better. SO6 and the next OO may in fact be solid enough to let *many* in an organization use those as their primary or only Office applications, and let the few people that need the MS-specific features keep using MS Office. Yes, there'd be some relearning costs - figure that gets covered by the savings in upgrade licensing for those people.

    1. Re:Gerenal security bug rant by reynaert · · Score: 1

      The sad thing is the majority of the people (especially the people in charge) don't really know anything about computers. They think it's normal computers crash once in a while. They think it's normal script kiddies, err, hackers can bring down their networks. For them Microsoft eq good and everything else is inferior. After all, we all use Windows, don't we?

    2. Re:General security bug rant by mgkimsal2 · · Score: 2

      Well, actually I do, but I don't use it exclusively. There are things better done in Windows than Linux, and vice versa - at least when you have a budget to work within. :)

  29. So, what do you use for presentations? by Anonymous Coward · · Score: 0

    cat? less? banner?

    Come on, Powerpoint is the de facto standard.. Don't expect millions of business users to jump through hoops just because 'M$ sux0rs'

    1. Re:So, what do you use for presentations? by sjames · · Score: 5, Insightful

      Come on, Powerpoint is the de facto standard.. Don't expect millions of business users to jump through hoops just because 'M$ sux0rs'

      Unfortunately, you have a point. Apparently, the billions of dollars wasted on cleanup after the MS exploit of the day haven't convinced enough people.

      Perhaps macro viruses need to touch on corporate hot-button issues in order for the suits to start thinking.

      Perhaps the sexual harassment virus. You get it and it starts sending sexually harassing email to your coworkers. If done well, the courts could be tied up for decades.

      The IP virus, looks for documents containing trade secrets, and quietly posts them to random usenet groups.

      Porn virus: Quietly downloads porn into your browser cache. Bonus points if the porn is illegal where you live.

      Carnivore virus. Sends suspicious emails to the targets of FBI investigations.

      Rootkit virus: Deploys a rootkit from your machine against a bank or government website. Instant felony.

      Please note! I don't condone any of these, I just recognise that so far the holes in MS products have been used primarily for childish pranks rather than for real damage.

      The least MS could do is at least TRY to limit the damage by putting macros in some sort of sandbox.

    2. Re:So, what do you use for presentations? by AtrN · · Score: 1
      The IP virus, looks for documents containing trade secrets, and quietly posts them to random usenet groups.
      We've already had that one. It's called SirCam. It's been mailing out corporate IP for a while now. Unfortunately I mustn't appear in enough Outlook address books, the most interesting thing I got was some poetry that had been submitted to a publisher (in a western state of the USA). After conducting some free "market research" for them my advice is, "Don't publish that crap poetry!"
    3. Re:So, what do you use for presentations? by victim · · Score: 2

      Whoa there AC! I don't recall saying people should not use Powerpoint. I was just asking about anecdotes of people failing to use it well.

      As a software developer, if large numbers of my customers can't figure out how to use my software, I have failed. I should review my interface or documentation and address it.

      As a presenter, if my presentation tool is distracting people from the message, it is failing.

      In the example of the `phantom forwarding presentation' the user was probably faced with a much more complicated tool than they really needed. That may point to the need for a default `simple' mode in the software.

      (I myself never use anything more than text bullets, and embedded diagrams that I generate elsewhere in a presentation. I use a presentation for communicating, not entertaining. And to be specific, I use AppleWorks. It is relatively feature free, but it does everything I've ever needed in an office suite except for log scales on graphs and it's free (as in beer).)

    4. Re:So, what do you use for presentations? by gimmie_prozac · · Score: 1
      Someone could develop a virus that gets into PowerPoint and obliterates those little stick figure illustrations (the lightbulb guy, the bomb guy, etc. - there's a word for them, but I forget what it is) that everyone uses to illustrate their slides and documents (our HR dept. used to stick those things on every handout, regardless of whether the stick figure picture had anything to do with the text).

      Corporate communications systems would be brought to their knees! That would get people's attention.

    5. Re:So, what do you use for presentations? by Anonymous Coward · · Score: 0

      I do consumer tech support, and when they find that clipart isn't installed by default in some OEM setups, they shit a brick.

      "WHAT??!?"

      "HOWEVER WILL I DO MY PRESENTATION?!!??"

      :/

    6. Re:So, what do you use for presentations? by Anonymous Coward · · Score: 0
      ...the holes in MS products have been used primarily for childish pranks rather than for real damage.

      Indeed, and sadly so. I have no idea why virus writers are so unimaginative. It's too easy is probably the reason. Like script kiddies defacing a web site... ok, we're in, now what? Uh, yeah, greetz to b0b. Idiots.

    7. Re:So, what do you use for presentations? by huckda · · Score: 1

      The least MS could do is at least TRY to limit the damage by putting macros in some sort of sandbox

      Yes, and then they should cover up the shit like a cat does in its sandbox.

      --
      "Just Smile and Nod." --Huck
  30. Time to use the wizard by Bender+Unit+22 · · Score: 1

    Time to use the "bad news" powerpoint presentations wizard. heh :-)

  31. Re:This hole could be in more versions that listed by rde · · Score: 1

    powerpoint does not have macros until Office 2000 and then Office XP
    I was writing powerpoint macros in Office 97 (possibly 95; not sure about that one).

  32. StarOffice NOW. by NetJunkie · · Score: 2

    Sun needs to get StarOffice 6.0 out the door NOW. Do it while Microsoft keeps getting bad press. I'm a Network Admin at a company with 200 employees and the guys before me never kept licensing info. So, I'm doing a license audit right now. We're either going to be buying a lot of Microsoft Office licenses, or looking for an alternative. I sure wouldn't mind bringing up StarOffice, if a real usable and supported version was out there.

    With the recent change in MS licensing policy NOW is the time for Sun to act and get their product in the door..

    1. Re:StarOffice NOW. by snoozerdss · · Score: 2, Insightful

      I'd much rather have Sun wait until StarOffice is a finished product rather than releasing it now while it is unfinished just to grab some M$ Office users.

      --
      Snoozer.
    2. Re:StarOffice NOW. by motherhead · · Score: 2

      if this keeps up staroffice is going to start selling for $600... but the good news is the upgrade will be only half that... put a little sticker on the side saying, "no talking paperclips/ no hidden remote access booby traps"... isn't it amazing how much people pay for shelfware with huge honking vulnerabilities built right in? how much has office made from people that never even bothered to install Access...

    3. Re:StarOffice NOW. by nusuth · · Score: 1

      "Do it while Microsoft keeps getting bad press." Don't worry, microsoft has been getting bad press for years and probably will for the foreseeable future.

      --

      Gentlemen, you can't fight in here, this is the War Room!

    4. Re:StarOffice NOW. by Anonymous Coward · · Score: 0

      StarOffice 6.0 beta is based on OpenOffice, the GPL release from StarOffice 5.2.

      This way, we can be sure that it is very difficult for Sun to get any money for StarOffice without a very good product (dictionaries, help, templates...) or very good support.

      So, if StarOffice earns money for this, the quality of the product would be a lot of times better than the M$ crap office suite.

      What really f***s people is to keep paying for nothing but a standard with no quality.

    5. Re:StarOffice NOW. by Tony-A · · Score: 1

      Bad press where the suits read it.
      The cognoscenti have long known that Microsoft is full of holes, several of which will not be fixed.
      Quick, how many people think that Code Red has been fixed and resolved?

  33. shocked! by Anonymous Coward · · Score: 0

    I am SHOCKED! SHOCKED I tell you! Microsoft products have holes? How can this be, when Microsoft has always only hired the most intelligent programmers, and the most talented engineers!?!? Clearly someone has made a mistake somewhere here, and it is clearly not Microsoft, as they are the most innovative (ie: best) corporation to ever exist. This slashdot place should be ashamed of itself for propagating these lies and mistruths clearly funded by the likes of Sun and IBM, those terrorist corporations.

  34. Powerpoint by Tom7 · · Score: 2


    I know it's popular to bash Powerpoint, but I have to say that's one product without any acceptable replacements on the linux side. ("Impress" does not. ;)) Have you just never given any presentations that you needed to develop rapidly, or do you have some secret?

  35. Oh goody... by allism · · Score: 1

    Now I have an excuse for my mistakes..."The baddies took over my computer and messed with the data!" I can't wait!

  36. Sun Problem by Anonymous Coward · · Score: 1, Insightful

    There's a fairly serious new exploit against Solaris machines. Read about it at SecurityFocus.Com (been there since Oct 4). Why do these never get reported here?

  37. Obviously... by Balinares · · Score: 5, Insightful

    You know, I think that if the former versions aren't vulnerable, they're not gonna tell you. They just can't take the risk to have people want to revert to older versions on the basis that they "work better", not when their business relies so much on people upgrading over and over...

    --

    -- B.
    This sig does in fact not have the property it claims not to have.
  38. Linus likes PowerPoint by Anonymous Coward · · Score: 1, Informative

    I know I've read it somewhere, I believe in an interview in Linux Journal from a few years back. Linus stated at the time that PowerPoint was one of the Microsoft products that he liked using.

    Not that it matters to me, but go ahead and knot up your undies in angst.

  39. Productivity by Phroggy · · Score: 5, Funny

    I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?

    How does that hurt productivity? You seem to be implying that the suit would be doing something productive if he weren't using PowerPoint.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Productivity by Anonymous Coward · · Score: 0

      The suit is gonna come to you, seeking help with every single idiotic nuisance of PowerPoint, Office, Windows, PC and computing in general...
      See, it's not *him* wasting *his* productive time, it's *him* wasting *your* productive time.

  40. Is this piece of news interesting? by Ipsilon · · Score: 2, Insightful

    All of us DO know that Micro$oft's programs are full of bugs and security holes, but I don't think we should post every security hole on slashdot. Everyone knows that M$ sucks, but please: don't post more stuff like this and concentrate on improving whatever is your open source operating system (Linux, FreeBSD, NetBSD, OpenBSD, etc.) because they have security holes too.

    --

    The opinions in this comment are subject to GPL, you can copy, modify and redistribute freely (as in speech).

  41. Re:This hole could be in more versions that listed by Chanc_Gorkon · · Score: 3, Informative

    Maybe something like recording keystrokes, but I was pretty sure there was no VBA in PowerPoint 95 and 97. The macro languages in Word and Excel were also incompatible because of minor differences in each. At least for the 95 version. In the 95 version, there was WordBasic for Word (subset of VB) and VBA in Excel (Visual Basic for Applications...another subset of VB). In Office 2000 (it could be 97, but I thought it was 2000) everything got a compatible macro language. Thus the recent blossoming of macro virii. Personally, I have PowerPoint installed, but don't use it much. Only people I have ever seen use this are suits and sales monkeys.

    --

    Gorkman

  42. Re:OFFTOPIC but important by Anonymous Coward · · Score: 0

    mouses?

  43. I don't get it by vrt3 · · Score: 2
    This is so f*cking stupid (excuse my lame language, but that's just how I feel about it). If I understand it correctly, the code that is responsible for executing the macros can find them, but the code that is responsible for finding them (in order to be able to ignore them), cannot find them.

    I could rant on and on, but I'm not going to because, in fact, there just are no words to say how braindead this is.

    --
    This sig under construction. Please check back later.
    1. Re:I don't get it by hearingaid · · Score: 2

      you are quite right. how could this happen?

      Execute-Macro-Code is written by Committee A (well probably Committee J through M, but you know :)

      Detect-Nasty-Macro-Code is written by Committee B.

      Closed source doesn't just apply to not letting outsiders see the source. With large projects like this, the philosophy is competitive: Manager A wants to look Better than Manager B. Thus, Manager A's techies are not allowed to talk to Manager B's techies. Result? Nobody gets to share code.

      One of the great benefits of open source is that it wipes out this kind of stupid, anti-productive competitiveness.

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  44. Re:OFFTOPIC but important by Anonymous Coward · · Score: 0

    You have been looking at too much porn if you see a woman's butt in those two mice! How do you know it wasn't a man's butt?

    geez!

  45. Re:OFFTOPIC but important by tijnbraun · · Score: 1

    Eduard III: "Honi soit qui mal y pense"

  46. An idea for Microsoft by AnimeFreak · · Score: 1

    Have a group of people proof-read the code before compiling it.

  47. Should I mod this funny or troll by Anonymous Coward · · Score: 0

    enough said.

    1. Re:Should I mod this funny or troll by joel_archer · · Score: 1

      Perhaps you should mod it as both. Or how about "food for thought." In any event, mod'ing it as "flamebait" only lends credibility to the comment's underlying truth.

  48. try HTTP by dragonfrog · · Score: 1
    Build a web page, using some suitably cookie cutter format. Put it on some server that your audience will have access to at home.

    Then, instead of having all this text, and forcing people to pretty much choose between writing it down, or listening to you, you can just say, "This is all on the web, at this address, so you don't need to write it down." I had a couple of profs do that, and it was sooo much better than all this powerpoint nonsense.

    Plus, with a browser, you can scroll back half a page, and let the slow writer in the room get that last figure, while you go on with the talk. With ppt, it's back the whole page, and wait for the one slow guy, or the hell with the slow guy and go ahead with the talk

    1. Re:try HTTP by Anonymous Coward · · Score: 0

      goddamn, maybe they would rather have you read to gather data and also discuss what you are reading with you. oh wait, you are another socially retarded slashdot fag. KUDOS TO YOU.

    2. Re:try HTTP by willis · · Score: 1
      In my recent experience, I found lectures presented off of long web pages to be very annoying. It was hard to figure out the position on the page, and it just bothered me. Don't know how to explain it.


      We also had a presentation/book that was based off of some framemarker something-or-other, and it was excellent...

      --

      there is no thing
      what else could you want?
    3. Re:try HTTP by pne · · Score: 1

      Plus, with a browser, you can scroll back half a page, and let the slow writer in the room get that last figure, while you go on with the talk. With ppt, it's back the whole page, and wait for the one slow guy, or the hell with the slow guy and go ahead with the talk

      Depends... a lot of presentations on the web are basically a converted slide show, so you'd have the same problems.

      Which reminds me how much I dislike documentation only coming in "slideshow" format where I have to keep clicking "next section" (I believe latex2html, or some such, is a popular culprit). Having everything in one big long page can be quite a bit easier to read IMO.

      --
      Esli epei etot cumprenan, shris soa Sfaha.
  49. It's amazing! by famazza · · Score: 2, Informative

    The most amazing thing about all these virii is that they all exist only due to one (and no more than one) function in the whole VBA language:

    • CopyMacro
    Maybe it has another name today, but it means exactly the same: copy a macro from one document to another. THAT'S AMAZING!!! Eradicating all these damn virii is much easier than eradicating malaria from a non-tropical country: kill all the vectors.

    That's right, we don't even need to kill the vector; all we need is to keep the vectors from infecting the host. This damn macro must not exist anymore!!!

    Simple as that, and M$ doesn't seem to want to solve the problem.

    --

    -=-=-=-=
    I know life isn't fair, but why can't it ever be un-fair in MY favor!?
  50. What I really want to know is... by BroadbandBradley · · Score: 2

    what makes a macro hidden? is it a malformed tag?

    1. Re:What I really want to know is... by MarkLR · · Score: 2, Interesting

      This is what's happening. Documents with macros have a flag set when they are saved. If the user has Load Documents with Macros turned off, Excel etc. will not load the documents. But if the document has macros and the flag is reset using a hex editor, the macros will load because only the flag is checked. You cannot assume that the only way to change the contents of a document is via an application; a hex editor works just as well.
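
The failure mode described in the comment above, as an added example that is not part of the thread and not Microsoft's code: a loader that trusts a header flag next to one that inspects the records that would actually run. The `TDOC` container, its flag bit, its record types and every function name here are constructed for illustration and are not the real Office file format.

```python
import struct

MAGIC = b"TDOC"          # constructed toy format, not a real Office layout
FLAG_HAS_MACROS = 0x01   # header bit the "application" sets on save
REC_TEXT, REC_MACRO = 0x01, 0x02


def build_doc(text, macros=()):
    """Serialize a toy document the way a well-behaved application would."""
    flags = FLAG_HAS_MACROS if macros else 0
    out = bytearray(MAGIC + bytes([flags]))
    records = [(REC_TEXT, text.encode())] + [(REC_MACRO, m.encode()) for m in macros]
    for rec_type, payload in records:
        out += struct.pack(">BH", rec_type, len(payload)) + payload
    return bytes(out)


def parse(data):
    """Return (flags, records); reject malformed input instead of guessing."""
    if len(data) < 5 or data[:4] != MAGIC:
        raise ValueError("not a toy document")
    flags, pos, records = data[4], 5, []
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated record header")
        rec_type, length = struct.unpack_from(">BH", data, pos)
        pos += 3
        if pos + length > len(data):
            raise ValueError("truncated record payload")
        if rec_type not in (REC_TEXT, REC_MACRO):
            raise ValueError("unknown record type")
        records.append((rec_type, data[pos:pos + length]))
        pos += length
    return flags, records


def decide_by_flag(data, macros_allowed):
    """Weak check: believes whatever the header says about the content."""
    flags, _ = parse(data)
    if flags & FLAG_HAS_MACROS and not macros_allowed:
        return "block"
    return "load"


def decide_by_content(data, macros_allowed):
    """Hardened check: looks at the same records the macro engine will walk."""
    flags, records = parse(data)
    has_macro = any(rec_type == REC_MACRO for rec_type, _ in records)
    declared = bool(flags & FLAG_HAS_MACROS)
    if has_macro != declared:
        return "block: header flag disagrees with content"
    if has_macro and not macros_allowed:
        return "block"
    return "load"


def macros_that_would_run(data):
    """What the executing side sees: it walks the records, not the flag."""
    return [payload.decode() for rec_type, payload in parse(data)[1]
            if rec_type == REC_MACRO]


def clear_flag(data):
    """A one-byte change made outside the application, as the comment describes."""
    return data[:4] + bytes([data[4] & ~FLAG_HAS_MACROS & 0xFF]) + data[5:]


if __name__ == "__main__":
    saved = build_doc("Q3 numbers", ["AutoOpen: constructed sample macro"])
    edited = clear_flag(saved)
    for name, doc in (("as saved", saved), ("flag cleared", edited)):
        print(name, "| flag check:", decide_by_flag(doc, False),
              "| content check:", decide_by_content(doc, False),
              "| macros present:", len(macros_that_would_run(doc)))
```

The point for a defender is that the policy decision and the execution path must read the same data; a mismatch between the declared flag and the actual content is itself a reason to refuse the file.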

  51. Office Updater by alanjstr · · Score: 2
    For versions of Office 2000+: Office Update Wizard.

    Be forewarned, though, that even WindowsUpdate doesn't list ALL of the patches that are out.

    1. Re:Office Updater by adam6 · · Score: 0

      Could you tell me where I can get all of the patches listed?

  52. REAL pornography on slashdot advertisement by Anonymous Coward · · Score: 0

    The rackspace ad. Blatant group sex, guy inserting a dildo into a woman's mouth, nothing less.

    1. Re:REAL pornography on slashdot advertisement by Anonymous Coward · · Score: 0
      I particularly like the caption that goes along with that ad: "You never cease to amaze me with your speed and flexibility!"

      LOL

  53. Re:This hole could be in more versions that listed by grammar+nazi · · Score: 2
    Only people I have ever seen use this are suits and sales monkeys.

    ...and students, engineers, IT management, teachers, researchers, training staff, etc.

    Just because you haven't seen people use PowerPoint doesn't mean that it doesn't get used. I can't help that your job/experiences don't include presenting/being presented information to/from others.

    Good presentation software is invaluable to business and education. Just because some people waste hours with screen swipes, cheesy clip-art, and other useless crap doesn't mean that it's not useful. Once I have my content finalized, I can whip up a decent looking presentation in PowerPoint in about 1/2 hour... faster than I could ever do it by hand.

    --

    Keeping /. free of grammatical errors for ~5 years.
  54. Openoffice scripting ? by hack0rama · · Score: 2, Interesting

    Does OpenOffice support scripting similar to the macros in MSOffice? If so, would it be possible to see similar issues with OpenOffice as well?

    It may not be as bad on Linux/Unix because of the user processes not getting access privileges to do anything nasty, but OpenOffice has a windows version as well.

    If there is a sizable installed base of OpenOffice, then maybe you can imagine OpenOffice script worms doing annoying stuff with user files/mails.
    And if your friendly Mozilla/Kmail/Evolution/PINE mail tool has the MIME type set to open with OpenOffice then it can spread the worm around.

  55. Slashdot = Bin Laden for Geek's by WildBeast · · Score: 0, Troll

    Really I mean, Bin Laden is jealous of the U.S. because it's a successful and powerful country that made a few mistakes (which he keeps on talking about) yet doesn't do much to help his people. Same goes for Slashdot, they're afraid of MS because it's a successful and powerful company who happened to make a few mistakes (they keep on talking about them) and do very little in order to help with Linux issues. If you look closely you'll see that very few of their articles talk about Linux.

    1. Re:Slashdot = Bin Laden for Geek's by Boing · · Score: 1
      Godwin's Law Revisited

      As any Usenet or Slashdot discussion thread created after September 11, 2001 grows longer, the probability of a comparison involving Nazis, Hitler, or Osama Bin Laden approaches one.

  56. Somebody tell the suits what this costs by BroadbandBradley · · Score: 4, Informative

    I work for a BIG company, (fortune 500) that runs MS Exchange server for mail. We recently upgraded from 95 to 2000 just a few months ago. (support for our working Win95 system having been discontinued by MS) The overhead created by all the security stuff running on the network has created lots of problems. Email is no longer 'realtimeish' meaning it may take 1/2 hour to receive a message sent across our network. When right clicking in my browser window, it takes about 5 seconds for a menu to open (pentium III 500 128meg ram). My home pc runs Linux, and outperforms my work computer at about half the hardware (PII 266)
    IT has been trying to figure out how to fix the mail delays for a few months now with no progress, and I don't think they even care that it takes me so long to perform functions in the browser, but most of my work is done in web-based tools. MS has the world by the nuts, and they're milking us all!!! at least in my home I still have a choice.

    1. Re:Somebody tell the suits what this costs by Anonymous Coward · · Score: 0

      Poorly configured software/inadequate hardware is your tech people's fault.

    2. Re:Somebody tell the suits what this costs by BroadbandBradley · · Score: 2

      I agree, (it shouldn't be that hard) but it just illustrates that using MS means running all kinds of extra tools to detect virus and this overhead not only slows things down but complicates things. setting up your windows network might seem easy, but keeping it running with all those 3rd party security apps is where it isn't worth it.

    3. Re:Somebody tell the suits what this costs by Anonymous Coward · · Score: 0

      You really can't blame Microsoft when even you admit that it's 3rd party apps that are causing the problem.

      Hint: turn off your virus scanner's "auto-protect" or whatever it's called. You'll notice a 50% speed increase, easy. And demand at least 256MB of RAM if you're doing development work -- 128 isn't reasonable for Windows 2000, as the OS takes 64MB and Outlook takes 32MB. Add Word and 5 browser windows into that and you're caching constantly.

    4. Re:Somebody tell the suits what this costs by Anonymous Coward · · Score: 0

      The solution is just not to let retards who don't have a clue handle MS Exchange. You probably know how to set up a sendmail cluster to handle 500 persons mail or at least I hope so. Just because you know how to make a mess of a 2000 set of machine doesn't prove the product is crap. Plus... whose idea was it to run a corporate network on 95 machines ? Is NT4 foreign to you ? Using a gaming OS to run a corporate network sure was a smart idea.

    5. Re:Somebody tell the suits what this costs by ville · · Score: 1

      In my previous work place, the day an anti-virus program was installed to my computer IE started to take really long time to display the right-click menu.

      Removing the anti-virus program brought back the speed. I think the program we used was F-Secure Anti-Virus.

      // ville

    6. Re:Somebody tell the suits what this costs by BroadbandBradley · · Score: 2

      what has happened is that most people (end users trying to get work done) just turn off the virus scanner. it's not worth it, I'd rather get a virus. and along those lines, the only mail I get is from others in the corp, through exchange, which should remove virus anyhow, (most of them are powerpoint). I keep telling them I'd like to switch to linux, and they say "yeah that'd be nice" ...not this year, but I'll keep asking.

  57. Emacs security flaws. by Ungrounded+Lightning · · Score: 5, Interesting

    Emacs does include some features that are equivalent to these sort of macros. They are disabled by default

    And they used to be enabled by default - which was a big vulnerability if you used them as a mail reader or netnews reader. A simple string embedded in the letter or posting could do anything YOU could do in emacs - which means anything you could do from a shell, too.

    Fortunately the first well-known public exploit was a netnews posting demoing the bug by popping up a window and telling you how to turn it off. The default was changed in the next release.

    The days of the MIT AI lab were a more innocent time. To keep the students from crashing the machine they made it trivial - with a well-documented command to do it. The idea being that if there were no reputation points to be earned by "finding a way to crash the machine" but lots of negative ones to be had by annoying the other students, everybody would get bored with it quickly. Stallman continued the tradition later by having no root password on his personal machine for quite a while.

    Unfortunately, about one person in a hundred (one in 50 to one in 200) is a psychopath - a person with a brain problem analogous to color blindness that amounts to "no conscience". Some fraction of these don't compensate by learning that hurting others is bad for number one and becoming "good" by deliberate effort.

    So when you have hundreds of millions of people on the internet, you end up with a few "black hat" hackers and a host of script kiddies. So the days of innocence (and Stallman's open root account) are long over.

    Now internet-connected computers hold information of value that can be stolen and run mission-critical functions for businesses with cutthroat competitors. So a management order to install mass-market software with a history of well-known major security holes has graduated from administrative cluelessness to a severe breach of fiduciary duty.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  58. Patch kills Keyboard? by dragons_flight · · Score: 2

    For the moment, I'm choosing to believe this is some freaky coincidence, but here's what happened.

    I shut down extraneous programs, installed the new patches and several others from office.microsoft.com. After installing the patches it tells me I need to reboot, so I click on the happy little button. In the process of rebooting stuff starts to misbehave and hang. After killing several "not responding" processes, the computer does manage to shut itself down.

    When it comes back on, I find that my keyboard is dead! Not only will the computer not accept keyboard input, but it appears like it has no power at all. The little Caps Lock, Num Lock, etc indicator lights are off and won't respond. Mouse and everything else appears to work fine. So now I shut down my computer entirely, unplug and replug the keyboard, and power it all back up. This time everything works with no problems.

    Little freaky I must say. Never had anything quite like this happen before.

    1. Re:Patch kills Keyboard? by shepd · · Score: 1

      You don't happen to have an A7A266 motherboard do you? This happens with mine whenever it doesn't reboot properly...

      It doesn't happen on the scores of other win systems I've toyed with. Methinks it's a BIOS thing.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    2. Re:Patch kills Keyboard? by Anonymous Coward · · Score: 0

      This happens to me occasionally too, just by rebooting. Sometimes the keyboard will not be functional. A reset is all that's needed to get it back, but it's annoying, and, frankly, like you said, freaky, just shouldn't happen. The mouse, which is plugged into the keyboard (all USB) never has any problems...

  59. MicroSoft? by icedcool · · Score: 1

    Well geez.. these guys are their own worst enemies, with all the virii going around taking down IIS servers and people advocating to go to apache for your server. They've now hit upon the common user's desktop. I wonder what the new desktop they will suggest ;). Go microsoft!

    --
    Most people aren't thought about after they're gone. "I wonder where Rob got the plutonium" is better than most get.
  60. What I find interesting are... by Qwaz · · Score: 0
  61. Source of Lax Security by _Sprocket_ · · Score: 3, Insightful


    I really think that many at large companies use default installs of Office as job security.


    I have done infosec in both a large funding-limited US government agency, and a well-funded network-savvy corporation. I'd like to suggest a different reason lax security exists: funding.


    In both cases, I saw that the IT support infrastructure (sysadmins, architects, desktop support, etc) were underfunded compared to the amount of new tasks and upkeep they were presented. These folks worked tirelessly just to keep their heads above the workflow. Security often added additional effort / steps / work to their already overwhelming load.


    In the Gov't environment, this meant security practices were often ignored. Security was considered an additional effort, and the IT groups were not funded for it. Furthermore, there were few security experts (again - they were not funded for and rarely sought out). Often IT workers were oblivious to security practices to begin with.


    In the well-funded corporate environment, implementing security practices involves a great deal of fighting and compromise. There was a well-funded infosec group who championed good security practices. However, the actual admin groups (who were otherwise excellent admins) were rarely knowledgeable (or focused) on security issues. Their focus was simply to get things working. Thus, sometimes good security practices went into place... sometimes security practices were compromised away... sometimes security practices were completely ignored.


    It might be worth making another observation. I used to believe good security practices are just a part of being a good admin. I've changed my mind. It is a sign of an exceptional admin. A good understanding of infosec issues requires additional training and understanding that goes beyond the usual realm of administration. Infosec is a specialized skill. As such, those with knowledgeable admins should count themselves lucky. Most organizations will need to hire (or contract) infosec specialists whose focus is on secure (and workable - that's sometimes a tough tradeoff) implementations.

  62. Why the hell is this getting posted by Anonymous Coward · · Score: 0

    Who the hell cares if there is some security flaw in PowerPoint and Excel? Who cares about 90% of the Microsoft stories that get posted here? They aren't getting posted so that people are informed and can go patch their system, that is for sure. Near as I can tell the only reason any of this ever gets posted is so that the Linux community can point and laugh. Are we so insecure about our operating system that we have to point out every single problem with the competition? Microsoft hasn't fallen that low yet, and the sad truth is that Linux has its share of flaws as well. Now before I go I am going to fill all of you in on a little secret. Microsoft has written more code than any other company on earth, it's only logical that thus they would have the most bugs. Now go back and post actual news for nerds instead of every Microsoft entry on BugTraq. I am tired of this crap.

    1. Re:Why the hell is this getting posted by Qwaz · · Score: 0

      I'd rather read about that than the billion "Linux is going to be on next TI 4000 calculator" stories that this place has become.

  63. What about the viewers? by Brett+Glass · · Score: 1

    Microsoft publishes free viewers for PowerPoint and Excel files. There's no mention in the advisory of whether these are vulnerable or not. Are the viewers safe?

  64. Re:StarOffice NOW. I just got the beta and love it by Anonymous Coward · · Score: 0

    SO 6.0 beta is released and I am impressed. Previous Excel and Word documents that SO 5.2 could not handle are no longer a problem. Speed improvements too, since individual applications start independently. I am converting my company (70 users) over to Star Office in the very near future.

    Great job, Sun.

  65. Re:This hole could be in more versions that listed by TheMidget · · Score: 2
    Only people I have ever seen use this are suits and sales monkeys.

    ...and students, engineers, IT management, teachers, researchers, training staff, etc.

    • Students, maybe, especially if they are marketing students...
    • Engineers? Maybe, the same kind of engineers that build schools out of cardboard.
    • IT Management? Yes, that's IT management, i.e. suits. I doubt that the developers, system engineers, designers etc would use that piece of shite.
    • Researchers? Nope, those use latex or slitex.
    • Training staff? Suits too.
    I can't help that your job/experiences don't include presenting/being presented information to/from others.

    Just because you need to do a presentation does not mean that you have to do it using crappy software.

    Good presentation software is invaluable to business and education.

    Yes, good presentation software is invaluable.

  66. Ummm... yeah by mickeyreznor · · Score: 2, Insightful

    Ever think that this article might be useful for those readers on /. who use Windows that don't have the time to sift through Microsoft press releases, or other news sites? Sure, lots of MS bashing results from articles like this, but some people will actually get informed and will download the necessary patches because of it.

    As for the lack of Linux articles, I think I disagree.

  67. YABFU (Yet Another Bill Fuckup) by PingXao · · Score: 1

    Once again we have MS telling its "customers" that older versions are no longer supported. IOW, Bill says: Fuck You

    They refuse to address the problems associated with older versions of PowerPoint and Excel. They are saying: "If you don't pay us money to upgrade then it's your fault if you get burned."

    At some point someone should investigate whether this is a pre-meditated strategy on Bill's part. They know there are security holes - they may actually put them in there on purpose - and they refuse to fix them unless they are paid. Unacceptable.

  68. Re:This hole could be in more versions that listed by grammar+nazi · · Score: 2
    On your point about Systems Engineers, I was a systems engineer within Lockheed Martin and we used Powerpoint for presentations AND for drawing flowcharts, requirement diagrams, requirement analysis charts. I wasn't a suit either. I was a peon systems engineer and it wasn't my choice as to whether we used powerpoint or Dia (my preference) or some other package.

    Most researchers don't use LaTeX for presentations. I would venture to guess that most Physics and Math professors don't even use LaTeX for presentations. I've seen some LaTeX presentations and I've even made one. It is my opinion that WYSIWYG is much more important for creating slides than it is for creating a document.

    --

    Keeping /. free of grammatical errors for ~5 years.
  69. Is this quote from Symantec or Microsoft? by pjrc · · Score: 2
    My favorite quote in the article is:

    It would require an attacker with a good understanding of the software and how Microsoft file formats are structured to exploit the hole

    Somehow I suspect that line came from a Microsoft PR guy and not Symantec. After all, they know that any script kiddie will be able to easily exploit the hole once a single expert writes the script/program to generate or modify a XLS or PPT file that skirts the security checks. Even Microsoft should know this, but a PR guy's job is to gloss over how serious the problem really is.

    My second favorite quote, immediately after it, reads:

    The vulnerability was first brought to Microsoft's notice about two months ago by Symantec.

    TWO MONTHS! I suppose Microsoft had their hands full with all these other worms/virii. Two months to respond to a major hole and write the patch is a great indication of how seriously (not!) Microsoft takes the security of their customers.

    1. Re:Is this quote from Symantec or Microsoft? by c4thy · · Score: 0

      Or maybe it's Symantec saying that ppl from Microsoft are using it for a backdoor

      --

      i am convinced that "/.ers" are homosexuals and imma make that my "sig"
  70. This is what I found most interesting... by nullnvoid · · Score: 2, Interesting

    From the story:

    "The vulnerability was first brought to Microsoft's notice about two months ago by Symantec."

    Microsoft has known about this vulnerability and has taken two full months to warn users? Disturbing, if not surprising.

  71. Re:This hole could be in more versions that listed by Anonymous Coward · · Score: 0
    Just because you haven't seen people use PowerPoint doesn't mean that it doesn't get used.

    Yes it does!
    I can't help that your job/experiences don't include presenting/being presented information to/from others.

    Yes you can!
    Once I have my content finalized, I can whip up a decent looking presentation in PowerPoint in about 1/2 hour... faster than I could ever do it by hand

    He-Man and the Web Masters of the Universe go to battle ObviousVore -- who will win?!?!?
  72. A minor observation by Scoria · · Score: 1

    Usually, a "Microsoft _______ has holes" story would have 400 to 700 comments by now.

    Is it possible that the Slashdot community is actually more interested in today's attack on the Taliban/Osama bin Laden than a security vulnerability in a Microsoft application?

    --
    Do you like German cars?
  73. Re:This hole could be in more versions that listed by grammar+nazi · · Score: 1

    I stand corrected.

    --

    Keeping /. free of grammatical errors for ~5 years.
  74. parent == funny! by Anonymous Coward · · Score: 0

    LOL! Great idea, I *hate* those stupid puppets...

  75. Re:This hole could be in more versions that listed by skuenzli · · Score: 1
    I am a Systems/Software Engineer at Motorola and we use presentation software for things like:
    • project overviews
    • design reviews
    • status updates
    • presentation of findings to other engineers, mgmt, users
    As an engineering student, I used Powerpoint for the same tasks. I would suspect that a great many engineers use presentation software like Powerpoint for the same things I do.

    Access is fairly braindead, Word auto-mangles my documents, and Outlook is just dreadful IMO in terms of efficient correspondence, but I'm quite productive in Powerpoint and Excel as long as I keep the paperclip at bay (this is the '97 suite -- keep 2000 far, far away except for Outlook).

    You seem to have a very narrow view of the responsibilities given to an engineer, researcher, trainer, etc. In today's world, engineers (and the rest of the people you listed) are asked to 'do it all' and that includes communicate with others.

    Regards,
    Stephen

    P.S. On-topic content: IT should turn off macro capabilities as a matter of course. The functionality should not even exist in Word/Ppt/Excel installations. It's probably necessary in Access given the limitations of BillGSQL.
  76. ImPress, MagicPoint, KPresenter, PSSlides, by nilonaut · · Score: 1

    OperaShow ....
    I have to choose a way to make several presentations, using material that's now in TeX, HTML, jpg. Any qualified recommendation (somebody who actually tried some of the above) would be highly appreciated.

  77. staroffice by sewagemaster · · Score: 1

    will this affect staroffice users?

  78. Whoa there, logged-in brave one! by Anonymous Coward · · Score: 0

    Microsoft, as a software company, has been on the forefront of trying to make adaptive, intuitive software for many years. Unfortunately they have failed, miserably.

    From menus where unused items 'go away', to modal paperclips that take over your screen, they really haven't come up with a good idea for UI.

    Of course this just proves how tough it is to make software that is truly nice to use. While MS has its faults, it would be naive to say that they don't spend the most money and time on researching software that is easier to use.

  79. perhaps a new category? by hearingaid · · Score: 2

    many /. readers are in tech support, maintaining M$ machines at work. these articles are useful: they serve a practical purpose.

    however, maybe a new category for tech-support issues would be good.

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  80. HTML presentations are good and right by yerricde · · Score: 1

    Once I have my content finalized, I can whip up a decent looking presentation in PowerPoint in about 1/2 hour... faster than I could ever do it by hand.

    Once I have my content finalized, I can whip up a decent stylesheet using the CSS features of IE 6 or Mozilla and then put your slides in one HTML page with a 10 inch BR between slides and an A NAME on each slide for navigation. HTML+CSS is by nature a WYSIWYM system (what you say is what you mean), but tabbing from emacs/vi/notepad to mozilla and then clicking refresh gives you instant WYSIWYG feedback. No proprietary crap (w3c's proposed policy will NOT turn core elements such as html and css into RAND patented standards), no viruses, less disk footprint, network transparency (view your presentation from anywhere), and easy conversion to handouts (just change stylesheets).

    --
    Will I retire or break 10K?
    1. Re:HTML presentations are good and right by grammar+nazi · · Score: 2
      That's a good way to do it. What about printing? Can you print those onto transparencies without the 10" BR screwing things up?

      I'm not trying to say that you have a bad idea. I am genuinely interested in doing what you said, but I want to make sure that I can print a copy of the slides in case I can't use the computer during the presentation.

      --

      Keeping /. free of grammatical errors for ~5 years.
    2. Re:HTML presentations are good and right by Nater · · Score: 2

      What about printing? Can you print those onto transparencies without the 10" BR screwing things up?


      Sure, just make up a stylesheet that causes your presentation to be printable, call it "printable.css" and then switch that one occurrence of the string "presentable.css" to "printable.css" in your presentation when you want to print it.

      --

      I like to play children's songs in minor keys.
      "We're all sons of bitches now." --J. Robert Oppenheimer

    3. Re:HTML presentations are good and right by unapersson · · Score: 1

      Sure, just make up a stylesheet that causes your presentation to be printable, call it "printable.css" and then switch that one occurrence of the string "presentable.css" to "printable.css" in your presentation when you want to print it.



      Wouldn't:

      <link rel="stylesheet" type="text/css" media="screen" href="presentable.css">

      <link rel="stylesheet" type="text/css" media="print" href="printable.css">



      be a lot easier? When it's viewed on screen you get one stylesheet, when it's printed it uses the other.



    4. Re:HTML presentations are good and right by Anonymous Coward · · Score: 0

      I'm curious if you actually did this or are just thinking about it. Because, in my experience, trying to get any control over printing from current web browsers is fraught with huge problems.

    5. Re:HTML presentations are good and right by Nater · · Score: 2

      Just musing... I very rarely print anything. Maybe two or three pages per year.

      --

      I like to play children's songs in minor keys.
      "We're all sons of bitches now." --J. Robert Oppenheimer

  81. Re:fnp! by Joseph+Goebbels · · Score: 0

    That's... that's... beautiful!
    Thank you.

    --
    Has it been 72 hours yet?
    jgoebbels@propaganda.gov.3r
  82. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  83. Moron? by srichman · · Score: 1
    I would expect nothing less from Microsoft. A secure program never gets released because you might never need to upgrade, and you won't need patches. In fact, I wonder if they maybe don't actually make sure that stuff isn't totally secure and bug free.
    I would have dismissed this as a troll, but it's been modded up, so now I feel compelled to reply.

    How is it advantageous to Microsoft to get people to download free patches? Why would they willfully leave security holes in their software to force people to download free patches? They like incurring extra development expense, extra load on their servers, and paying for extra bandwidth?

    1. Re:Moron? by unitron · · Score: 2

      Wasn't Microsoft one of those companies that used to address some bugs in their software by saying that it would be fixed in the next release? In other words, if SuperPackage Version 2.0 that you spent a lot of money for doesn't work right or if you upgraded to 2.3 to fix it and that broke something else, you should rush out and spend more money as soon as SuperPackage 3.0 hits the shelves in order to correct the problem 'cause you done got all the tender lovin' care you're gonna get out of us 'til we get some more of your money.

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    2. Re:Moron? by Anonymous Coward · · Score: 0

      I noticed that MS free patches don't support fairly recent versions of Excel and Power Point. What's the recommended fix for those users? Upgrade, of course.

    3. Re:Moron? by Anonymous Coward · · Score: 0

      I bet if I were to go into the Slackware newsgroup and start carping and whining about the significant bugs in Slackware 3.6 (i.e. the fact that it doesn't install a Root password or even inform the user that s/he should HAVE a root password) that I would be told to shut up and use a newer release.

    4. Re:Moron? by knorthern+knight · · Score: 1

      Two questions...
      1) How much would it cost you to legally obtain the latest version of Windows (XP)?
      2) How much would it cost you to legally obtain the latest version of Slackware ?

      'nuff said

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
  84. Re:This hole could be in more versions that listed by Anonymous Coward · · Score: 0

    Once you have your content finalized, all you can do is subtract value by imposing one linear graphical rendering over what could have been a useful document.

  85. Re:This hole could be in more versions that listed by nihilogos · · Score: 2

    I can't speak for other fields but powerpoint is becoming very popular in the physics community, and I have seen some damn good presentations done on it. Most of them done by people who have forgotten more about *nix than you'll ever know.

    I would love to hear about alternatives, but right now powerpoint is the best presentation software I've seen and I have a win2000 partition especially for it.

    --
    :wq
  86. Re:Microsoft! by Anonymous Coward · · Score: 0

    Well geez.. these guys
    Well gee, these guys
    or
    Well, gee. These guys

    there
    their

    virii
    viruses

    advicating
    advocating

    apache
    Apache

    apon
    upon (but it's superfluous in that sentence)

    users
    user's or users'

    what the new desktop they
    which new desktop they

    Go microsoft!
    Begone, Crimo$oft!

    icedcool (jchurch@linuxmail.org)
    troglodyte (is not allowed to use textual media)

    It hurts when I see a language abused like in the parent message, and English isn't even my native language.

  87. Not Moron - They also want you to upgrade by brassrat77 · · Score: 2

    Many people may have held off upgrading because Office 97 does everything they need. MS states in their bulletin that Office 97 is an unsupported product. So to get "support" for any fixes to this bug, they must buy Office XP now. (and then download the patch.)

  88. Re:fnp! by Joseph+Goebbels · · Score: 0

    ...but you have to learn how to spell "Wessel".

    --
    Has it been 72 hours yet?
    jgoebbels@propaganda.gov.3r
  89. Modifying Asimov's first law of robotics by NZheretic · · Score: 2, Informative

    Microsoft's design choice not to include restrictive mode execution environments (also known as "sandboxing") similar to Javascript or Java's applets for Microsoft's embedded scripting puts users at risk when viewing almost any distributed Microsoft document format.

    I posted the following in various usenet groups last year. Given the recent events it is well worth the read...

    Subject: Microsoft Applications Security
    Date: 2000/05/28

    http://groups.google.com/groups?selm=slrn8j2cen.pns.heretic@localhost.localdomain

    "This continued virus threat is not ONLY an email or Outlook problem it extends to all Microsoft Office products, Microsoft's Internet Explorer as well as a lot of third party software for the Microsoft OS platforms."

    Even with all the patches, anti-virus scanners and proxy firewall, it will not stop the average user clicking on an embedded https:// URL link in an email and downloading and opening a Microsoft format document with an embedded script containing a new "unknown" virus/malware.

    Office users share documents over the net all the time, the inclusion of executable blocking, "run script" dialogs and digital script "signing" is a big improvement, but it all can be circumvented by a little social engineering.

  90. Yes. StarOffice NOW. by wirefarm · · Score: 3, Insightful

    Sun should be shipping this puppy AOL-style - Glue it in the back of every computer magazine out there. Load up the Windows version and the Linux version on the CD and pump them out into the hands of the public. For now, even the latest betas - they seem rock solid - plus, I'm sure people wouldn't mind updating in a few months, if they need.
    Why exactly isn't this on the CDs of every distro, too? This should be there, as well as Mozilla.
    Those two programs probably make Linux more desktop-worthy than any others, at least for people coming from a Windows environment.
    If you're not really familiar with them, I wrote some pages on the subject - click my sig.
    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  91. Job security, overload, and the scope of the prob. by sharlskdy · · Score: 2, Insightful

    One of the sources of insecurity is the fact that many of these programs run at the same security level. The security model in Windows NT is a pretty good one, but how useful is the system if you run as a normal user? How many of us run with Administrative privileges on the system? How much work is it to set up a new application to work as its own user and then communicate with other applications running as services, authenticated as other users? It's not simple, because many applications seem to assume that they have the right to run as Administrator.

    It's a good idea to run things as Least Privilege, where a process only has enough rights on the system to do what it needs to, and nothing more. The downside to this is that you have to understand everything the application does. That takes a lot of time and effort, and how often in your average-sized business is there a computer geek on staff who has the time to devote to figuring out how to install the app with just enough privileges so it will run, but not so many that it is a security risk? Seriously, how much time does something like this take?

    I know it took me years of thinking about it to understand the guts of Windows 9x, and understand and appreciate how it worked so I could get it to do what I wanted it to. Not because I'm not smart enough to figure it out, but just because there was so much other stuff going on that was urgently needed that I didn't have the time to sit down and figure it out. Gradually, bit by bit, I did figure it out. Not just what the software does, but how it works, why it does what it does, what the implications are for configuring it in a certain way and then deciding how to implement it. A similar scenario was encountered with Windows NT and 2000. Just in time for the Windows XP system to come along, with a new set of rules.

    There is a hideous amount of complexity involved with these operating systems, each with their own quirks and behaviors, and understanding everything well enough to be able to dig around in the guts and know what's going on and know how to lock it down is way more than one person can comfortably do if they are doing anything else on the job.

    I don't believe there is any magic bullet solution to this, either. There are common practices and techniques that help with securing your network, but there is no lock-n-load solution. We have found tools that help us along the way, but they only help to implement the strategy - they are not the strategy themselves.

    It's easy to blame Microsoft, because everyone is running their software. That's their own fault - they've monopolized the marketplace such that everyone uses the same platform. Consequently pretty much everyone is vulnerable to the exact same set of vulnerabilities. Any other common platform will likely have vulnerabilities that can be exploited. I'm not convinced that there isn't a code-red like vulnerability out there for Apache, but Microsoft has been targeted. (On the other hand, it's clear that there are significant problems inside IIS, and as a manager I wonder if they shouldn't dump the source code and start from scratch with better coding practices.) I can recall that Apache *did* have a number of exploits a number of years ago, but many of these have been dealt with in the intervening years.

    In any case, I don't think it's either carelessness or incompetence, but marketing. Software under Windows tends to be devastatingly easy to install (compared to Linux, Unix, NetWare and other environments). Mac may be easier. But, just because the software installs easily, does not mean it installs securely. Currently, ease-of-use, ease-to-install and security are at odds with each other.

    The argument has been made to get applications to install with least privilege by default. It's a good design goal, but I wonder if application developers will ever have that as a fundamental design goal for their software. Usually it's a major accomplishment when the silly thing compiles!

  92. 97 is Unsupported?!?!? by wirefarm · · Score: 2

    I'll admit that I haven't used Windows in a while, but I can't imagine that Office 97 is really unsupported.
    People put up with that crap?

    OK... Here goes...

    <LOUD> Listen here! Open Office is FREE. It probably does what you need. You don't need to break the law to use it at home. It does not currently have any of the virus problems that Office does. </LOUD>


    Office 97 seemed like a pretty good product, once you installed it on a machine a couple generations later than a current PC at the time of release.
    Personally, I'd be happy with Word 6. That was a good release, still-compatible file formats, nearly universal readability.
    Open Office is a nice package that exceeds my modest needs. After having used it a bit, there is no way I'd even consider installing Office XP or whatever it is.

    Sometimes, I just don't *get* people...
    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
    1. Re:97 is Unsupported?!?!? by Anonymous Coward · · Score: 0

      I didn't have to break the law to run Office 97 at home.

      In fact, early this spring, I bought a SCSI hard drive from somebody on eBay, to put in a Sparc box I'd bought on eBay. I didn't notice until the bidding was over that there was mention that the bundle included a copy of Office 97. So for $40 I got an 8 GIG SCSI drive and a free copy of Office 97, which is a legal copy since I bought it as part of an OEM bundle.

    2. Re:97 is Unsupported?!?!? by Anonymous Coward · · Score: 0

      Of course, that copy of Office 97 can only be legally installed on your Sparc :)

      (As a side note, why do people feel better about themselves for illegally using 'legal' OEM bundles. Just burn a copy from someone you know - same fucking difference.)

  93. Re:Job security, overload, and the scope of the pr by Anonymous Coward · · Score: 0

    I've been running as non-admin on NT/2000 for many years now. I just don't install software everyday and use SU.exe/Run As when appropriate.

    Of course in this day-and-age, the real value is the user data and not the easily replaceable OS configuration. That's why both Unix's and NT's security model is deficient and we need to move to a Java/NET-like capabilities system where all code is sandboxed (except when absolutely necessary for speed or whatever).

  94. PowerPoint spam by MegaFur · · Score: 1
    "Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?"
    That's nothing. I work at the help desk for a large computer lab for college students. Many of the professors put their class notes (in the form of MS PowerPoint files) on a campus-wide shared network drive.

    When the students want the notes for a given class, they come into the lab, find the relevant files and print them. The problem is that MS defaults to printing "Slides" and this means that it will print one PowerPoint slide per page... many of the PowerPoint files have between 30-60 slides in them. The printer gets spammed. Of course, if things were actually set up properly, there would be a limit on how many pages people could print--but there isn't. Of course, if the lusers were a little more clueful, they wouldn't send 40-60 page print jobs--but they're not.

    MS is really only one large part in the general web of stupidity that makes daily computing suck.

    --
    Furry cows moo and decompress.
  95. Re:This hole could be in more versions that listed by TheMidget · · Score: 1
    You seem to have a very narrow view of the responsibilities given to an engineer, researcher, trainer, etc.

    How, where are you getting that from? Where exactly was I implying that all the professionals I named would only have one narrow task? Or do you mean my comment about bad engineers building schools out of cardboard? Hey, that comment was tongue in cheek. I was not implying that engineers only build schools... this was just an example of one kind of activity among zillions.

    In today's world, engineers (and the rest of the people you listed) are asked to 'do it all' and that includes communicate with others.

    Yeah. The old "Unix users don't get well along with people" canard. Hey Softie, I'll tell you something: people "communicated" with each other since humanity exists. They didn't need to wait for Uncle Bill to do so. And guess what: even today, they still don't need Uncle Bill to do so. There are zillions of ways to make presentations, including Latex, Slitex, Dia (which you mentioned yourself), Star Office, HTML, or even plain old markers on transparencies.

  96. Re:This hole could be in more versions that listed by TheMidget · · Score: 1
    I would love to hear about alternatives, but right now powerpoint is the best presentation software I've seen

    I suggest you take a look at Dia, Star Office, LaTex, Slitex, etc.

  97. Re:This hole could be in more versions that listed by TheMidget · · Score: 0, Offtopic
    ...Dia (which you mentioned yourself)...

    Oops, confused this with another reply. It was actually grammar nazi who mentioned preferring dia. Sorry.

  98. Re:This hole could be in more versions that listed by TheMidget · · Score: 1
    I was a peon systems engineer and it wasn't my choice as to whether we used powerpoint or Dia (my preference) or some other package.

    In a past job, I was also forced to use Powerpoint, Word, Excel, etc. I guess that's why it is a past job...

    It is my opinion that WYSIWYG is much more important for creating slides than it is for creating a document.

    It is my opinion that actually having something to say, and expressing it clearly is much more important for creating slides than what software you use. Hey, if you need, you may even use transparency pens, I've seen some very good presentations done that way.

  99. Service Pack by carrier+lost · · Score: 3, Insightful
    How is it advantageous to Microsoft to get people to download free patches?

    I don't think it was planned. I think they rush to market on every release. I believe it to be the company's modus operandi - get it out the door, fix the problems in a Service Pack.

    Service Pack. There's an awesome piece of marketing. Microsoft calls 'patches' 'Service Packs' and averts contaminating the perception of The Product. A patch is something you apply to something that's broken. A 'Service Pack' is like getting something extra. Genius.


    It all seems so obvious. Microsoft wanted to offer complete connectivity between products. And they did. And they rushed it to market without realizing how all this inter-process functionality could be exploited. I'm sure it was the furthest thing from their minds - "Why would anyone want to use The Product to do anything bad? We're just trying to provide solutions. Why the hell are people using our 'Solutions' to cause problems?"

    Spoing!

    MjM

  100. Patch Downloads by sc00ch · · Score: 1

    The patches total ~10mb, downloadable as 2 separate files, one for excel and one for powerpoint. I can imagine those on 56k modems will be complaining about this.

  101. Lobotomized Marketers by CaptainZapp · · Score: 1
    It's even worse, when those marketing geezers working for big companies are convinced, that their 4.8 Mb PowerPoint presentation about the new and revolutionary Realtime Widget Deployer, is of great interest to half the company.

    When you're on the road a lot and your only access is 28.8k modem via a crappy phone line, you could kill those fscking morons; literally.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  102. Off Topic: Irresponsible sig by Denito · · Score: 1

    I wish there were a way to contact you directly instead of making an off topic post, but your sig is pretty weak. Where are you getting that number?? Somalia was obviously a fiasco, but I've NEVER heard the claim that the US killed 7000 Somalians. See for example the Frontline website for reference. If you are going to say something so controversial, you should point to a link with some info.

  103. Why PowerPoint is really bad for productivity by fedos · · Score: 1
    People use it for everything. And I'm not making this up: at the Air Force base that I work at every summer, even a single-page there's-gonna-be-a-banquet-for-Colonel-Smith's-retirement notice gets done in PowerPoint and then emailed to everyone on base. Just thinking of the bandwidth waste makes my head hurt.

    You get no email for half the day sometimes because a high-up sent a base-wide email with a PowerPoint attachment that he thought everyone could need when he should have just given to the folks in his office. This makes it difficult when part of your job is to email reports to supported agencies and reimbursement vouchers to customers.

    It doesn't help that when someone makes a PowerPoint project, they go all out and put lots of pictures and animations on every page.

  104. user override by psych031337 · · Score: 2
    From the link:
    To deal with this threat, Microsoft has for sometime included a functionality in both applications that scans for the presence of macros in all PowerPoint and Excel documents. The feature alerts users if a macro is detected, allowing the user to decide whether to permit the macro to be executed.

    Last time I checked, most worms were also executed manually by dimwit users...
    --
    +++ath0
  105. Or use Perl to break it up for printing by yerricde · · Score: 1

    switch that one occurrence of the string "presentable.css" to "printable.css" in your presentation

    As unapersson pointed out, you can do this automatically. However, some browsers do not support CSS2 paged media; for them, you can write a short Perl script that recognizes the special style you used for slide breaks and breaks the slides into separate HTML pages for printing. Only one person has to do this; the rest can just download the presentation tools off OSDN Freshmeat.

    --
    Will I retire or break 10K?
  106. but... they call it a patch... by Anonymous Coward · · Score: 0

    "Customers using affected versions of Excel and/or PowerPoint should apply the patch immediately."

    "Patch availability"

    "Download locations for this patch "

    "Additional information about this patch"

    ... I'm not sure how your attack is relevant, or even accurate. You're claiming that they use the term "Service Pack" instead of "Patch", when it's plain as day that they use the term "Patch" all the time. The only point where they mention "Service Pack" in this advisory is: "The fix for this issue will be included in Office XP Service Pack 1."

  107. Re: Excel 97 by Lawrence_Bird · · Score: 1

    from the website this wonderful nugget of microsloth support advising an upgrade (spend $$$) to a more secure (ha!) version:

    I'm running Excel 97 and/or PowerPoint 97, does this issue affect me?
    First, it's important to understand that Excel and PowerPoint 97 do not have the same macro security framework as Excel and PowerPoint 2000 and 2002. The Excel and PowerPoint 97 macro security framework lacks many key features that the 2000 and 2002 macro security framework has, including a digital signature trust model that allows trusted, signed macros to be differentiated from untrusted, unsigned macros. Under this older framework, it is difficult for a user to make an informed decision regarding the trustworthiness of macros.

    In addition, as noted under "Tested Versions", Excel and PowerPoint 97 are no longer supported products.

    Because of these two issues, customers who are concerned about macro security are urged to upgrade to a support version with a more robust macro security model.

  108. Re:This hole could be in more versions that listed by slashdot2.2sucks · · Score: 0

    Unfortunately I see many (not the majority) mathematicians, physicists, and scientists in general using PowerPoint. While this is nothing bad in itself, PowerPoint allows them to make a presentation worse than if they just used transparencies.

    Without font AA on, the equations look bad in Windows.

    PowerPoint lets people put text and equations on colored background so they are hard to see.

    Equation fonts don't ever seem to use the correct size or weight font and are always more difficult to read than LaTeX slides.

    People seem to have a difficult time going back and forth through slides.

    In fact the only thing of value that I have ever seen are animations and media type things, but nothing that can't be done with HTML.

  109. So 97 is not supported, eh... by Anonymous Coward · · Score: 0

    Sigh. I support over 300 systems. Most of them have Office 97, since the organization I support has not (and I have not) discerned any benefit for moving to Office 2000 to justify the horrendous expense.

    If I had my way, I would move everyone to Corel/WordPerfect Office or StarOffice, but I know that I would not survive the howls of dismay if I separated people from their beloved Excel and PowerPoint (I suspect that I could wean them off of Word - it might take time, but it could be done).

    Me? I use WP. I have Office on my machine, because I have to be able to support the people who can't live without it. My attempts to plead, cajole, and bully people into other options have not worked, and, I suspect will not work. Needless to say, I also have a fair amount of my time taken up with fixing the damage caused by people opening MacroViruses, too. At least (mercifully!), we don't use IIS, Exchange, and most of us don't use Outlook (and the ones who do have been told by those who control the purse-strings that they are on their own!)!

    The sad fact is that most people in environments like mine will not leave what they perceive as a comfortable place (despite their cursing every time I have to fix the M$ problems or patch their system) until something drastic (I mean costing them serious money or losing valuable research) happens. So far, the ones that have lost their research have been deemed "unimportant" and "dumb". I can only bide my time for the "important" folk to do the same (the two most important are high on my list of virus-openers - they just haven't opened the right ones - yet)

    Meanwhile, I tweak my Linux boxes, so that I can show them an alternative when they ask for it...

  110. Politically Incorrect? by d-man · · Score: 1

    Have you ever noticed how awkwardly some writers alter their writing to use "she" or "he/she" instead of "he", to seem cool and PC-savvy and inclusive, to the point of making their writing unreadable? Go re-read M$'s vulnerability report. The user is always referred to as "he", and the attacker is always referred to as "she". How subversive! What are they trying to tell us?

    Unix: Where /sbin/init is always Job 1.

    --
    Unix: Where /sbin/init is still Job 1.
  111. Re:Job security, overload, and the scope of the pr by Anonymous Coward · · Score: 0

    You bring up a good point that is sorely neglected by people advocating the Unix security model. In ye olde Unix days, many people shared the same system. A major vulnerability of the system was users who could touch or manipulate system resources.

    As a result of this legacy, just about the only thing that can be easily and immediately destroyed by a user logged onto a Unix system is all the important data in the User's home directory. As you mention, that's precisely the ONLY important information on the system (you sysadmin types please just shut up. go change that toner cartridge up on the third floor you've been neglecting all morning, kay?). Anything else can be ghosted onto a well designed system in a matter of minutes.

    Clearly a coarse grained security model that almost entirely ignores the vulnerability of the data in the user's home directory is a deficient one.

    This isn't the '70's anymore, people. I like listening to my Jefferson Airplane albums, too, but I don't pretend Nine Inch Nails doesn't exist.

  112. You could say that... by dave-fu · · Score: 1

    ...or more accurately, you could say that while people's eyes are well opened to the fact that MS puts out buggy software, their eyes haven't been opened to a better alternative to what they've currently got, because there is none.
    Until one of these holes actually affects their bottom line or someone puts out a product that can actually compare in terms of ease of use, they won't be losing any sleep (or money) over their latest hole.

    --
    Easy does it!
  113. Safety in prehistory by daviddennis · · Score: 2

    These macros were written for Visual Basic for Applications (VBA), which I think was introduced in the 1997 versions of the products. If you could dig up an earlier version, they used a macro language that was almost entirely incompatible with current scripts. (I know because this caused me enormous pain in trying to make a macro package compatible with both versions - it was all but impossible).

    So if you have that ancient version lying around, you may want to use it. Or use programs with Word or Excel import filters instead of the real thing.

    Anyone know if StarOffice is affected? When I checked it a few years back, it looked like it had a pretty complete emulation of VBA.

    D

    1. Re:Safety in prehistory by MrBogus · · Score: 2

      Excel supported VBA going back to version 5.0 (Office 4.2). It was later expanded to the other products in the suite.

      There's also other vendors like Corel WordPerfect that have licenced VBA from Microsoft. It's unclear if this is a problem in the VBA runtime or the Excel/PowerPoint fileformats though.

      --

      When I hear the word 'innovation', I reach for my pistol.
  114. Yeah, you're right by carrier+lost · · Score: 1

    I got off track.

    What I was trying to express was that Microsoft came up with this great "spin" on regular patches, - Service Packs - but that the unending stream of emergency fixes they've been forced to provide has them reverting to using "patch" lest they lose the perceptive effect of that brilliant marketing move.

    Or something to that effect...

    MjM

  115. Re:This hole could be in more versions that listed by daviddennis · · Score: 2

    I don't think he was saying that you shouldn't do presentations, just that PowerPoint is lame software.

    I have never used PowerPoint, but I can certainly say it is responsible for incredible numbers of terrifyingly bad presentations, so I think there are ample good reasons behind the prejudice.

    I used Macromedia Flash for my last presentation - as cross-platform as it gets, and I was amazed at how flexible it was and how (comparatively) gentle the learning curve. It's well worth checking out in my view.

    D

  116. There is a better presentation program by ewiser · · Score: 1

    I have used for 8 years software called Scala. http://www.scala.com It is so far above what Powerpoint can do it is silly. The only reason that Powerpoint would be used is that it comes in the Office suite. Scala has scripting and transitions that Powerpoint doesn't even come close to. I started using it on the Amiga and then it was ported to the Windows platform. Its biggest software package IC200 runs cable networks. For really professional presentations Scala is the only choice out there.

  117. PowerPoint MINIMIZES corp. problems by behindthewall · · Score: 1

    Keeping a suit tied up tweaking his (gender intended) presentation prevents him from sticking his nose into real decisions and mucking them up.

  118. the date on the patch is May 12, 2000... by Holgrave · · Score: 1

    Just for the benefit of anyone who went rushing to get the patch like I did, the patch was released in May of 2000, which means it is over a year old, and they have released SP2 since then which apparently incorporates this fix.

  119. Now I know why we keep having computer probs... by allism · · Score: 1

    I sent the network admin for my company a link to the Computer World article...just got an e-mail back saying it was irrelevant...

  120. One question: by thejake316 · · Score: 1

    What bug in PowerPoint changed the "we should stop thinking that Linux servers will sell themselves" slide to a "we should get out of the hardware business" slide in a certain somewhat recent VA Linux presentation?

    --
    AC's cheerfully ignored
  121. Easier to fix? by driehuis · · Score: 2
    Hrm. Fixing a bug in a product as complex as OpenOffice is not particularly easy -- especially if it is not a crashing bug so you don't have a starting point in the debugger. Learning your way around such a huge source tree is a major undertaking.

    It took me months to find my first crashing bug in Mozilla (and that bugfix was obsolete by the time I got the patch to the developers).

    The coolest thing about having the source is that when you disagree with the developers, you can Just Hack It. This doesn't buy you much if you then rely on your hacked copy (and have to maintain your hack), but it gives a much more level playing field if you want to discuss why making such a change would be a good thing, because you can show them how your proposal would behave.

    In the case of MS Office, first thing I would have done years ago if I had the source is instrument the binary just to find out who is using macros and what for. I hate being told by users that they need dangerous feature X, only to learn later that they don't know how to use it if their lives depended on it.

    --

    Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.

  122. Virus scanner overhead by driehuis · · Score: 2
    You really can't blame Microsoft when even you admit that it's 3rd party apps that are causing the problem.

    Of course I can. There used to be a time when a virus checker only had to care about accesses to .EXE, .COM and .DLL. If you disable the "scan all file types" feature nowadays, you're vulnerable to macro attacks, and of course to the brilliant feature that allows files with the .CMD and a slew of other extensions to have an MZ magic header and be treated as a binary.

    Those are design problems, that a virus checker has no speedy workaround for. It has to treat every file as hostile.

    I don't want to know how many of our virus infections have a user who "optimized" his virus checker as the root cause.

    --

    Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
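
The point made in the comment above, that a scan list of program extensions no longer tells a scanner which files matter, shown as an added example that is not part of the original post. It compares an extension-only policy with a check of each file's leading magic bytes; the file names, contents and function names are constructed for illustration.

```python
import os

# DOS/PE executables begin with "MZ". Office 97-2003 files (.xls, .ppt, .doc)
# are OLE2 compound files, the container format that can carry VBA macros.
MZ_MAGIC = b"MZ"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

EXECUTABLE_EXTS = {".exe", ".com", ".dll"}   # the old "programs only" scan list
OLE2_EXTS = {".xls", ".ppt", ".doc"}


def sniff(data):
    """Classify a file by its leading bytes, ignoring its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(MZ_MAGIC):
        return "mz"
    return "other"


def triage(name, data):
    """Compare what an extension-only policy does with what the content calls for."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(data[:8])
    expected = {"mz": EXECUTABLE_EXTS, "ole2": OLE2_EXTS}.get(kind, set())
    return {
        "kind": kind,
        "scanned_by_extension": ext in EXECUTABLE_EXTS,
        "needs_scan": kind != "other",
        # Content that does not match the extension deserves an alert of its own.
        "mismatch": kind != "other" and ext not in expected,
    }


def missed_by_extension_policy(samples):
    """Names whose content needs scanning but whose extension is not on the list."""
    missed = []
    for name, data in samples:
        result = triage(name, data)
        if result["needs_scan"] and not result["scanned_by_extension"]:
            missed.append(name)
    return missed


# Constructed samples: only the first bytes matter for this check.
SAMPLES = [
    ("setup.exe", MZ_MAGIC + b"\x90\x00\x03\x00"),
    ("report.xls", OLE2_MAGIC + b"\x00" * 8),
    ("cleanup.cmd", MZ_MAGIC + b"\x90\x00\x03\x00"),
    ("notes.txt", b"meeting at ten\n"),
]

if __name__ == "__main__":
    print(missed_by_extension_policy(SAMPLES))
```

Raw .COM programs carry no magic number at all, so a content check like this complements a full scan rather than replacing it.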

  123. Re:This hole could be in more versions that listed by Anonymous Coward · · Score: 0

    > Do note - just because older versions aren't supported Microsoft won't check if the hole is there!

    Isn't that the definition of "not supported" ?

  124. In a perfect world.... by Anonymous Coward · · Score: 0

    Excuse me if my post is complete bollocks.

    Not thinking straight because of a bad headcold.. :-( but....

    Wouldn't it be great if the W3C had the ability to enforce some kind of ownership/copyright of HTTP?

    Just in the way that MS can force software vendors to submit their code in order to get that 'Windows Compatible' sticker on the box, the W3C would have had the ability to audit (inc. security checks) any commercially released code using the protocol (which would include servers and browsers) before granting a license to the vendor. Any unlicensed releases by a company triggering legal action for copyright infringement....

    This might have stopped vendors polluting the net with substandard releases?

    It's too late now I suppose, and I almost certainly haven't thought it through, so flame away... :-)

    Who holds the copyright for HTTP anyway?
    Is it Tim Berners-Lee himself, CERN, the W3C...?