Slashdot Mirror
Holes in PowerPoint and Excel
jeffy124 writes: "Looks like it's time for IIS and Outlook to make room on the pedestal of security holes. Just about every recent version of PowerPoint and Excel are vulnerable to being taken over to control the system remotely. The hole is a macro-related, as it's possible to bypass asking the user if they'd like a macro to run. Microsoft's advisory can be found here."
Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?
Is this really a surprise? I was under the impression, that all macro-enabled applications under windows (office suite) shared such vulnerabilities, because they most probably use the same scripting engine.
;)
One exploit serves all
-- The plural of 'anecdote' is not 'data'.
These things first appeared in 1996 or so. Word.Concept or what was it called. Microsoft responded by disabling the AutoLoad macro (or whatever it's called). Now somebody found a new way to make Excel/etc. execute stuff when loading a file. Big deal.
I wonder why virus writes bother at all. They can just put a button labeled "Click here" on the page, and 95% of the lusers will click it. The only defense against that is just disabling all macro support. And everybody knows that isn't going to happen.
It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.
On Unix, lots of applications have extremely powerfull scripting languages. Just think about the stuff you can do with Emacs (elisp) and the Gimp (which uses guile, a full Scheme interpreter). But the user has to explicitly install them. They aren't hidden away in some document.
Actually, Emacs mixes data and code in the same way. Check the File Variables section in the info system, and in particular the enable-local-eval variable. Basically, you can set buffer local variables by embedding the commands for this at the end of the file. One of these variables is 'eval' :-). Thus spake RMS:
In this sense Emacs is just as guilty as Microsoft Office. Just because it's Free doesn't mean it is without security free. (But the fact that the average person using Emacs is more clued in than you Power Point suit, does help...)
Hi!
You know, I think that if the former versions aren't vulnerable, they're not gonna tell you. They just can't take the risk to have people want to revert to older versions on the basis that they "work better", not when their business relies so much on people upgrading over and over...
-- B.
This sig does in fact not have the property it claims not to have.
Come on, Powerpoint is the de facto standard.. Don't expect millions of business users to jump through hoops just because 'M$ sux0rs'
Unfortunatly, you ahave a point. Apparently, the billions of dollars wasted on cleanup after the MS exploit of the day haven't convinced enough people.
Perhaps macro viruses need to touch on corperate hotbutton issues in order for the suits to start thinking.
Perhaps the sexual harassment virus. You get it and it starts sending sexually harrasing email to your coworkers. If done well, the courts could be tied up for decades.
The IP virus, looks for documents containing trade secrets, and quietly posts them to random usenet groups.
Porn virus: Quietly downloads porn into your browser cache. Bonus points if the porn is illegal where you live.
Carnivore virus. Sends suspicious emails to the targets of FBI investigations.
Rootkit virus: Deploys a rootkit from your machine against a bank or government website. Instant felony.
Please note! I don't condone any of these, I just recognise that so far the holes in MS products have been used primarily for childish pranks rather than for real damage.
The least MS could do is at least TRY to limit the damage by putting macros in some sort of sandbox.