Slashdot Mirror


Holes in PowerPoint and Excel

jeffy124 writes: "Looks like it's time for IIS and Outlook to make room on the pedestal of security holes. Just about every recent version of PowerPoint and Excel is vulnerable to being taken over to control the system remotely. The hole is macro-related, as it's possible to bypass asking the user if they'd like a macro to run. Microsoft's advisory can be found here." Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?

25 of 277 comments

  1. Windows and Macintosh by dafoomie · · Score: 5, Funny

    Customers using Microsoft® Excel or PowerPoint for Windows® or Macintosh®

    I guess Mac users can stop complaining that they don't get all the features of the Windows version.

  2. One more hole by entrox · · Score: 4, Insightful

    Is this really a surprise? I was under the impression that all macro-enabled applications under Windows (office suite) shared such vulnerabilities, because they most probably use the same scripting engine.

    One exploit serves all ;)

    --
    -- The plural of 'anecdote' is not 'data'.
    1. Re:One more hole by zerocool^ · · Score: 5, Funny

      One exploit to rule them all
      One hacker to find them
      One macro to bring them all
      And in the darkness bind them.
      --
      sig?
  3. Macros and scripting by Alsee · · Score: 3, Interesting

    Hasn't anyone at Microsoft noticed yet that macros and scripting are very dangerous features? They are executable code! They should be avoided if possible. When implemented they should have restricted functionality (why the hell does a macro need to be able to delete files?!?), and they need to be scrutinized for bugs and holes more closely than almost any other piece of code.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    1. Re:Macros and scripting by reynaert · · Score: 4, Insightful

      It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

      On Unix, lots of applications have extremely powerful scripting languages. Just think about the stuff you can do with Emacs (elisp) and the Gimp (which uses guile, a full Scheme interpreter). But the user has to explicitly install them. They aren't hidden away in some document.

    2. Re:Macros and scripting by cybaea · · Score: 5, Insightful
      It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

      On Unix, lots of applications have extremely powerful scripting languages. Just think about the stuff you can do with Emacs (elisp)...

      Actually, Emacs mixes data and code in the same way. Check the File Variables section in the info system, and in particular the enable-local-eval variable. Basically, you can set buffer local variables by embedding the commands for this at the end of the file. One of these variables is 'eval' :-). Thus spake RMS:

      The `eval' "variable," and certain actual variables, create a special risk; when you visit someone else's file, local variable specifications for these could affect your Emacs in arbitrary ways. Therefore, the option `enable-local-eval' controls whether Emacs processes `eval' variables, as well as variables with names that end in `-hook', `-hooks', `-function' or `-functions', and certain other variables. The three possibilities for the option's value are `t', `nil', and anything else, just as for `enable-local-variables'. The default is `maybe', which is neither `t' nor `nil', so normally Emacs does ask for confirmation about file settings for these variables.

      In this sense Emacs is just as guilty as Microsoft Office. Just because it's Free doesn't mean it is without security free. (But the fact that the average person using Emacs is more clued in than your Power Point suit, does help...)

      --
      Hi!
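
Added example (not part of the thread, and not Emacs code): a Python scanner that flags the file-local settings the manual text quoted above singles out, `eval` and names ending in `-hook`, `-hooks`, `-function` or `-functions`. The function names and sample files are constructed for illustration; it assumes Emacs's documented first-line `-*- ... -*-` form and a `Local Variables:` ... `End:` list within the last 3000 characters of the file.

```python
import re

# Risky names per the manual text quoted above: `eval` plus these suffixes.
RISKY_SUFFIXES = ("-hook", "-hooks", "-function", "-functions")
TAIL_WINDOW = 3000  # Emacs looks for the list only this close to end of file

def is_risky(name):
    name = name.lower()
    return name == "eval" or name.endswith(RISKY_SUFFIXES)

def first_line_vars(text):
    """Parse `-*- var: value; ... -*-` on line 1 (line 2 after a #! line)."""
    lines = text.split("\n", 2)
    line = lines[1] if lines[0].startswith("#!") and len(lines) > 1 else lines[0]
    m = re.search(r"-\*-(.*?)-\*-", line)
    pairs = []
    # Simplification: a ';' inside a value would split it early.
    for item in (m.group(1).split(";") if m else []):
        name, sep, value = item.partition(":")
        if sep and name.strip():
            pairs.append((name.strip(), value.strip()))
    return pairs

def trailer_vars(text):
    """Parse the `Local Variables:` ... `End:` list near the end of the file."""
    tail = text[-TAIL_WINDOW:].rsplit("\n\f", 1)[-1]  # last page only
    lines = tail.split("\n")
    for i, line in enumerate(lines):
        m = re.match(r"^(.*?)[ \t]*Local Variables:[ \t]*(.*)$", line, re.I)
        if m:
            prefix, suffix = m.group(1).strip(), m.group(2).strip()
            break
    else:
        return []
    pairs = []
    for line in lines[i + 1:]:
        body = line.strip()
        if prefix and body.startswith(prefix):
            body = body[len(prefix):]
        if suffix and body.endswith(suffix):
            body = body[:-len(suffix)]
        name, sep, value = body.strip().partition(":")
        if not sep or name.strip().lower() == "end":
            break
        pairs.append((name.strip(), value.strip()))
    return pairs

def scan(text):
    """Return (location, name, value) for each risky file-local setting."""
    hits = [("first-line", n, v) for n, v in first_line_vars(text) if is_risky(n)]
    hits += [("trailer", n, v) for n, v in trailer_vars(text) if is_risky(n)]
    return hits

# Constructed sample inputs, not taken from any real file.
SAMPLE_BENIGN = "-*- mode: text; fill-column: 72 -*-\nPlain notes.\n"
SAMPLE_RISKY = (
    "Meeting notes\n\n"
    ";; Local Variables:\n"
    ";; fill-column: 72\n"
    ";; eval: (message \"constructed sample\")\n"
    ";; after-save-hook: (ignore)\n"
    ";; End:\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("risky", SAMPLE_RISKY)):
        print(label, scan(sample))
```

A hit does not mean the file is malicious, only that opening it relies on the `enable-local-eval` confirmation the quoted text describes.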
  4. Educate the users by Red+Aardvark+House · · Score: 3, Interesting

    At my job, the IT tech gave instructions to all users to disable macros on all incoming attachments in Excel and Word, or not to even open them at all if they're not sure.

    It's not foolproof but it does make the people at my job aware of one of the many ways that viruses are spread.

    --

    I like fire ants. They are very spicy!

  5. This hole could be in more versions than listed! by Troed · · Score: 4, Interesting
    Taken from Microsoft's website:


    Tested Versions:
    Microsoft tested the following products to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.


    Office 98 for Macintosh

    Office 2001 for Macintosh

    Office 2000 for Windows

    Office 2002 for Windows


    Do note - just because older versions aren't supported Microsoft won't check if the hole is there!

  6. Must be a slow news day... by Microsift · · Score: 3, Offtopic

    If a story about a vulnerability in Microsoft created software is considered news.:)

    --
    My other sig is extremely clever...
  7. So what? by reynaert · · Score: 5, Insightful

    These things first appeared in 1996 or so. Word.Concept or what was it called. Microsoft responded by disabling the AutoLoad macro (or whatever it's called). Now somebody found a new way to make Excel/etc. execute stuff when loading a file. Big deal.

    I wonder why virus writers bother at all. They can just put a button labeled "Click here" on the page, and 95% of the lusers will click it. The only defense against that is just disabling all macro support. And everybody knows that isn't going to happen.

  8. General security bug rant by mgkimsal2 · · Score: 3, Insightful

    Others have said it in the past, and I'm starting to believe it more myself. I really think that many at large companies use default installs of Office as job security. No one can blame them entirely if there's a problem - after all, the IT guys themselves didn't write the viruses. Failing to keep up with patches released months earlier can be cause for problems, but if a virus just came out recently, or there's just no patch for it, then "It's not my fault!" is a very valid point.

    The 'job security' aspect comes in because *someone* has to go around and patch every machine. *Someone* has to go round and install/test new virus software. I think it's past being 'common knowledge' that *by default* most MS products install themselves pretty insecurely. So someone has to learn about how to lock down those products - then actually do it. It's job security, choosing products which you KNOW will require you to always be updating them.

    Yeah, I'm a bit overly cynical about this. I've met some people who really just think this is how computers are supposed to be - you're always playing 'catch up' to virus writers. The concept of prevention to them is installing the latest 'Norton' utility. Proactively analyzing the systems they have for potential vulnerabilities (turn off scripting on machines that don't need it, etc) just doesn't occur to them.

    I'll be the first to admit that StarOffice/OpenOffice have not been up to snuff in the past, and even the current versions may not be up to snuff for everyone, but they're getting better. SO6 and the next OO may in fact be solid enough to let *many* in an organization use those as their primary or only Office applications, and let the few people that need the MS-specific features keep using MS Office. Yes, there'd be some relearning costs - figure that gets covered by the savings in upgrade licensing for those people.

  9. Re:Suits? No. Teachers? Yes. by luckykaa · · Score: 3, Insightful

    I did a presentation skills course. One of the rules was not to use slides at all unless you really need them. You simply don't need a slide that says we sold 100 000 units if you can just tell them.

    Powerpoint - like a lot of modern software - reverses this rule by making the user subordinate to the software.

  10. Re:OpenOffice.org by Tom7 · · Score: 3, Insightful


    What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

    I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

  11. Re:Star Office + linux by Tom7 · · Score: 3


    Not to burst your bubble, but don't forget that Redhat (and many other linux distributions) install with numerous remote root holes. The solution problem is not germane to Microsoft. (You might successfully argue it is a result of poor administration, though.)

  12. Obviously... by Balinares · · Score: 5, Insightful

    You know, I think that if the former versions aren't vulnerable, they're not gonna tell you. They just can't take the risk to have people want to revert to older versions on the basis that they "work better", not when their business relies so much on people upgrading over and over...

    --

    -- B.
    This sig does in fact not have the property it claims not to have.
  13. Productivity by Phroggy · · Score: 5, Funny

    I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?

    How does that hurt productivity? You seem to be implying that the suit would be doing something productive if he weren't using PowerPoint.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  14. Re:This hole could be in more versions than listed by Chanc_Gorkon · · Score: 3, Informative

    Maybe something like recording keystrokes, but I was pretty sure there was no VBA in PowerPoint 95 and 97. The macro languages in Word and Excel were also incompatible because of minor differences in each. At least for the 95 version. In the 95 version, there was WordBasic for Word (subset of VB) and VBA in Excel (Visual Basic for Applications...another subset of VB). In Office 2000 (it could be 97, but I thought it was 2000) everything got a compatible macro language. Thus the recent blossoming of macro virii. Personally, I have PowerPoint installed, but don't use it much. Only people I have ever seen use this are suits and sales monkeys.

    --

    Gorkman

  15. Re:So, what do you use for presentations? by sjames · · Score: 5, Insightful

    Come on, Powerpoint is the de facto standard.. Don't expect millions of business users to jump through hoops just because 'M$ sux0rs'

    Unfortunately, you have a point. Apparently, the billions of dollars wasted on cleanup after the MS exploit of the day haven't convinced enough people.

    Perhaps macro viruses need to touch on corporate hotbutton issues in order for the suits to start thinking.

    Perhaps the sexual harassment virus. You get it and it starts sending sexually harassing email to your coworkers. If done well, the courts could be tied up for decades.

    The IP virus, looks for documents containing trade secrets, and quietly posts them to random usenet groups.

    Porn virus: Quietly downloads porn into your browser cache. Bonus points if the porn is illegal where you live.

    Carnivore virus. Sends suspicious emails to the targets of FBI investigations.

    Rootkit virus: Deploys a rootkit from your machine against a bank or government website. Instant felony.

    Please note! I don't condone any of these, I just recognise that so far the holes in MS products have been used primarily for childish pranks rather than for real damage.

    The least MS could do is at least TRY to limit the damage by putting macros in some sort of sandbox.

  16. Somebody tell the suits what this costs by BroadbandBradley · · Score: 4, Informative

    I work for a BIG company, (fortune 500) that runs MS Exchange server for mail. We recently upgraded from 95 to 2000 just a few months ago. (support for our working Win95 system having been discontinued by MS) The overhead created by all the security stuff running on the network has created lots of problems. Email is no longer 'realtimeish' meaning it may take 1/2 hour to receive a message sent across our network. When right clicking in my browser window, it takes about 5 seconds for a menu to open (pentium III 500 128meg ram). My home pc runs Linux, and outperforms my work computer at about half the hardware (PII 266)
    IT has been trying to figure out how to fix the mail delays for a few months now with no progress, and I don't think they even care that it takes me so long to perform functions in the browser, but most of my work is done in web-based tools. MS has the world by the nuts, and they're milking us all!!! at least in my home I still have a choice.

  17. Emacs security flaws. by Ungrounded+Lightning · · Score: 5, Interesting

    Emacs does include some features that are equivalent to these sort of macros. They are disabled by default

    And they used to be enabled by default - which was a big vulnerability if you used them as a mail reader or netnews reader. A simple string embedded in the letter or posting could do anything YOU could do in emacs - which means anything you could do from a shell, too.

    Fortunately the first well-known public exploit was a netnews posting demoing the bug by popping up a window and telling you how to turn it off. The default was changed in the next release.

    The days of the MIT AI lab were a more innocent time. To keep the students from crashing the machine they made it trivial - with a well-documented command to do it. The idea being that if there were no reputation points to be earned by "finding a way to crash the machine" but lots of negative ones to be had by annoying the other students, everybody would get bored with it quickly. Stallman continued the tradition later by having no root password on his personal machine for quite a while.

    Unfortunately, about one person in a hundred (one in 50 to one in 200) is a psychopath - a person with a brain problem analogous to color blindness that amounts to "no conscience". Some fraction of these don't compensate by learning that hurting others is bad for number one and becoming "good" by deliberate effort.

    So when you have hundreds of millions of people on the internet, you end up with a few "black hat" hackers and a host of script kiddies. So the days of innocence (and Stallman's open root account) are long over.

    Now internet-connected computers hold information of value that can be stolen and run mission-critical functions for businesses with cutthroat competitors. So a management order to install mass-market software with a history of well-known major security holes has graduated from administrative cluelessness to a severe breach of fiduciary duty.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  18. Source of Lax Security by _Sprocket_ · · Score: 3, Insightful


    I really think that many at large companies use default installs of Office as job security.


    I have done infosec in both a large funding-limited US government agency, and a well-funded network-savvy corporation. I'd like to suggest a different reason lax security exists: funding.


    In both cases, I saw that the IT support infrastructure (sysadmins, architects, desktop support, etc) were underfunded compared to the amount of new tasks and upkeep they were presented. These folks worked tirelessly just to keep their heads above the workflow. Security often added additional effort / steps / work to their already overwhelming load.


    In the Gov't environment, this meant security practices were often ignored. Security was considered an additional effort, and the IT groups were not funded for it. Furthermore, there were few security experts (again - they were not funded for and rarely sought out). Often IT workers were oblivious to security practices to begin with.


    In the well-funded corporate environment, implementing security practices involves a great deal of fighting and compromise. There was a well-funded infosec group who championed good security practices. However, the actual admin groups (who were otherwise excellent admins) were rarely knowledgeable (or focused) on security issues. Their focus was simply to get things working. Thus, sometimes good security practices went in to place... sometimes security practices were compromised away... sometimes security practices were completely ignored.


    It might be worth making another observation. I used to believe good security practices are just a part of being a good admin. I've changed my mind. It is a sign of an exceptional admin. A good understanding of infosec issues requires additional training and understanding that goes beyond the usual realm of administration. Infosec is a specialized skill. As such, those with knowledgeable admins should count themselves lucky. Most organizations will need to hire (or contract) infosec specialists whose focus is on secure (and workable - that's sometimes a tough tradeoff) implementations.

  19. Re:Scripting and office suites by JabberWokky · · Score: 3, Insightful
    KOffice uses external scripting rather than internal scripting - that is to say, the document contains no scripting information, but is a valid XML document, and the application has hooks for external programs to script internally. The concept is that any language, perl, python, ruby, C, C++, etc, can then access the document inside the KPart (and any embedded document inside that, or embed the document into itself). As far as this conversation goes, this flips the security problem back into the "open" - you're responsible for the applications you run, and they just all talk back and forth, there is no document based scripting as of now.

    --
    Evan

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  20. Yes. StarOffice NOW. by wirefarm · · Score: 3, Insightful

    Sun should be shipping this puppy AOL-style - Glue it in the back of every computer magazine out there. Load up the Windows version and the Linux version on the CD and pump them out into the hands of the public. For now, even the latest betas - they seem rock solid - plus, I'm sure people wouldn't mind updating in a few months, if they need.
    Why exactly isn't this on the CDs of every distro, too? This should be there, as well as Mozilla.
    Those two programs probably make Linux more desktop-worthy than any others, at least for people coming from a Windows environment.
    If you're not really familiar with them, I wrote some pages on the subject - click my sig.
    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  21. Service Pack by carrier+lost · · Score: 3, Insightful
    How is it advantageous to Microsoft to get people to download free patches?

    I don't think it was planned. I think they rush to market on every release. I believe it to be the company's modus operandi - get it out the door, fix the problems in a Service Pack.

    Service Pack. There's an awesome piece of marketing. Microsoft calls 'patches' 'Service Packs' and averts contaminating the perception of The Product. A patch is something you apply to something that's broken. A 'Service Pack' is like getting something extra. Genius.

    It all seems so obvious. Microsoft wanted to offer complete connectivity between products. And they did. And they rushed it to market without realizing how all this inter-process functionality could be exploited. I'm sure it was the furthest thing from their minds - "Why would anyone want to use The Product to do anything bad? We're just trying to provide solutions. Why the hell are people using our 'Solutions' to cause problems?"

    Spoing!

    MjM

  22. Re:OpenOffice.org by Stephan+Schulz · · Score: 3, Insightful
    What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

    I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

    There are two aspects here. First, while you are right that other groups also have written buggy and insecure software, Microsoft's record is particularly abysmal. Most of the big holes in free software were found early on, at the time the internet just started booming and no one had experience with security. We may not yet be perfect, but we have been learning a lot.

    The second aspect is even more important. A monoculture is always more susceptible to attack than a diverse ecosystem. If we use more different tools, we will survive viruses and worms a lot better. Consider Code Red: If it hit a host with Apache, it did not use this host for further propagation. Not only did the server stay up, the spread of the virus also slowed down.

    So having many different (but preferably interoperable) software systems is inherently beneficial. And yes, this applies to BIND just as well as to Microsoft.

    --

    Stephan