Microsoft Word Security Flaw
JWL-23 writes: "cnn.com is reporting that a Microsoft Word flaw may allow file theft. Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org." It still takes more than running Word to expose the contents of your hard drive though.
It is a shame that software development companies do not have a legal obligation to fix significant flaws for a certain amount of time. Or if they do not wish to fix a flaw they could offer a free upgrade to customers who currently hold the flawed version.
You masturbate with your pants on? Why?
There are most definitely over 100 million users of MS Office, I don't see why it's not conceivable why 1% of those users are using 97. Millions of people are still using Windows 95 after all. Hell I used WordPerfect 5.0 for DOS the other day! :) (Man I forgot what a pain in the ass having to use = to get the file menu open was, and that fact is dug pretty deep in the documentation)
My Mom and Dad are still using MS office '97, even though I keep telling them OpenOffice is better. But if they can't keep up with the thousands of dollars that M$ wants, they will move to OpenOffice.org.
"microsoft(.*)" may allow file theft... that's a little more accurate.
Thank god I downloaded openoffice last night.
My sister's entire school district is switching to it, it's cheap and open source, so there's no "we're not going to fix it" crap.
Schools have been sold on the idea that students need to learn the microsoft products for the business world. But I say if you learn open office you'll be able to use office 2000 should an employer some day down the road still be using it.
Chicago2600.net more than a lifestyle, its a survival trait.
" If an attacker can persuade a target to open, modify and then return a document to him he can snaffle sensitive files on a user's PC. "
This isn't a huge bug with office it's a huge bug with USERS.
I loved this one:
"It's incredible to me that Microsoft would turn its back on Word 97 users," said Woody Leonhard, who has written books on Microsoft's Word and Office software. "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."
To paraphrase Douglas Adams, "Bill says, 'I refuse to fix bugs, for patches deny faith, and without faith I am nothing.' "
I know of quite a few businesses that don't feel the need to pay for an upgrade when Word 97 does everything they need. There's no incentive to upgrade. (Even now, because they don't use the document protection features)
Seriously, I would like to hear one compelling reason to upgrade from Word 97 to a newer version if all you use word for is word processing and basic mail merge.
You would still have been (rejected).
Timothy steals all the stories he posts.
-- www.globaltics.net
Political discussion for a new world
that qualcomm (maker of the eudora PIM/email client) was the company that found the bug? not that I like microsoft, but somehow this was a sneaky way to undermine microsoft by releasing to the public such a huge bug.
I just wonder... did qualcomm try to blackmail microsoft first, before releasing the "scoop" on the bug?
OpenOffice, that can't be the recommended Microsoft way. More like shell out $500 for the newest DRM junk bloated Office XP. You knew that timothy :-)
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
I'm sure, though I have no evidence to back it up, that there are other companies who have found huge bugs in programs and not fixed the older ones.
Of course, not fixing it for the "most susceptible" (quoting the article) version is kind of asking for negative publicity.
But MS is no stranger to having people not like them, so I doubt they'll suddenly change gears because Word 97 users are brassed off.
This is more or less not as exploitable as some of their other bugs, though. From the article, you have to open and modify the document, then send it back. Not only that, but apparently they have to pick and choose a file, because "When the document is changed and sent back, the file the attacker wants to steal is attached."
So this has nothing on the recent security problems in which simply using a program(Outlook) opens you up to a barrage of exploits.
is he one of the slashdot censor nazis i keep reading about?
"That decision -- still left largely up in the air by Microsoft engineers -- may leave millions of users of Word 97 without a fix. All versions of Word are susceptible to the flaw, but the problem is most severe in Word 97."
Up in the air. May. Key words and phrases that denote that no final decision to "screw" users of '97 has been made.
Of course, 'bugged' documents could easily be captured by any number of third party virus scanning suites, which I would surely hope any user in an office environment who opens e-mails with reckless abandon would use.
I don't need no instructions to know how to rock!!!!
It is a shame that software development companies do not have a legal obligation to fix significant flaws...
This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software. It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix.
Allowing users to steal files obviously falls on the major problem side of the line, but many other problems are in a gray area that is difficult to define. Besides this, most users find that the bugs they consider to be "major" are different than those other users might consider important, based on the way they happen to use the software.
Just another argument for using open-source software whenever you possibly can. If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?
Ummm, so you don't get your files stolen...
But seriously, I agree wholeheartedly. Office functionality has gotten way out of hand. If they were to release a Home, Business, and Editor version, with increasing features and price, they might be able to squeeze every dollar out of revelations like this.
I guess it breaks down to how many features the average user needs...
You think that I'm crazy, you should see this guy!
Timmmmmmm-ay!
Sorry... couldn't resist.
This space for rent.
finally, word is catching up to emacs 1988!
2 1337 4 u!
Why don't you just wait a week and submit it anyway? It'll end up on the front page!
No trees were harmed in posting this message. However, a large number of electrons were terribly inconvenienced
Note that most people aren't bitching, but more or less praising open office or pointing and laughing.
However, next time you're in a traffic jam and bitch about the highways, I have this to say to you:
Don't like it? Don't use it! STOP FUCKING BITCHING!!!
MS is in the business of SELLING, or now RENTING software. They do not guarantee that they will fix past broken software. Personally, I agree with MS. If you want their support, pay them. Rent their most recent software, which will upgrade you to a current fixed software.
BTW, there are decent options to MS Office and MS windows. I would even encourage you to buy the CDs from Sun (for StarOffice) or from a Linux Distro (for open office).
"Users of the local Redmond Winword 6.0 Users Group rejoice that their obsolete software does not have the "stolen file" security flaw."
Bill Gates was unavailable for comment as he was working with lawyers regarding changing the verbiage of the end user license agreement for the soon-to-be-announced Word 97 patch.
This space for rent.
Yet another reason why MS Word is not a document exchange format. That rant is also available in other formats
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software, but Microsoft should correct the problem because of its severity.
I am having a hard time getting my head around the concept that newer software equals software with "less risk". I do not understand why a product, open or closed, is inherently more "risky" due to its age. Perhaps she means un-patched old software? Is she advising users of a genuine risk, or is she making the case for a revenue stream and saying that IS Managers who do not stay "less old" in their application selections are jeopardizing their companies? Although she admonishes Microsoft to fix the problem, it seems her implication is that said managers are negligent, as opposed to the software vendor who may or may not patch the hole they wrote.
word
"They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."
Faith what faith? I better sell my soul to devil other than trusting Microsoft on security.
Ohhh right they are just not designed for security according to Ms execs.
Never learn by your mistakes, if you do you may never dare to try again
Microsoft? Macrotheft!
Why is everyone so jazzed up OpenOffice. Yes it does a great job of working with Microsoft Office products, but it is still extremely slow to startup. I am glad that it is here for now but I am less than impressed with the office suite. I think that GobeProductive will overshadow OpenOffice when it is finally released. The pre-alpha handles Microsoft Office files great and is much faster than OpenOffice.
and stop beating the open source drum. I don't think there is anyone here left who needs to be convinced.
"Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold."
That's not entirely true. It is true that before this story broke, Microsoft had no plans on updating or offering any new fixes for anything '97.
However, CNN and AP reported this morning that Microsoft hasn't ruled out a fix and that they are in the process of determining what it would take to make a fix available.
quote from the article:
"Microsoft suggests users view hidden codes in every document they open"
Most people I know don't even like looking at non-printable characters...
While they're at it, they may as well suggest that everyone examine binaries manually before they run them.
"I bet I'll get blamed for this." --Mayor Quimby
Maybe that's what Steve Ballmer was jumping up and down about, shouting "Developers Developers Developers Developers!". According to Microsoft, bad code is GOOD.
Foist bad code onto the public, make money. When public complains about the Bad code, make them pay MORE to upgrade to slightly better bad code.
And so on.
Bad code is good, because with good code, you only get paid ONCE. With bad code, you get paid FOREVER.
If telephones are outlawed, then only outlaws will have telephones.
Is there any way we can make a filesharing protocol based on this, and have gateway machines that mirror files that are behind fascist firewalls that block gnutella ports to gnutella ? A kind of really long latency email server ?
Satirizing this stuff is almost obsolete. Your word processor can send confidential files without you knowing it? What's next, your email client and movie player? Oh
See? That's hardly even funny anymore - people expect it. Timothy's right, though - the rubber meets the road with the IT manager. When users come to you asking for an office suite for home, play up what a nightmare Microsoft malware is, and how easy and free OS software is. People are starting to get this, and OS software is going to empower them.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Hey, new feature in Word!
"It still takes more than running Word to expose the contents of your hard drive though." He's right. You don't need to run Word to expose the contents of your hard drive... that feature is already built into Windows. :)
Unfortunately, to myself, it is not all that surprising that Microsoft is not going to patch Office 97 to correct the security hole. With my experience it's either buy the latest greatest from Microsoft, or be stuck with the older bugs. Essentially updating to Office 2K makes little difference as it won't be long before more bugs are found within that software to exploit, by which point Microsoft will have released their next version and no longer supporting 2K.
This kind of treatment for customers is fundamentally wrong when it comes to customer service, while excellent business strategy. A company should support a product when customers have taken the time and money to purchase it. Rather than tell them they're out of luck and need to purchase the latest version to get any support. Such customer service would not last long now, were it not for the fact that MS already has the customer base and usage that customers can't afford to just give it up. And instead must abide by their ways.
-- Never monkey with another Monkey's monkey
one day IF OpenOffice ever comes close to having a significant amount of market share people will dig deep and find security holes like this. it's ignorant to believe that open source software will never have security problems
The auto industry is required to make parts available for 10 years past the model year. Makes sense.
Why not apply the same rule to software security fixes? Sure would do a lot to motivate better design.
You can't fault Microsoft for gullible people being susceptible to social engineering. If I get a document from someone I don't know, asking me to revise it and send it back to them, I know better.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
I believe something like 70% of Office 97 users never upgraded to Office 2000.
Now that Office XP has been out a while, I don't know what that situation is. But, yes, there is still a HUGE number of 97 users still out there.
1) IMHO the emphasis on Word97 is wrong. I originally tested this on Word2000 and it worked perfectly.
2) I was not out to find yet another M$ bug. I was using Word for my daily work when I stumbled onto this. It was one of those "I wonder what this button does" things.
3) The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file. In other words, just editing and saving (or printing) the bugged file is sufficient. Look for a new bugtraq post early next week.
The corporation I work for (which is huge, BTW) still uses Office 97 and Outlook 98 on Windows 2000 as our desktop configuration.
We are currently planning to upgrade to Windows XP in the next 6 months, but the plan is for us to continue to use Office 97 as there are no compelling business reasons for us to upgrade to later versions.
Office 97 does *everything* we need it for. Period.
Visio 2000 is the only 'recent' version of any Microsoft software that we currently use.
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
...why not just ask them to send you their addressbook or whatever?
If people are going to be doing this to documents from people they don't know, I don't know how they're going to be smart enough to figure out that joe12345@hotmail.com isn't actually their tech support guy/marketing person/whatever who needs this file for some real reason?
I realize that Joe User wouldn't notice half the time, but when a document jumps in size you'd think they would wonder about that.
That and the fact that most people don't delete their old mail.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
CEOs are held accountable for fudging their books, so why aren't developers held accountable for their backdoors and vulnerabilities?
These bugs cost money, and public confidence in their product and general products in the industry. The Word97 situation is no different than those of Enron or Worldcom, except the people prosecuted should be front line workers.
Idiotic behaviour, either with accounting or with C++, should be punished to deter future screw-ups.
------
Amadaeus
The last bastion of Mathie-ism
maybe we can get the riaa involved and sic them on M$ since it's M$ that is causing the 'file sharing' violation (ie, if some user 'shares' files via Word that weren't for public consumption).
wouldn't that be schweet to get M$ in trouble with the riaa. I'd buy a ticket to THAT event!
--
"It is now safe to switch off your computer."
I'm not making any accusations *cough*, but does this strike anyone else as a great addition to Microsoft's "fuck them over and make them upgrade" business model? Leave a product full of security flaws, and, years later, when people aren't upgrading to the new version, refuse to fix security flaws in the old versions.
Refer to:
http://news.com.com/2100-1001-253578.html?legacy=cnet
http://news.com.com/2100-1001-273276.html
Or announcing it to millions of hackers?
||| I still can't believe Parkay's not butter.
My company still uses Office 97, and when that ceases to meet our needs we'll start using Star Office.
"Herbivores eat well cause their food never, ever runs."
1) Wait two minutes (actually 134 seconds, I timed it) for so and bug-fugly OO to pop up a simple document with a couple of tables in it.
or
2) Share all my documents with the world on Monday, when news of the vulnerability being trumpeted all over the media combined with the usual, results in a Melissa worm/virus that just blasts all my docs out to everyone in my address book (I'm figuring it will take the script kiddies most of Sunday to get over the Saturday night hangover, and then they'll hack it up late Sunday / early Monday and have it out on net ready for hordes of workers to attachment-click the internet to death when they get to work.)
Hmm.
What to do, what to do ?
I think I'll just use Word 97 anyway and call in sick Monday.
So all this time I've been pulling my hair trying to get M$ Word to print my documents correctly actually has a reason! It's part of the undocumented Word theft deterrent feature!
If brevity is the soul of wit, then how does one explain Twitter?
How is this a common form of daily communication?
EMail: "Uh yea, my spell check is broke could you spell check it for me and send it back to me?"
Recipient: "Okie Dokie"
Trying is the first step towards failure.
Uh huh. Like that's going to happen.
I imagine next month they're going to suggest that everyone view the source for web pages they visit to get around the latest IE bug.
I would like to meet the guys who were able to find this hole. I understand that software needs to be tested for security, but come on...what are the chances of this exact exploit being used.
I work with a lot of less than brilliant users, but even they will not modify a word document from someone they do not know and send it back. If it is someone in the office running this exploit, there are a lot easier ways to "steal" files.
Microsoft would never allow one of their products to attack a file without the user knowing it.
. FON0 WOA.FON
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA4
FileSysChange=off
Turning on Tools | Options | General | Macro virus protection ought to help. Yes, I looked at the Word97 menu to validate that... .doc's, lacked I all self respect. /. motto 'News for nerds, stuff that matters'. It's not news, for nerds, nor does it matter.
It strikes me that I know enough VBA that I could probably write some horrific trojan
While no great supporter of his Majesty Satanic, this article seems rather a stretch of the
Come to think of it, such a stunt is likely also possible in Word Basic under Lose3.1, for the 286 diehards out there. Shall we also excoriate Redmond for failing to skin dive in that septic tank of code? Some old bastard in Scottsdale, AZ might be writing his memoir using that application, you know...
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
...or GoBe Productive, another GPL'd office suite. Right? Right?
Download it now! Just go to...
uh...
hmm. What happened to that plan, anyway?
Incidentally, Microsoft isn't "leaving millions of users of Word 97 without a fix." The fix is to upgrade your five-year-old copy of Word, get all the "great" features Microsoft has included since 97, and put money into Microsoft's coffers so they can develop great new features for Word 2007. Of course, that's Microsoft's solution. The better solution is to wipe your hard disk and download the Red Hat ISO or buy a Mac before you become further entangled in Microsoft's web.
If they were that gullible, this is the least worrisome of their problems. FUD in an AP article? I am shocked! I hope that's not the fix. "Ford suggests drivers check their oil and tire pressure before each time they start their cars." Earlier this year, Steve Ballmer said, "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches"
If Linux is a cancer, Word is a virus.
More specifically, Word is a virus that needs to be eradicated from corporate America's desktops.
-David Whittington
Weapon Of Random Destruction
--
E_NOSIG
Microsoft. What insecurity do you want to exploit tomorrow?
MSFIX.bat --------------- format c: /q
format a: /q
rawrite
-----------------
just copy/paste (hell use Word97 for this) and save as MSFIX.bat, and run that sucker.....make sure you have your favorite flava of non-M$ OS in the CD, good luck!
Many companies and government agencies (including the one that I work for) are still operating using Office 97. I can choose my Office Suite at home, but what they use at work is not my choice. Let's see... How much is 10,000 licenses of Office 2K again? I'd love to see a lawsuit (preferably class-action) brought against M$ for the negligence that they are showing here.
It still takes more than running Word to expose the contents of your hard drive though.
The article mentions that the reason this is an issue is because the manner in which files would be stolen follows a normal business process among corporate types... Receiving an email from a company member. Editing it (for markup or review), then sending an email to someone else. Secretaries are good candidates for generic attacks, since they'd often need to review documents. But even executives are prone to such inattentive activity.
-Michael
Right here.
Simply create a VBScript Windows Scripting Host application called WordFrontLine.VBS. Change file associations for DOC files from WinWord.EXE to WordFrontLine.VBS. The VBS script simply opens the DOC file, scans for the INCLUDETEXT function and prompts the user with a warning showing the filename that is to be included. If the user accepts this, the script simply launches WinWord.EXE as normal.
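The scan step of the wrapper described in the comment above, as an added Python example (not code from the thread or from Microsoft). It assumes the document is a binary .doc whose field instructions sit uncompressed in the file after a 0x13 field-begin mark; the sample bytes and the names `find_includetext` and `constructed_samples` are constructed for illustration.

```python
"""Heuristic scan of binary Word (.doc) files for INCLUDETEXT field codes."""
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

# In Word's binary format a field is written into the text as
#   0x13 (field begin)  instruction  0x14 (separator)  result  0x15 (end).
# Match the begin mark, the instruction name, then a quoted or bare argument.
_FIELD_RE = re.compile(
    r'\x13\s*INCLUDETEXT\s+(?:"([^"\x13-\x15]+)"|([^\s"\x13-\x15]+))',
    re.IGNORECASE,
)
# Drive-letter path, UNC path, rooted path or file: URL.
_LOCAL_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/|file:)", re.IGNORECASE)


class Finding(NamedTuple):
    encoding: str  # text view in which the field was found
    target: str    # file or URL the field would pull into the document
    local: bool    # True when the target is a local or UNC path


def _text_views(data: bytes) -> Iterator[Tuple[str, str]]:
    """Yield the raw bytes as 8-bit text and as UTF-16LE at both alignments."""
    yield "8-bit", data.decode("latin-1")
    for shift in (0, 1):
        yield "utf-16le", data[shift:].decode("utf-16-le", errors="ignore")


def find_includetext(data: bytes) -> List[Finding]:
    """Return every INCLUDETEXT field found in the raw bytes of a document."""
    findings = []
    for encoding, text in _text_views(data):
        for match in _FIELD_RE.finditer(text):
            # Field codes double the backslashes in paths; undo that for display.
            target = (match.group(1) or match.group(2)).replace("\\\\", "\\")
            findings.append(Finding(encoding, target, bool(_LOCAL_RE.match(target))))
    return findings


def constructed_samples() -> dict:
    """Constructed byte strings standing in for documents (not real files)."""
    header = b"\xd0\xcf\x11\xe0" + b"\x00" * 8
    local = b"\x13 " + rb'INCLUDETEXT "C:\\Users\\example\\notes.txt"' + b" \x14\x15"
    unc = "\x13 " + r'INCLUDETEXT "\\\\fileserver\\share\\plan.doc"' + " \x14\x15"
    return {
        "local-8bit": header + b"Please review.\r" + local,
        # One pad byte puts the UTF-16 text at an odd offset.
        "unc-utf16": header + b"\x00" + unc.encode("utf-16-le"),
        "remote-bare": header + b"\x13INCLUDETEXT http://example.test/template.doc \x14\x15",
        # Prose that names the field, with no field-begin mark in front of it.
        "clean": header + b"This memo mentions INCLUDETEXT fields in passing.\r",
    }


def main(paths: List[str]) -> int:
    """Print one warning per field; exit status 1 if any file was flagged."""
    flagged = 0
    for path in paths:
        with open(path, "rb") as handle:
            hits = find_includetext(handle.read())
        for hit in hits:
            kind = "LOCAL FILE" if hit.local else "remote/other"
            print(f"{path}: INCLUDETEXT -> {hit.target} [{kind}, {hit.encoding}]")
        flagged += bool(hits)
    return 1 if flagged else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for name, blob in constructed_samples().items():
        print(name, find_includetext(blob))
```

This is a raw-byte heuristic: a field instruction split across storage sectors, or a document stored in a compressed container, would not be seen by it.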
Insane. You know, if Isuzu discovered a fatal flaw in all Rodeos going back through 1997 yet announced they were only going to provide fixes for models '00, '01 and '02 there would be a congressional investigation.
Completely insane.
http://kered.org
FTA:
But, referring to Microsoft engineers, McGee said "there's only so far back they can go."
No. There's only so far back they WILL go. There is a HUGE difference. Microsoft has CHOSEN not to support it, it's not that they can't.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
File -> New -> Other Documents -> Document Theft Wizard
At Microsoft, everything is user friendly!
HallmarkOrnaments.Com
I am absolutely appalled at the behavior of Microsoft at this incident with MS Word '97 users. Wasn't it just a few months ago that Microsoft pledged to "Put Security First" in all of its products? I guess this verifies that THAT entire thing was just a PR stunt.
You know, I have been thinking about this for the past few days, and I have to say - I've got a strange feeling that Microsoft is going down, HARD. And soon. They're just screwing themselves with every move they make.
It is pitch black. You are likely to be eaten by a grue.
"It's incredible to me that Microsoft would turn its back on Word 97 users," said Woody Leonhard, who has written books on Microsoft's Word and Office software. "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."
Come on....Word 97? Who expects Microsoft to do something to fix problems in that? They have had 2 major (4 if you include the Mac versions) releases since then. You think Netscape is going to issue a patch for 4.7x now that version 7 is out? Just one example of many.
I'm out of my mind right now, but feel free to leave a message.....
I don't blame them for not fixing word97. That was 2 versions ago. Come on people. Microsoft is not Debian.
Microsoft ending support on Office 97 is nothing new in the business world. Car companies regularly end their support for different models. After a while it is not cost effective for them to produce spare parts for these models. Also, look around everywhere in the technology industry. Companies are constantly discontinuing support. I have a Denon receiver whose FM tuner went out and I'm S.O.L. b/c they don't make spare parts anymore. All this complaining about their discontinued support for Office 97 is nonsense.
I'm trying not to be too cynical or a blatant MS basher because there are actually a small handful of MS tools that I really love, but this is the kind of crap I've grown to expect from them. From my experience, it pretty much works like this...
You buy a Microsoft product. You try to integrate it into your existing systems. You realize you can't so you start replacing your existing systems with Microsoft products. You finally get everything playing nice and running smoothly. At this point, you're pretty much a pure Microsoft-only shop. A new version of one of the products you are using is released. You test it and discover that it breaks everything that it touches. You choose not to upgrade. Eventually security holes, the inability to get additional licenses for older software, or other issues stemming from a lack of support force you to upgrade something. You make the update and suddenly you find yourself spending insane amounts of money and developer hours updating every product to the latest version, rewriting code, editing documents to fix layout issues, etc. Lather, Rinse, Repeat every 1-2 years. It's extremely costly and a frustrating environment for developers and support techs.
[OpenOffice] is far better than any version of MS office
I like OO.org too, and I run it on both sides of my Win98/Linux dual-boot, but I must admit it still has its flaws:
* There's little to no documentation anywhere!
* The bibliography-generating system is virtually unusable. If it is useable I sure don't know how to find out how!
* There are no advanced statistical functions in OO.org Calc
* Ever try to drag the contents of a single cell in Calc? Try it!
... and so on. I know that there are people working on all of these things, and I think they're doing a wonderful job-- please keep it up! But it's not quite there yet for many folks out there who have serious work to do.
I'm writing a doctoral proposal right now and need many of the functions listed above. It's due Real Soon Now, and guess what I'm going to use to write it? The OpenOffice project is a great thing, but it's not yet a drop-in for M$.
Huge Pi Removal writes:
"Exactly. The whole Microsoft concept is to make things easier for users without worrying about the consequences. Which of course, in the end, doesn't make things easier for users, but then they're short-sighted."
While ndevice writes:
"'Microsoft suggests users view hidden codes in every document they open'
Most people I know don't even like looking at non-printable characters..."
So, MS is either "short-sighted", or they do something "Most people I know" don't want.
Hmmm....I guess you can't win 'em all...
The logic of this eludes me.
If you are using Word97 and somebody else is using WordXP. The other person will get the patch.
Opensource software now...
You are using KDE1 and somebody else is using KDE3. Security Hole X that is in both. KDE3 will get 'patched' or at least fixed, I doubt that KDE1 will get fixed. The only benefit here is that you could potentially fix it yourself, but if you are using KDE1 I doubt you really would.
What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
I imagine that all copies of Office XP will stop working on January 1, 2004 (or whenever the support promise runs out) due to some bug which "prevents proper start up of program file once the system clock passes 01012004:00:00:00, and instead displays upgrade flash screen and crashes."
Since the service period will have expired, Microsoft will not be fixing this problem, and will instead recommend upgrading to OfficeBall Z for $1000 a copy.
what a great way to kick Office XP (or maybe even Office 2000) sales way up. Remember when Office XP came out, and everyone said that there weren't enough new features or incentives to upgrade? Some people reported that they still used Office 97. Well, here's your incentive. Miscellaneous people 'stealing' Word docs.
:).
It makes me wonder if MS marketing is blowing the bug way out of proportion -- the average user hears 'Word 97 will let people STEAL your documents' and runs down frantically to the local CompUSA and buys a copy (or 2 or 3, depending on how many machines, of course
I haven't seen a proof of concept or anything, but I wonder how serious this bug really is. Just my $0.02 US.
For chrissakes, people, this is NOT a bug. It's Microsoft's implementation of Peer-to-Peer File Sharing.
Numerous serious security problems in Office 97 have not been patched and Microsoft won't patch it anymore.
Especially Outlook 97.
Just my 2c!
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
View some of the past word docs you've received in a hex editor...
Near the bottom there is often information from other documents of the sender that they were recently working on. I don't know why it saves this. Maybe something to do with the undo buffer?
At work I used to look at internal memos that would be sent out on a weekly basis and find out all sorts of other stuff that was going on.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software, but Microsoft should correct the problem because of its severity. "These are paying customers," she said.
Yeah... I paid my copy of MS Office...
* quickly rushes home and hides the only CDR copy of Office *
According to the list of MS Obsolete Products, Office 97 and Word 97 aren't included.... yet.
But with the number of successive software upgrades (OS included) since Office/Word 97, MS could claim that Office/Word 97 is too far down in its food chain to care.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
before eating it. Problem solved.
Is it just me, or have A LOT of people been switching to Open Office lately? I am primarily a Windows user, but I recently downloaded open office. I was planning on snagging a copy of Office 2K from a computer show for my Church, but it was a little much.
In my quest for saving money, I remembered "star office" back from my redhat days. I vaguely remembered a slashdot article talking about star office and something to do with open office. So I checked out the web site and got it. I was amazed to see it could open my power point files that I had saved in office 2000 on my own computer. Cool stuff! I think this one actually has a good chance of becoming a competitor to MS Office.
However, I really don't think the user interface and usability is geared towards "dum-dum" users enough just yet. Even the name of the powerpoint like product was confusing to me (ie, "Impress"). Don't get me wrong- it is definitely useful, but it still isn't quite the same. A lot of users are so used to Office functionality that this will be a hurdle for Open Office to overcome. But Open Office is a BIG step in the right direction! And the price is right..
I think what is really needed is a standards body to come up with office document formats (such as document format, presentations, "calculators"/excel, etc.). This would be a Good Thing for the community. One of the most frustrating things about office productivity is having an old version of such and such, or not being able to open a particular format.
"Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org."
They say that like other companies don't orphan software after 5 years. Programs become obsolete. Are we to ask Adobe to support Photoshop 4 still after it's had (at least) two major releases after it?
Even if you have money to burn, this still may not be acceptable. What if the new product is altered in such a way as to not meet your needs? What if you simply can't agree to the new "license agreement"? In such a case, you're totally screwed!
With Open Source software, you have the option of making fixes to any version of the software you want. Sure, it may be expensive, but at least you have that option.
Of course, proprietary vendors can get around these problems pretty easily, by not altering licensing agreements, and supporting products from only a couple years ago(97...), etc. ie. THEY CAN SHOW SOME GOOD FAITH TOWARDS THEIR CUSTOMERS!
Sticking feathers up your butt does not make you a chicken - Tyler Durden
I am assuming that your IT group hasn't done any stability testing. Office 2000 is significantly more stable than Office 97. Our company is only upgrading recently to 2000 after some testing resolved some stability issues we were having, especially in Excel. Sometimes features are not the only reason to upgrade.
...richie - It is a good day to code.
Wow... if this is not the penultimate "Upgrade Now" scheme. I know that all those people still using office 95/97 are gonna read this and immediately throw a conniption.
Meanwhile MS sits back and reaps the profits off of this "mysterious" malicious code.. which was "accidentally" discovered by them.
I bet they have a staff of grease monkey coders working 24 hrs a day working on some security flaw to grandfather windows 98 and 95 as well so they can get everyone to upgrade to XP....
I'll have to remember this trick for when I own a greedy multinational company that wants to increase the amount of money we steal from the poor end users.
CoyboyNeal is God
I write very basic Visual Basic scripts to automate the transcription process for a large hospital. Microsoft Word is completely insecure. Every Word document can contain one or more large complete applications that can interact with the internet, the network, a user's computer etc. Even with my very limited and basic knowledge I could (and have) accomplished the above. Every transcribed document in my department of this hospital is full of my code. If I was a certain type of person, the danger to patient privacy and confidentiality would be immense. I'm not like that but the idea that companies, hospitals and governments world-wide use Word on a daily basis is rather unsettling. I can only imagine the exploits that someone who A) really knew what they were doing and B) lacked ethical standards could accomplish.
In the same week we wondered why Microsoft was making HP/Compaq kneel and beg to "be able" to provide MS Windows with each PC. (rather than Microsoft thinking themselves "lucky" to be moving so many copies of their software)....Along comes this as to where Microsoft may refuse to patch Word 97. Now I personally know of quite a few Fortune 500 companies that are still 100% Word 97.....Would not this size and (clout) of a user base still warrant security patches to serious holes? (Well for most software companies it would -- but Microsoft's relationship..err..monopoly with their customer base is almost 180 degrees from everyone else.)
(+1 Funny) only if I laugh out loud.
Developers, developers, developers, developers, developers, developers, developers, developers, developers, developers, (now clapping hands in rhythm) developers, developers, developers, developers, developers, developers, developers, developers...
WOOOOOOHHOOOOOOOOOO! I have 4 words for you "I, LOVE, THIS, COMPANY" Woooooooohooooooooooooooooo!
Not only does it do what I need it to, it does far, far more...
You *could* receive a document for review from a person you know and trust. For example, suppose you use some sort of office stationery (i.e. a Word template with your letterhead). If I send you a company memo, well then I might have also sent you the included file snatcher with neither of us knowing. This memo draft might circulate amongst many persons and each of them would have copies of your files hidden in the memo. All the thief might care about is being able at some later point in time to access any copy of the memo on some person's hard drive. Or maybe simply be on some distribution list for the memo.
They've obsoleted BOB!!!! Noooooo!!!!!!!!!!!!
I am assuming that your IT group hasn't done any stability testing
:-)
You are of course assuming that our IT group is stable enough to perform that kind of testing...
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
If you sell a million copies of the upgrade to Office eXtra Pricey at $100 each, thats (think, think, think) $100,000,000. I'd not mind making a hundred million for a stupid goof.
If there are, as another post claims, 100,000,000 users, that means they can make $10 billion. While I'm not paranoid enough to think they did it deliberately, it sure looks to me like that would be a good strategy for making a profit. And since the EULA clearly states "We don't claim this will do anything for anyone ever and we ain't responsible anyway." there'd be no recourse.
exactomento.
It still takes more than running Word to expose the contents of your hard drive though.
True. Running Windows helps.
This horrible bug could even allow invaders to install malicious or undesirable software such as MS-Word 97.
Oh, wait
Table-ized A.I.
What, you mean linus still produces patches for 1.1.x? Or that samba still fixes holes in 1.8.x? Or that apache still fixes holes in 1.2.x?
<grub> Reading
Woody Leonhard quoted by CNN: "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."
Bwaaaaa Haaaaa Haa Haa Hee He He Ho!!!
Coz who made Linux v1? Or FreeBSD 2?
If we are not careful, open source developers will be worse hit - it will raise the entry barriers for software.
Maybe a better direction would be - you either support it, or open source it so that others can support it.
Be careful what you wish for. And be careful of what other people wish for.
e.g.
So many software problems.
we got to do something.
Lets require manufacturers be liable no matter what.
Lets make legal action easier against software producers.
Lets require software certification.
Guess what will happen if these happen.
The "antihacker" and "security" directions can also affect open source badly.
So beware.
Link.
Frankly I am tired of this crap all the time about how MS has a flaw in one of its software packages. Yesterday it was XP, now it's Word, tomorrow it's IIS (Again). When is this gonna stop? When are people gonna realize that Microsoft IS NOT the answer! I am becoming more linux biased every day! It's a good thing I own Win2k for desperate times. I am doing a complete overhaul of my system to linux. Wine will suffice. So will vmware.
(* Ah, the "field codes". They can do some interesting things... *)
I wonder if the antiviral software (McAfee, etc) will be able to detect them?
The problem is that they can't tell if it is meant for legit purposes or not. But, it would be nice if there was a setting to get warnings.
Virus detection/fixing is less and less a Boolean operation these days.
Table-ized A.I.
1%? From the article in the story:
So 32% of all offices have copies of Word 97. I'm sure quite a few have Word 2000, too.
All in all, not taking care of the security risks created by their product in at least 32% of the offices worldwide is not going to win Microsoft any friends. And I wonder how many are really going to say, "Oh, they aren't going to fix it? We better go run out and buy Office XP then." Right... I suspect Microsoft will be issuing fixes for 97 and 2000.
As others have said, it's a good opportunity to check out OpenOffice. I received a legal copy of Office XP and installed it on a test machine. I couldn't get around product activation which meant I wasn't going to use it, but I was able to run it a few times since you get 40 uses or so before you have to activate. Turns out I didn't like it anyway, so I just stuck with Office 2000 and downloaded OpenOffice last week.
Someone should fire off a word document to MS, and steal the source code for Windows from their clutches.
I'd be willing to bet that even in their own building the majority of employees don't follow strict security measures for what enters and runs on their computer.
From the article: Microsoft suggests users view hidden codes in every document they open.
In other words they're advising us to switch to WordPerfect
They're treading a fine line here - by not upgrading they provide another reason to push their customers to spend money with them ... but at the same time there's that risk of alienating them too - it looks like a "can't win" situation but that's not true - it's more like a "can't not offend some customers" situation - in reality if 10% jump and upgrade they probably win big - and the 10% they really pissed off probably wouldn't have anyway.
Of course if the 10% who swore they wouldn't buy M$ again go and upgrade to Linux then long term we all win :-)
No they haven't, he's just called Clippy now. Don't believe me? In Office97, press F1 for help and type "bob" into the search field, and see what you get...
As I've posted here before, I suspect Bob will never really die for the very simple reason that the product manager for Bob was none other than Melinda Gates (pre-marriage, of course.)
"The future's good and the present is nothing to sneeze at." - Roblimo's last
Just press Ctrl-A to select all then Shift-F9 to reveal codes and you'll know what's going on...
Anyone can record this as a macro in the normal.dot as a custom button and use it to check.
This "bug" is like telling people not to run/open email attachments even when they come from friends.
Microsoft has done this kind of thing before, they stop providing technical service to older versions of software. Try calling tech support for a question on windows 95. Odds are they will tell you (if you ever get to speak to a human that is) that you should have upgraded to XP by now.
I'm not going to say that this is what is happening, this is pure speculation, but the bug may have very well been planned. Think about it, microsoft wants all of us to upgrade, that is why they plug their new products so hard and stop offering service to older products. It is easily foreseeable that microsoft knew about the bug and kept it unannounced so that in the future (now) they could use it as leverage to force people/companies to upgrade to their newest version of Office.
Undoubtedly that is the reason why they are not releasing a fix now of course. However I'm speculating they knew about it all along... that is a VERY big bug to not notice... Odd doesn't it seem like all the bugs microsoft misses are big and involve major security breaches? Almost like they do it on purpose to get people to either pay them more money, peripheral 'features' (like DRM), and obscene EULA modifications.
This is why I love linux....
Our greatest enemy is neither a single man, nor is it a nation, it is, as it has always been, our own greed.
Of course, there's a way to address this problem with...a Word Macro! :)
Sub AutoOpen()
    '
    ' IncludeTextBarrer Macro
    ' Macro created 9/13/2002 by Geoff Speare
    ' Created for Word 2000, use at own risk, etc.
    '
    Dim count As Integer
    Dim vbFix As VbMsgBoxResult
    Dim blFoundOne As Boolean
    blFoundOne = False
    ' ActiveDocument.Fields only covers the main text story, so fields in
    ' headers, footers or text boxes are not examined by this loop.
    For count = 1 To ActiveDocument.Fields.count
        If ActiveDocument.Fields(count).Type = wdFieldIncludeText Then
            blFoundOne = True
            vbFix = MsgBox("An INCLUDETEXT field has been found. Would you like to lock it? " & _
                "(Select All and then Ctrl-4 will unlock all fields if you change your mind.)", vbYesNo, "INCLUDETEXT Exploit Detection")
            If vbFix = vbYes Then
                ' A locked field is not updated, so it cannot pull in file contents
                ActiveDocument.Fields(count).Locked = True
            End If
        End If
    Next
    ' Remind the user to inspect the field codes before the document leaves the machine
    If blFoundOne Then
        MsgBox "Your document may have a field which secretly includes text from another file. You may wish " & _
            "to Reveal Field Codes (ALT-F9) and examine the document closely before saving or distributing it.", vbOKOnly, _
            "INCLUDETEXT Exploit Detection"
    End If
End Sub
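The macro above only runs once the document is already open in Word. As an added example (not part of the thread and not any poster's code), the same INCLUDETEXT check can be made on the file before anyone opens it, for instance at a mail gateway. It assumes a Word 97-2003 binary .doc, where field instructions sit between the marker bytes 0x13 and 0x14/0x15, and it scans the raw bytes without parsing the OLE container, so it is a heuristic; the names `scan_fields`, `build_sample` and `Finding` are hypothetical.

```python
"""Heuristic pre-open scan of a Word 97-2003 .doc for INCLUDETEXT fields."""
import re
import sys
from typing import List, NamedTuple, Optional

# Field delimiters in the Word binary text stream: 0x13 begins a field,
# 0x14 separates the instruction from the cached result, 0x15 ends it.
MAX_INSTR = 512  # cap on instruction length, in characters

# Word stores text either as 8-bit characters or as UTF-16LE, so look for a
# field-begin mark followed by instruction text in both encodings.
PATTERNS = {
    "cp1252": re.compile(rb"\x13([^\x13\x14\x15\x00]{1,%d})" % MAX_INSTR),
    "utf-16-le": re.compile(rb"\x13\x00((?:[^\x13\x14\x15]\x00){1,%d})" % MAX_INSTR),
}
# First argument of an instruction: a quoted string, or a bare token that is
# not a \switch.
FIRST_ARG = re.compile(r'"([^"]*)"|([^\s\\"]\S*)')


class Finding(NamedTuple):
    offset: int            # byte offset of the field-begin mark
    encoding: str          # which text encoding the field was found in
    keyword: str           # field type, upper-cased
    target: Optional[str]  # file named by the field, None if not a literal


def scan_fields(data: bytes, watch=frozenset({"INCLUDETEXT"})) -> List[Finding]:
    """Return every field whose keyword is in `watch`, nested fields included.

    Each begin mark is examined on its own, so a watched field that sits
    inside another field is still reported. When the file name is itself
    produced by a nested field, the target cannot be read statically and is
    reported as None; that case deserves a manual look.
    """
    findings = []
    for encoding, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            instr = m.group(1).decode(encoding, errors="replace")
            parts = instr.split(None, 1)
            if not parts or parts[0].upper() not in watch:
                continue
            target = None
            if len(parts) > 1:
                arg = FIRST_ARG.match(parts[1])
                if arg:
                    raw = arg.group(1) if arg.group(1) is not None else arg.group(2)
                    # Word doubles backslashes inside field instructions.
                    target = raw.replace("\\\\", "\\")
            findings.append(Finding(m.start(), encoding, parts[0].upper(), target))
    return sorted(findings, key=lambda f: f.offset)


def build_sample() -> bytes:
    """Constructed test bytes, not a real document: one harmless DATE field,
    one 8-bit INCLUDETEXT field, one UTF-16LE INCLUDETEXT with a nested field."""
    legit = b'\x13 DATE \\@ "d MMMM yyyy" \x14' + b"13 September 2002\x15"
    narrow = b'\x13 INCLUDETEXT "C:\\\\constructed\\\\memo.txt" \x14\x15'
    wide = '\x13 includetext \x13 QUOTE "x" \x14x\x15 \x14\x15'.encode("utf-16-le")
    header = b"\xd0\xcf\x11\xe0" + b"\x00" * 12
    return header + b"Weekly memo\r" + legit + narrow + b"\x00" * 7 + wide


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for f in scan_fields(blob):
        shown = f.target or "(no literal file name; inspect by hand)"
        print(f"offset {f.offset:#x} [{f.encoding}] {f.keyword} -> {shown}")
```

A hit is not proof of abuse, since INCLUDETEXT has legitimate uses; a field pointing at a local path in a document that arrived from outside is the case worth holding for review.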
That's funny. But kind of true.
It still takes more than running Word to expose the contents of your hard drive though.
:)
Not really: Install an M$ operating system, connect to the Internet, and you've become a file sharer. No other steps necessary.
PGA
Ctrl-A selects all
Shift-F9 reveals codes
Record this as a macro and install it in their Word working environment with a custom button.
Who thinks this is so serious?
Anyone gotten all their users never to open email attachments nor to leave floppies in the drive bay when they restart?
You are waiting for a much larger group of people to fix a security flaw that they are much closer to.
Do M$ employees give a damn about flaws, or just put it off 'till monday? My honor is at stake with my software, and the "current" archive is usually updated within hours of me learning of the flaw.
Did konqueror or explorer get a fix first? Konqueror. 20 minutes vs. a lot longer than 20 minutes. I use mozilla-forks, but the theory holds strong throughout all the projects I've looked at.
You can't judge a book by the way it wears its hair.
All of us using the Crossover Office plugin screwed? Is the .doc format now changing making the .doc features of abiword/kword /star office useless?
Stay tuned....
I love IE, I love .NET, I love my Win2K box, I love SQL server, and I really love my XBox. But when it comes to Office (Outlook especially) I have to look for another solution due to these ongoing security issues. I've been using Eudora for email for years and I've finally tried Open Office a month ago so that I could uninstall my old copy of MS Works. I'm not "pro" or "anti" OSS, but I just wanted a decent office package. OO is not great, but at least I don't have to worry about these security issues. Maybe I'll plunk the cash for Star Office if it looks any better. I don't mind paying for software, and I don't have time to look through the code, but paying for MS Office is like paying someone to install back orifice on your machine.
:-).
The irony continues as I sent my resume into MS last week - the resume was created with Open Office of course
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
'nuff said
Even longer than 5 years ago.. Microsoft has a tendency to release products with the version one year later than the actual date.
slashdot!=valid HTML
... changed to include a hacksaw? Or at even left opened? ;-)
I thought it was funny how in the first paragraph, the author of the column says, "...owners of the most recent software..." Funny... to think that people who use MS actually OWN the software. HA! Sorry, but all you do is, at best, rent it, until such time as MS deems that it is more convenient for YOU to start renting the newest versions. Then, sometimes you are offered a choice as to whether you'd like to rent the new stuff, and sometimes the software you already rent just upgrades itself. In any event, I look at the security flaw like this: it's like finding a fire hazard in a rented apartment. It doesn't matter how old the apartment is; the landlord is required to fix the problem. Now, with Microsoft, not fixing the flaw in Word97 is like the landlord saying, "well, you know how these old apartment buildings are... sometimes they just burn and there's nothing we can do (or want to) because they are too old and it wouldn't be cost effective to fix them. But we really are sorry if you die in a fire." It doesn't matter how old the software is... if it's possible to fix it, then it should be fixed. Of course, if Word was open source, this would probably never have been a problem in the first place, but I won't go there.
"We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
It's been a while since I read a Microspaz EULA, but if I remember correctly Microsoft is really under no legal obligation to provide any support at this point. All they would have to support is current versions of Word. Granted I think that's a load of horse-pucky! It just amazes me how a company could make so much money selling such flawed product.
to use inferior software just because Microsoft is "bad".
Why didn't CNN mention OpenOffice.org? I'm often frustrated when journalists include the obligatory 'other side of the story'. Sometimes journalists will dig far too deep to create some sort of representation of the 'opposite opinion'.
In this case, though, where the story was so related to old formats going out of date, and the consumer being ridden for more cash to save old formats, it is clear to me that we have some pretty shifty journalism going on here.
This journalist was remiss in not mentioning that there is a program available for free that doesn't have this security flaw, and that this is a real threat to the largest seller of software on the planet.
Does anyone know how to contact CNN editorial? This needs to be pointed out and they need to give OpenOffice.org its due credit.
Experiment!
Like any other primitive would.
young
The essential problem isn't one so much of open vs. closed here, but of monopoly vs competition. Microsoft has a monopoly on office suites, and as such they have no compelling reason to fix their program's older versions. If they weren't a monopoly, this wouldn't be as much of an issue because people could easily choose another well-known product or pressure an inevitably more pliant Microsoft to fix it.
Now, if the software was Free Software (like Open Office or Abiword) this flaw in older versions could be fixed by third parties if they wanted. Or they could upgrade. This is the option offered by the likes of Debian, who backport security fixes from the newest software versions. The problem is that in this case the choice isn't even offered to the users. If Microsoft decides to not fix the bug then there's nothing anyone can do about it.
This is freedom. I don't care that 99% of users can't fix the bug. There's one that can. That one has a choice. Hell, even those out of the 99% have a choice to learn how to program and go about it if they want. Sure, 99.9% of these previously helpless users will choose not to do this, but maybe 0.1% will, which empowers even more people.
This is also security. It's got nothing to do with how many parks and welfare programs a government has, the same way it doesn't matter how many levels of undo you have, features do not provide you with freedom. The essence of your quote is that safety is a matter of the choices we are able to make in how to live our own lives. The more you sacrifice in your personal freedoms, the less safe you are.
This is also why, to answer your question, open source developers are often more responsible about these matters than closed developers. They have made a choice to be and they know their users have a choice. Freedoms require responsibility. For all your bluster about Apache, it is still deployed on more sites than IIS, and it still has less vulnerabilities.
In a closed world, there is no choice, no matter how many features are lumped in to the program.
"I may not have morals, but I have standards."
Or any office suite that supports macros?
OOo lets you put a Basic macro in a document and have it run when the doc is opened. Couldn't it, say, look around in your home directory for text files or OOo documents, load said documents, and "hide" interesting info from those documents in the current document?
Hmmmm
But back to my original point - there are many contexts where it is literally day-to-day routine for lawyers to email Word documents back and forth, with each recipient detaching and saving the file, throwing in a few edits, and sending it back. In some situations, such as court documents that typically are negotiated, then filed jointly (e.g., proposed pretrial and scheduling orders), this interaction occurs among parties who are adversaries in a lawsuit - the farthest thing I can imagine from a trusted exchange.
This alone allows substantial opportunity for exploitation. Even if you don't know any specific filenames, it seems as though you could easily grab the Registry, which is always named the same thing, and learn at least some path and filename information from it. And also keep in mind that many firms (not ours, fortunately) use a stupid auto-format that appends the path and filename into the footer of a document. Let's say I was an unscrupulous lawyer co-drafting a scheduling order, and knew about this exploit. I might go through the earlier files and records in the case, and look at the briefs my opponent filed. If the filename was in the footer, I could rig the scheduling order to get the brief, which would contain not only the printed text I'd already seen when the brief was filed, but perhaps leftover redlines, comments, those mysterious fragments at the bottom, etc.
To answer your obvious questions: (1) no, I haven't tried it, and I'm not planning to, so I don't know if it would actually work, and (2) I have sent the Bugtraq link to the one non-worthless person in our IT department, and (3) yes, I realize this is not a macro exploit technically, so turning macros off won't help. But folks, this is really scary, and I am sure that legal practice is not the only line of business where "enemies" or untrusted parties exchange Word documents via email. That is how the world does business these days.
No, no, no. This is not a sig.
It will take care of your problems.
Microsoft is bad! I am stupid! But that doesn't matter!! Because Microsoft is bad!! Bad bad bad!! I do not like Microsoft! I use it every day but that is exactly the reason why I use it! Because it does everything I need my computer to do!! I am a moron! Microsoft is bad! Drool is cool!
Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org
Well that's just a bullheaded and ignorant thing to say. I'm sure there were a plethora of bugs/holes in Windows 3.11 when Windows 98 was released, but was anyone complaining? No. Reason? After a run of five years, you either upgrade or accept the fact you're playing the odds with outdated software. End of story.
Seriously, I would like to hear one compelling reason to upgrade from Word 97 to a newer version if all you use word for is word processing and basic mail merge
You're the person in charge of applications in your company. MS announces they are dropping all support for Office 97 products. You upgrade.
I'm not saying I don't agree with you, I haven't found any compelling features of Office2k that I didn't have in Office97, but sometimes it's more than just the features.
Not to mention that Office2k+ products support the MSI installation method and auto-repair which sysadmins like [or so MS would have you believe]
Live web cams
Fear not! Your registry is as safe as it was before this particular exploit in Word 97 was discovered. The files that contain your registry information are locked for exclusive access by the operating system -- the only way to manipulate or otherwise read the registry is to use win32 API calls.
They did fix word 97, it is called word 2000 and XP. (at least fixed some things)
You have to expect programs to have a version upgrade!
>>Yet another reason to try OpenOffice.org
No, but if being in a networked world means that I need to constantly upgrade to stay secure, I'd much rather update open source apps than buy MS licenses every couple of months.
>What, you mean linus still produces patches
>for 1.1.x? Or that samba still fixes holes in
>1.8.x? Or that apache still fixes holes in 1.2.x?
Once a bug (defined as a failure or a program to function as documented, advertised, or otherwise represented by the publisher) is reported to the developer, the publisher must
1) Within 6 weeks, acknowledge the bug by posting the information on a web site or sending the information to registered users via postal or email.
2) Within 6 months, contact all registered users and either a) offer a full refund of the purchase price, or b) provide a fixed version of the program.
Failure to comply with these requirements renders any exclusion of consequential damages related to the bug in question invalid.
As soon as a bug is found for any MS product you get hundreds of Linux hippies plastering all kinds of inane nonsense about millions of word 97 users (right), MS security practices and god knows what else.
MS security has been decent since win2k, and in comparison to Linux it had less exploits (check securityfocus.com). It's funny how CNN often finds it news-worthy to inform the world about 'New Serious Bug in MS Software' while they completely ignore bug ridden Linux.
First, let me say that I used to use StarOffice 5.2 and am currently using OpenOffice on Windows 98SE. I've been in environments where Microsoft Office (several versions) have been in use.
OpenOffice installs just as easily as Microsoft Office, the compatibility with most documents is pretty high (sometimes it exceeds the later versions of Microsoft Office for old docs), and the layout is familiar enough (to Microsoft Office) that it is easy enough to pick up. I haven't noticed any printer problems with either the old dotmatrix or the newer inkjet.
That being said, OpenOffice is not compatible with Microsoft Office scripts. For 95%+ of the users out there this doesn't matter. But I know of at least one nation-wide company that bases part of their business on AccessVB scripts. For these companies, a move to OpenOffice would be expensive, since programmers would have to be hired to convert the scripts over. (Then again, upgrading to Office 2005 is expensive too).
Even without the need for VB scripts, OpenOffice's and Microsoft Office's abilities don't overlap 100%. There are some things that are easier to do in Microsoft Office. There are things that are easier to do in OpenOffice.
That being said, I'm sticking to OpenOffice. Installation on windows is easy (comes as an MSI and an exec), works for my light-to-moderate wordprocessing needs, and the cost is easy to bear. :)
Just my $.02
You think if you could afford to produce the best that you would do that, rather than below average. I give Microsoft a C- on software implementations in general.
This is terrible considering how many offices still use MS-Word 97. Boy, if only there was some way where we could encrypt the applications and separate their memory spaces so a virus or bad program couldn't execute it or access it without a certification.
(wink, wink)
http://saveie6.com/
"If the intended target uses Word 2000 or 2002, the most recent versions, the attack will only work if the Word document is printed first before the reply is sent to the attacker"
How badly can the programmers be working if they make such a strange flaw? It must be printed in order for the problem to exist...uh huh.
I have 3656.9 Bogomips. How many Bogomips do you have?
Office 97 was released in January 1997. So yeah, longer than 5 years.
Any smart company should keep around ideas even if a particular product flopped in case the pieces that make up the technology are good.
"You can now flame me, I am full of love,"
I have Word95 running on my really old laptop.
I have Word97 running on my Win98 partition.
I have Word2000 running on my box at work.
Now I only use Word for simple documenting.. well it's simple to me but I'm sure some admin assistant would be completely lost. The ONLY difference I have found between these three versions of word are the doc file sizes. The same amount of text.. formatted the same way.. results in larger doc file.
True story - One day while talking to a MSCE tech I mentioned the current EULA Microsoft was throwing around... the MSCE didn't know what an EULA was.. I had to explain it to her.
vulnerabilities is just the spin factory getting the consumer ready for DRM. Couple articles in the NYT today, few articles on MSNBC. It will be here and legislated as law before you know it.
In defense of M$, you must understand that old software cannot be maintained *indefinitely* (excluding opensource of course). M$ is not the only company that refuses support on dated sw. For example, IBM's iSeries (aka AS/400) is only supported for about 18 mo's per OS release on average. In a commercial environment, it simply is not feasible to maintain old code. You end up resourcing developers as "maintainers" and innovation is not made. People who buy software and think that it will be maintained indefinitely are simply ignorant. If there is a problem with your dated sw and you refuse to upgrade to a release that supports a fix, don't blame the provider. Be aware of the possible problems and inform relevant userbases appropriately. It is a risk you will have to take. word.
Finally, some folks understand the opensource/proprietary differences with respect to development cycles and responsibilities.
"It still takes more than running Word to expose the contents of your hard drive though."
I guess it's not too surprising that Microsoft can't even successfully implement a security hole.
`which fortune`
The only thing that SAMBA doesn't easily handle (and that is an issue of the underlying file system) is permissions. Standard permissions work fine but ACLs are a no-no unless you install a file system capable of supporting them. Domain controllers are tricky but they have been working for a good four years now at least.
There's a better story on this at The Register. It mentions that the exploit uses the INCLUDETEXT field, and works even if macros are disabled.
Yes, more people use windows. So what?
You can't just assume that every piece of software has the same amount of bugs?
You are definitely not a software engineer. Perhaps you might consider the possibility that some software is of a higher quality than other software.
Your statement is logically equivalent to assuming that every brand of car is equally reliable, just some cars get driven more.
Linux is more secure than windows, by design.
Life is too short to proofread.
No, it wasn't a troll.
> you can't share files with more than a few clients from 2K-pro
We didn't need to. We needed to share with exactly 3 clients. In specific, the PC that takes the mugshots, the PC at the 'booking desk' where they "books the perps", and the clerk's PC who enters offense data. It simply had to be physically separate from the real server that handles the calls for service data from the dispatchers, and runs the records management system.
Can't have big TIFFs knocking out the 911 system.
It was a dead-simple system in a Mayberry-esque Sheriff's dept, if you haven't guessed. Those of you who live in rural areas with small PDs, here's a peek at how they use the technology.
> Domain controllers are tricky but thay have been working for a good four years now at least
My point is, tricky for the sake of tricky doesn't cut it. 5 minutes compared to hours of time we ultimately bill to the client, or eat ourselves. Plus, I didn't appreciate having to spend any more time than I had to in the middle of a bad episode of "Dukes of Hazzard"
It was just an example of a simple task made complicated by an ideologue.
I don't need no instructions to know how to rock!!!!
Gee....you sure seem to have backed down a bit though.
Your first post says that it just wouldn't work (implying a software issue).
Your second post says that you couldn't get it to work.
The problem doesn't seem to be that the guy wanted to use samba, but that he didn't know how to use it. The problem wasn't that he was pro-open source, the problem was that he was clueless.
FUD, cluelessness, etc. are going to exist on behalf of all operating systems. It's not like MS or Apple advocates have ever misled anybody, right? Always evaluate things for yourself.
Life is too short to proofread.
You obviously have never used any major linux distro. You should go to rhn.redhat.com or check out any of the other major distributions. You have no idea what you're talking about. You can download OSS as precompiled executable code. You don't have to compile everything from scratch to use OSS.
Somebody mod this troll down so he loses his +1 bonus.
Life is too short to proofread.
You say, "The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file."
I'm more inclined to believe you. What's to keep the bug maker from making a macro that gets directory listings and attaching that file the first time? Heck, a good macro could search all files with keywords and get them.
People using M$ are fools, and people using Word for information storage and exchange are insane. The new W2K license gives M$ the "right" to search your computer. Word gives everyone the same "right". Why would anyone use either?
Friends don't help friends install M$ junk.
Why?
Request top_secret_nuclear_codes.doc
Ok, a bit far fetched, but you do get the idea?
Live today. Tomorrow will cost a lot more!
You claim to have this vast experience with linux, but it still sounds like you've never used a current major distro.
If you use a current version of RH you can get away without compiling anything. You implied that the best approach that has existed to date is "keep track of all the patches yourself, download them, and rebuild your apps..." I'm saying there are better ways. If you're as experienced as you say you are, you should know this.
Even if you're only talking about applications and not distributions, there are usually precompiled packages available for download, and if there aren't then the project usually hasn't yet reached a state where it would be useful to those who needed them. I said you have no idea what you're talking about, because you implied something that just isn't true.
If you have gripes with things like Red Hat Network I'd be interested to hear them. However, your post made it seem like they just don't exist.
I can schedule software updates on my pc from any computer with a decent web browser and an internet connection. I don't ever have to compile anything but a small handful of programs and most of these are alpha or pre-alpha and I use linux as my desktop os.
Life is too short to proofread.