Slashdot Mirror


Microsoft Word Security Flaw

JWL-23 writes: "cnn.com is reporting that a Microsoft Word flaw may allow file theft. Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org." It still takes more than running Word to expose the contents of your hard drive though.

12 of 450 comments

  1. MS-Word and document exchange by Charles Dodgeson · · Score: 5, Informative

    Yet another reason why MS Word is not a document exchange format. That rant is also available in other formats.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  2. Not True by DaytonCIM · · Score: 5, Informative

    "Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold."

    That's not entirely true. It is true that before this story broke, Microsoft had no plans on updating or offering any new fixes for anything '97.
    However, CNN and AP reported this morning that Microsoft hasn't ruled out a fix and that they are in the process of determining what it would take to make a fix available.

  3. Re:Bad Developer, BAD! by Anonymous Coward · · Score: 1, Informative

    TeX

  4. Some clarification by agantman · · Score: 5, Informative

    1) IMHO the emphasis on Word97 is wrong. I originally tested this on Word2000 and it worked perfectly.

    2) I was not out to find yet another M$ bug. I was using Word for my daily work when I stumbled onto this. It was one of those "I wonder what this button does" things.

    3) The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file. In other words, just editing and saving (or printing) the bugged file is sufficient. Look for a new bugtraq post early next week.

  5. Ending support issue by 1000101 · · Score: 2, Informative

    Microsoft ending support on Office 97 is nothing new in the business world. Car companies regularly end their support for different models. After a while it is not cost effective for them to produce spare parts for these models. Also, look around everywhere in the technology industry. Companies are constantly discontinuing support. I have a Denon receiver whose fm tuner went out and I'm S.O.L. b/c they don't make spare parts anymore. All this complaining about their discontinued support for Office 97 is nonsense.

  6. Re:Why OpenOffice ? by jnd3 · · Score: 2, Informative

    One reason might be that OpenOffice is free, while GobeProductive is not...

    I actually just installed OpenOffice on my home PC's Win2k drive (still gotta get it for the Linux drive). I have to admit that I've never tried GobeProductive, but I did use the old StarOffice (5.2) for a while. I thought it stunk. OpenOffice is quite comparable to MS Office in terms of usability. On my system it was quite a bit faster than MS Office as well. So let's see, OpenOffice is (1) free, (2) compatible (> 90%, probably) with MS Office, (3) available right now for multiple OS platforms. Granted, GobeProductive might be faster than OpenOffice, but come on, do you really need the file to open instantaneously?

    Maybe someone will come up with a quantum office productivity suite that will open files before you need them... :-)

  7. Re:Really another reason to use openoffice? by yorgasor · · Score: 4, Informative

    There is a big difference. Open source software developers rarely dish out patches. They can't, really. Windows software gets patched because they have complete control over the binary and know exactly what was shipped to customers. Open source software could be compiled on a dozen different platforms with who-knows-what kind of optimizations.

    Instead, they release a new version with the bug fixed. Usually code patches are available, but how many people using KDE actually compiled their version?

    Ok, so commercial software and open source software developers really want their users to use the most up to date versions. The difference is, MS wants their users to fork out a few hundred $$$ for their new fixes and gotta-have features. For KDE, you can just download the latest version or get it from a friend. That's why MS is evil for not patching '97. People paid a lot of money for it and expect MS to support it. I personally can't see any feature worth paying several hundred dollars for an upgrade to Office 2000/XP over '97 and neither can millions of their customers.

    Now you tell me who's looking out for their users.

    --
    Looking for a computer support specialist for your small business? Check out
  8. Re:Obligations to fix flaws by Rutulian · · Score: 2, Informative

    Yeah, 'cuz whenever I suspect a shortcoming in the Linux kernel, I break out emacs and beat it back into shape. Right. After I correct any perceived shortcomings in emacs, that is.

    Err...Ummm, this is an argument I see a lot and it just doesn't make sense. You may not be able to fix the problem yourself, but that is not the point. The point is that the decision to fix the problem is not left solely to a large corporation that only cares about the numbers on its ledger.

    Sure, you probably aren't a software developer who is intimately familiar with all of the programs you use. Nevertheless, you are still much more likely to obtain a fix because the source is freely available. If you don't provide the fix (or pay someone to provide the fix), then somebody else probably will, provided it is a large enough problem. Furthermore, since open source developers tend to care more about the quality of their software than financial gain to be had (i.e., they don't have management and marketing breathing down their necks), the core developers of the project in question will probably fix the problem themselves and/or roll a patch into the main tree, again provided the problem is serious enough and the patch doesn't break anything.

    Note: I use "problem is serious enough" as an umbrella term to refer to the number of people experiencing the problem, the type of problem (security, functionality, aesthetic, etc), the effect the problem has on other aspects of the program, etc...

  9. A Fix! by gspeare · · Score: 4, Informative

    Of course, there's a way to address this problem with...a Word Macro! :)

    Sub AutoOpen()
        '
        ' IncludeTextBarrer Macro
        ' Macro created 9/13/2002 by Geoff Speare
        ' Created for Word 2000, use at own risk, etc.
        '
        Dim count As Integer
        Dim vbFix As VbMsgBoxResult
        Dim blFoundOne As Boolean

        blFoundOne = False
        ' Check each field in ActiveDocument.Fields for the INCLUDETEXT type
        For count = 1 To ActiveDocument.Fields.count
            If ActiveDocument.Fields(count).Type = wdFieldIncludeText Then
                blFoundOne = True
                vbFix = MsgBox("An INCLUDETEXT field has been found. Would you like to lock it? " & _
                    "(Select All and then Ctrl-4 will unlock all fields if you change your mind.)", vbYesNo, "INCLUDETEXT Exploit Detection")
                If vbFix = vbYes Then
                    ' A locked field is not refreshed when fields are updated
                    ActiveDocument.Fields(count).Locked = True
                End If
            End If
        Next
        ' Warn once if any INCLUDETEXT field was seen, locked or not
        If blFoundOne Then
            MsgBox "Your document may have a field which secretly includes text from another file. You may wish " & _
                "to Reveal Field Codes (ALT-F9) and examine the document closely before saving or distributing it.", vbOKOnly, _
                "INCLUDETEXT Exploit Detection"
        End If
    End Sub

  10. Re:Check this out... by DeadMeat (TM) · · Score: 3, Informative

    Sort of. Word has a feature called "fast saves" that only adds revisions on saves (think like GNU diff) rather than going through and rebuilding the file. This was enabled by default until some later Word service pack (2K SP1 IIRC). This is also one of the reasons DOC files tend to have hideously-bloated filesizes.

    There are some other ways of getting weird extraneous data dumped into Office files -- see this Microsoft Knowledge Base document for more info. Fast saves are by far the worst culprit, though.

    If you're really concerned about this sort of thing, the best thing to do (besides using a different office suite) is to pipe public documents through GNU strings first to make sure nothing conspicuous is embedded.
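
A file-level take on the INCLUDETEXT check in comment 9 and the strings-style scan suggested in comment 10, as an added example that is not part of any comment in this thread: it looks for INCLUDETEXT field codes in the raw bytes, so the file never has to be opened in Word. The field-mark bytes (0x13/0x14/0x15), the function names and the sample path are assumptions of this example.

```python
import re

# Assumption of this example: a binary .doc stores a field as
# 0x13 <instruction> 0x14 <cached result> 0x15, in 8-bit or UTF-16LE text.
FIELD = re.compile(
    r'\x13\s*INCLUDETEXT\s+(?:"([^"\x13-\x15]*)"|([^\s\x13-\x15]+))',
    re.IGNORECASE,
)

def _views(data: bytes):
    """Yield the raw bytes decoded as 8-bit text and as UTF-16LE (both alignments)."""
    yield "8-bit", data.decode("latin-1")
    for offset in (0, 1):
        chunk = data[offset:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        yield "utf-16le", chunk.decode("utf-16-le", errors="replace")

def find_includetext(data: bytes):
    """Return one dict per INCLUDETEXT field: encoding, target, cached result size."""
    hits = []
    for encoding, text in _views(data):
        for m in FIELD.finditer(text):
            sep = text.find("\x14", m.end())
            end = text.find("\x15", m.end())
            # A separator before the end mark means included text is already stored.
            cached = text[sep + 1:end] if 0 <= sep < end else ""
            target = m.group(1) if m.group(1) is not None else m.group(2)
            hits.append({"encoding": encoding, "target": target,
                         "cached_chars": len(cached)})
    return hits

def constructed_doc(encoding: str, pad: bytes = b"") -> bytes:
    """Constructed sample bytes (not a real document) holding one field."""
    body = ('Draft order.\x13 INCLUDETEXT "C:\\\\cases\\\\brief.doc" '
            '\x14leftover text\x15 End.')
    return b"\xd0\xcf\x11\xe0" + pad + body.encode(encoding) + b"\x00\x00"

if __name__ == "__main__":
    for enc in ("latin-1", "utf-16-le"):
        for hit in find_includetext(constructed_doc(enc)):
            print(hit)
```

A plain mention of the word INCLUDETEXT in body text is not reported, because the match requires the field-begin mark in front of it; fields whose instruction contains nested fields are outside what this sketch parses.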

  11. Re: VERY EASY Social Engineering by raresilk · · Score: 3, Informative

    I work for a large law firm that shall remain anonymous. Much of our user population is still using Word 97, and for various reasons I don't agree with, secretaries are actually being trained to use macro based templates to perform relatively simple functions, so everybody has macros turned on. (Don't blame me, I'm a lawyer, not IT. Our IT department sucks like a vacuum, mainly because of a few powerful old farts who miss their quill pens, hate computers, and won't retire.)

    But back to my original point - there are many contexts where it is literally day-to-day routine for lawyers to email Word documents back and forth, with each recipient detaching and saving the file, throwing in a few edits, and sending it back. In some situations, such as court documents that typically are negotiated, then filed jointly (e.g., proposed pretrial and scheduling orders), this interaction occurs among parties who are adversaries in a lawsuit - the farthest thing I can imagine from a trusted exchange.

    This alone allows substantial opportunity for exploitation. Even if you don't know any specific filenames, it seems as though you could easily grab the Registry, which is always named the same thing, and learn at least some path and filename information from it. And also keep in mind that many firms (not ours, fortunately) use a stupid auto-format that appends the path and filename into the footer of a document. Let's say I was an unscrupulous lawyer co-drafting a scheduling order, and knew about this exploit. I might go through the earlier files and records in the case, and look at the briefs my opponent filed. If the filename was in the footer, I could rig the scheduling order to get the brief, which would contain not only the printed text I'd already seen when the brief was filed, but perhaps leftover redlines, comments, those mysterious fragments at the bottom, etc.

    To answer your obvious questions: (1) no, I haven't tried it, and I'm not planning to, so I don't know if it would actually work, and (2) I have sent the Bugtraq link to the one non-worthless person in our IT department, and (3) yes, I realize this is not a macro exploit technically, so turning macros off won't help. But folks, this is really scary, and I am sure that legal practice is not the only line of business where "enemies" or untrusted parties exchange Word documents via email. That is how the world does business these days.

    --
    No, no, no. This is not a sig.
  12. Re:Yet another reason to try OpenOffice.org by Some Dumbass... · · Score: 3, Informative

    What, you mean Linus still produces patches for 1.1.x?

    Actually, there are still new releases to the 2.0 kernel series, which is the "circa 1997" (think "Word 97") kernel series. They're at 2.0.40-pre6 right now.

    Of course, perhaps the original poster meant that people should try OpenOffice not because patches are released for older versions of Open Source software, but rather because the upgrade to the latest, fully patched version is free?