Slashdot Mirror


Microsoft Word Security Flaw

JWL-23 writes: "cnn.com is reporting that a Microsoft Word flaw may allow file theft. Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org." It still takes more than running Word to expose the contents of your hard drive though.

30 of 450 comments

  1. Re:Bad Developer, BAD! by Dephex Twin · · Score: 2, Insightful
    If microsoft offered free upgrades to customers who hold a flawed version of their software that they refuse to fix, then all of their software would be basically "buy once, and receive free upgrades for life".

    Well, that sounds like an excellent motivator to try harder to get it right the first time!
    --

    If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
  2. Open Office by cdf12345 · · Score: 3, Insightful

    Thank god I downloaded openoffice last night.

    My sister's entire school district is switching to it, it's cheap and open source, so there's no "we're not going to fix it" crap.

    Schools have been sold on the idea that students need to learn the microsoft products for the business world. But I say if you learn open office you'll be able to use office 2000 should an employer some day down the road still be using it.

    --
    Chicago2600.net more than a lifestyle, it's a survival trait.
  3. Re:Riiiight by ivan256 · · Score: 3, Insightful

    I know of quite a few businesses that don't feel the need to pay for an upgrade when Word 97 does everything they need. There's no incentive to upgrade. (Even now, because they don't use the document protection features)

    Seriously, I would like to hear one compelling reason to upgrade from Word 97 to a newer version if all you use word for is word processing and basic mail merge.

  4. Obligations to fix flaws by elindauer · · Score: 2, Insightful

    It is a shame that software development companies do not have a legal obligation to fix significant flaws...

    This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software. It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix.

    Allowing users to steal files obviously falls on the major problem side of the line, but many other problems are in a gray area that is difficult to define. Besides this, most users find that the bugs they consider to be "major" are different than those other users might consider important, based on the way they happen to use the software.

    Just another argument for using open-source software whenever you possibly can. If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?

    1. Re:Obligations to fix flaws by great throwdini · · Score: 4, Insightful

      Just another argument for using open-source software whenever you possibly can. If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?

      Yeah, 'cuz whenever I suspect a shortcoming in the Linux kernel, I break out emacs and beat it back into shape. Right. After I correct any perceived shortcomings in emacs, that is.

      I could always hire or convince someone else to fix a problem for me (with open source software), but that might rapidly amount to an obscene monetary or temporal cost (for an individual to bear) after adding up each fix requested, and doing so still leaves the decision to someone else.

      So, I basically have to be able to (a) understand and (b) correct the code "behind" the software packages I use in order to derive full benefit from open source software? That line of thinking doesn't seem very compelling to me.

      Nine times out of ten (at least), the only difference is that I, as an end-user, am waiting for a different group of people to improve the products I use. Maybe they'll fix it, maybe they won't -- because, as you point out:

      [M]ost users find that the bugs they consider to be "major" are different than those other users might consider important, based on the way they happen to use the software.

      Food for thought?

    2. Re:Obligations to fix flaws by great throwdini · · Score: 2, Insightful

      [T]he point is that you CAN. With closed-source products, you don't even have that option [to correct flaws yourself].

      No, no, no. The point is that one MAY. One has the right to, and one has access to the building materials. In no way does that grant one the ability to implement [nearly any significant set of] fixes. It is unfortunate the distinction is either lost or assumed in these discussions.

    3. Re:Obligations to fix flaws by Xaoswolf · · Score: 5, Insightful
      This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software.

      Open source developers are more responsible than closed source developers? Could you please tell me why?

      It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix.

      Does it work as a word processor? Will it allow you to read, write, print, and format documents? Well, if it didn't do those, then I would say it is a major problem. If it emailed personal information to random people on start up, then I would call it a problem, or if it caused your firewall software to crash every time you opened a .doc file, I would call it a major problem.

      If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?

      Perhaps because I am not a software engineer, and I know that my mother barely knows how to operate the mouse, let alone debug complex software.

      The problem here is that someone found a way to exploit a Microsoft Word feature. Now we can tell them to do things in the name of security, oh wait, isn't that what we all complain Bush is doing?

      A very famous man once said something along the lines of "They who would give up an essential liberty for temporary security, deserve neither liberty or security".

      You are giving up features for temporary security. Anything Microsoft does will be a temporary fix. There are enough hackers out there that hate Microsoft that no matter what, they will find a new way to exploit the software. Now before I hear any "that's because Microsoft sucks, use Linux" comments, if all the people out there trying to find cracks and exploits for MS software were instead going against Linux, or other open sourced applications, you'd find just as many problems.

      Don't believe me? Put up an Apache web page on a Linux box, or whatever open-sourced so. Now have the only line on the page say "You can't hack this box". Get a link somewhere that people are going to see it, and then talk to me in a month as to how safe your page was.

    4. Re:Obligations to fix flaws by Anonymous Coward · · Score: 1, Insightful

      > Open source developers are more responsible than closed source developers? Could you please tell me why?

      Quite simple. If there's a huge hole in GNU Fortran, people know who to blame. Try to blame an individual developer in a large software conglomerate.

      Toon Moene, g77 maintainer.

    5. Re:Obligations to fix flaws by CorwinOfAmber · · Score: 2, Insightful
      At least with proprietary software, with enough money you can FORCE a company that you bought software from to fix it.

      Maybe. But with Free software, you can hire the original developer, or any competent programmer, to fix it. If you've got the money to throw around, you can hire the best programmer in that particular domain. With proprietary software, you are always at the original developer's mercy.

      If there's no contract, there's nothing to fall back on when things go wrong (and things *always* go wrong).

      As opposed to the contract you have with proprietary software that indemnifies the publisher from any and all responsibility when things go wrong? Forgive me, but I am so tired of this argument. How much responsibility did Microsoft claim over Code Red?

      Would you rather spend a little extra and get a car with a warranty, or a car "as is"?

      This analogy is not even remotely accurate. A better analogy would be that the car without the "warranty" has a number of mechanics who like to work on the car, and many of them are perfectly happy to come to your house at any time of day and fix it for you, free of charge, or maybe for a beer or two. But if you get the car with the "warranty", when something goes wrong you first have to tow it to the dealer, then you have to demonstrate to the dealer that it's broken, then you have to prove that the problem is covered by the warranty (that's not a bug, it's a feature!). And even then, the dealer might decide that he doesn't want to fix it, and there's nothing you can do about it (unless, of course, you can get some grunt at IBM to lean on him).

      --
      My future's determined by Thieves, thugs, and vermin -- The Offspring
  5. Re:isn't it odd by Photon Ghoul · · Score: 2, Insightful

    First of all making bugs/exploits/whatever known to the public is a perfectly acceptable way of getting the information out to those who protect systems and those who need to protect themselves.

    Secondly... are you just grabbing conspiracy theories out of thin air? Where did you even come up with this? I would like to know.

  6. Re:Bad Developer, BAD! by Loligo · · Score: 5, Insightful

    >Well, that sounds like an excellent motivator to
    >try harder to get it right the first time!

    Name one major software product that has been bug-free from initial release.

    For that matter, name one major software product that has ever been bug-free at any point in its lifetime.

    -l

  7. Old software is a risk? by m_chan · · Score: 4, Insightful

    Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software, but Microsoft should correct the problem because of its severity.

    I am having a hard time getting my head around the concept that newer software equals software with "less risk". I do not understand why a product, open or closed, is inherently more "risky" due to its age. Perhaps she means un-patched old software? Is she advising users of a genuine risk, or is she making the case for a revenue stream and saying that IS Managers who do not stay "less old" in their application selections are jeopardizing their companies? Although she admonishes Microsoft to fix the problem, it seems her implication is that said managers are negligent, as opposed to the software vendor who may or may not patch the hole they wrote.

    1. Re:Old software is a risk? by anonymous loser · · Score: 3, Insightful

      I think the general thinking behind statements like this is the same reason Redhat 7.2 is more secure than, say, Redhat 3.0. The software has been around longer, so more security holes have been found and exploited. Granted, there are patches available, but in general you could say that the newer versions are more secure with respect to these known exploits, since the patches are already built in to the newer release.

  8. hidden codes by ndevice · · Score: 2, Insightful

    quote from the article:

    "Microsoft suggests users view hidden codes in every document they open"

    Most people I know don't even like looking at non-printable characters...

    While they're at it, they may as well suggest that everyone examine binaries manually before they run them.

  9. It's not surprising by Kakarat · · Score: 2, Insightful
    However from a business point of view, it's not effective to keep patching very old code for something that is fixed (or will be) in a newer version of code. Also, they want to give users a reason to get off their old software and have them pay more money to upgrade.

    --
    "I bet I'll get blamed for this." --Mayor Quimby
  10. Re:Social Engineering by joshki · · Score: 3, Insightful
    How? This isn't social engineering -- it happens in the real world all the time!

    I receive documents for review and editing from up to 400 different people -- and I'm not even all that high up the food chain. This would easily work on me -- and I'm very security conscious. This isn't like "don't click on attachments from people you don't know" -- it falls more into the category of "don't ever use Word and Outlook and Office for what they're designed to do." (I know -- use OO... When somebody convinces the government to do that...)

    --
    I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
  11. 10 years by thunderbug · · Score: 2, Insightful

    The auto industry is required to make parts available for 10 years past the model year. Makes sense.

    Why not apply the same rule to software security fixes? Sure would do a lot to motivate better design.

  12. Re:Ridiculous by stratjakt · · Score: 5, Insightful

    "play up what a nightmare Microsoft malware is, and how easy and free OS software is"

    No, I'd say use your head and give some insightful advice, rather than spout off like a ranting zealot. Don't "play up" anything. Give the truth.

    Don't lie about how easy it is to install and configure the OSS equivalents. Don't pretend they're going to be 100% compatible. And in God's name, stop with the "Microsoft owns your soul" rants. Once that user realises you lied, there goes your credibility, your 'stroke'. Next time they'll ask for advice from the kid at the counter of the local Office Depot.

    If OSS is going to 'empower' people, it won't be through a bunch of FUD and politics. Let it sink or swim on its own virtues.

    This isn't a message directed at you, but rather to all who want to actually help open source be taken seriously.

    --
    I don't need no instructions to know how to rock!!!!
  13. This is what makes me not use M$. by xanadu-xtroot.com · · Score: 5, Insightful

    FTA:

    But, referring to Microsoft engineers, McGee said "there's only so far back they can go."

    No. There's only so far back they WILL go. There is a HUGE difference. Microsoft has CHOSEN not to support it, it's not that they can't.

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
  14. Re:this is insane by Razzious · · Score: 4, Insightful

    Agree with the principle, however a Rare chance at file theft and a FATAL FLAW in an automobile are not even close to realistic comparisons...

    --
    Razzious Domini
    I could be a GREAT KARMA WHORE if I could just shed the few morals I have left.
  15. Really another reason to use openoffice? by jpt.d · · Score: 4, Insightful

    The logic of this eludes me.

    If you are using Word97 and somebody else is using WordXP, the other person will get the patch.

    Opensource software now...
    You are using KDE1 and somebody else is using KDE3. Security Hole X is in both. KDE3 will get 'patched' or at least fixed; I doubt that KDE1 will get fixed. The only benefit here is that you could potentially fix it yourself, but if you are using KDE1 I doubt you really would.

    --
    What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
    1. Re:Really another reason to use openoffice? by JWL-23 · · Score: 2, Insightful

      Yeah, but it doesn't cost hundreds of dollars to (legally) upgrade to KDE 3.x.

  16. Why bother with 97? by Winterblink · · Score: 2, Insightful
    For the same reason we no longer see security fixes and patch support for Windows 3.1. It's OLD. Newer products like Office 2000 and XP are probably easier to patch than the old convoluted mess that is Office 97. I mean the product's at least five years old. Let it go.

    Just my 2c!

    --
    "I'm a leaf on the wind. Watch how I soar."
    -Hoban Washburn
  17. Re:Bad Developer, BAD! by Gonarat · · Score: 2, Insightful

    That would be a great change to software copyright. Give software full copyright protection as long as it is supported (supported being defined as helpdesk support and maintenance). That way, MS (or any software maker) would have to stand by the software that has been purchased instead of abandoning it like yesterday's newspaper.


    When MS drops support for Word 97, Windows 95, DOS, or whatever other package, then that version should be free to copy. We still have many machines where I work that use Win 95/Office 97 (new Machines get Win 2K and Office 2K) and have apps out in the field (point of sale) that use DOS 6.22 and Desqview. We still have to license every PC that is used -- why shouldn't we get support if we are shelling out $$?

    --
    Beware of Sleestak
  18. Word is Insecure by minairia · · Score: 3, Insightful

    I write very basic Visual Basic scripts to automate the transcription process for a large hospital. Microsoft Word is completely insecure. Every Word document can contain one or more large complete applications that can interact with the internet, the network, a user's computer etc. Even with my very limited and basic knowledge I could (and have) accomplished the above. Every transcribed document in my department of this hospital is full of my code. If I was a certain type of person, the danger to patient privacy and confidentiality would be immense. I'm not like that, but the idea that companies, hospitals and governments world-wide use Word on a daily basis is rather unsettling. I can only imagine the exploits that someone who A) really knew what they were doing and B) lacked ethical standards could accomplish.

  19. Bizarro World by SomeOtherGuy · · Score: 3, Insightful

    In the same week we wondered why Microsoft was making HP/Compaq kneel and beg to "be able" to provide MS Windows with each PC (rather than Microsoft thinking themselves "lucky" to be moving so many copies of their software)....Along comes this, as to where Microsoft may refuse to patch Word 97. Now I personally know of quite a few Fortune 500 companies that are still 100% Word 97.....Would not this size and (clout) of a user base still warrant security patches to serious holes? (Well, for most software companies it would -- but Microsoft's relationship..err..monopoly with their customer base is almost 180 degrees from everyone else.)

    --
    (+1 Funny) only if I laugh out loud.
  20. Re:Some clarification by Cy Guy · · Score: 3, Insightful

    Could a SlashDot editor please include this info as an update to the story?

    I'd ask that it be modded up but it's already maxed out.

  21. Yet another reason to try OpenOffice.org by Leto2 · · Score: 3, Insightful
    Yet another reason to try OpenOffice.org

    What, you mean Linus still produces patches for 1.1.x? Or that Samba still fixes holes in 1.8.x? Or that Apache still fixes holes in 1.2.x?

    --
    <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    1. Re:Yet another reason to try OpenOffice.org by tuffy · · Score: 3, Insightful
      What, you mean Linus still produces patches for 1.1.x? Or that Samba still fixes holes in 1.8.x? Or that Apache still fixes holes in 1.2.x?

      No, but Linus, Samba and Apache don't charge $200+ for the updated versions of their software with the bugs fixed.

      --

      Ita erat quando hic adveni.

  22. Re:isn't it odd by _|()|\| · · Score: 3, Insightful
    this was a sneaky way to undermine microsoft by releasing to the public such a huge bug.

    You're confused: Microsoft released the bug. Qualcomm just did a little free QA.