Slashdot Mirror


Microsoft Word Security Flaw

JWL-23 writes: "cnn.com is reporting that a Microsoft Word flaw may allow file theft. Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org." It still takes more than running Word to expose the contents of your hard drive though.


  1. Re:Bad Developer, BAD! by Dephex+Twin · · Score: 2, Insightful
    If microsoft offered free upgrades to customers who hold a flawed version of their software that they refuse to fix then all of their software would be basically "buy once, and receive free upgrades for life"

    Well, that sounds like an excellent motivator to try harder to get it right the first time!
    --

    If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
  2. Open Office by cdf12345 · · Score: 3, Insightful

    Thank god I downloaded openoffice last night.

    My sister's entire school district is switching to it, it's cheap and open source, so there's no "we're not going to fix it" crap.

    Schools have been sold on the idea that students need to learn the microsoft products for the business world. But I say if you learn open office you'll be able to use office 2000 should an employer some day down the road still be using it.

    --
    Chicago2600.net more than a lifestyle, its a survival trait.
    1. Re:Open Office by Lizard_King · · Score: 2

      ...should an employer some day down the road still be using it

      You sound quite young and naive. Companies in the past, today and tomorrow are not going to abandon productivity suites such as MSOffice because of these vulnerabilities/exploits. The reason why the majority of schools teach proficiencies in these products is that the majority of businesses *use* them.

      I used to be a zealot as well. A few years of working every day has turned me into a realist.

      Thank god I downloaded openoffice last night.
      Phew, that was a close one!

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
    2. Re:Open Office by cdf12345 · · Score: 2

      All it takes is a Network Admin to switch over to a non standard software package and a few weeks for people to get used to it.

      Believe me, when our school realised they would save over $9000, the switch was a no brainer.

      All it takes is for some exposure, and some businesses looking at their savings, and people will not care if their software is Microsoft or not, especially with their "Trustworthy computing" campaign.

      --
      Chicago2600.net more than a lifestyle, its a survival trait.
    3. Re:Open Office by sunset · · Score: 2
      ...Companies in the past, today and tomorrow are not going to abandon productivity suites such as MSOffice because of these vulnerabilities/exploits. ..

      Don't be so sure. A company's management does have the power to make such a decision, and will do so if sufficiently persuaded. And the arguments for it just keep getting better and better.

      We are in uncharted territory. This is not the time for glib predictions based on the past.

    4. Re:Open Office by Micah · · Score: 2

      Microsoft Office has features that the open source alternatives don't have (yet). Period.

      Like what?

      OpenOffice is quite complete. And it is very extensible. You can write plugins in C++, Java, or Basic. Within a year or two there will be a thriving market for plugins, both commercial and open source. The development community is growing by leaps and bounds. Traffic on the API list is going up almost exponentially.

      So even if MS Office has some unique features today, it likely won't for long.

    5. Re:Open Office by Micah · · Score: 2
      Companies in the past, today and tomorrow are not going to abandon productivity suites such as MSOffice because of these vulnerabilities/exploits.

      No, but they will because
      • It will save them a ton of money
      • It will save them licensing headaches
      • Better security, and the guarantee that it will be fixable apart from the whim of a large corporation
      • It will save their files in open file formats that are far more efficient than MSs, and are far easier to integrate into other applications.

    6. Re:Open Office by Micah · · Score: 2

      hmm, granted I'm no power user at this point, but I'm pretty sure all that is possible. You might want to ask on the OpenOffice users list... seriously...

      I agree that the documentation leaves a bit to be desired, but they ARE working on it.

      For one thing, there's a new Software Development Kit with info on how to write plugins.

      Here's a link to the new developer documentation draft.

  3. Social Engineering by xfs · · Score: 2, Funny

    " If an attacker can persuade a target to open, modify and then return a document to him he can snaffle sensitive files on a user's PC. "

    This isn't a huge bug with office it's a huge bug with USERS.

    1. Re:Social Engineering by joshki · · Score: 3, Insightful
      How? This isn't social engineering -- it happens in the real world all the time!

      I receive documents for review and editing from up to 400 different people -- and I'm not even all that high up the food chain. This would easily work on me -- and I'm very security conscious. This isn't like "don't click on attachments from people you don't know" -- it falls more into the category of "don't ever use word and outlook and office for what they're designed to do." (I know -- use OO... When somebody convinces the government to do that...)

      --
      I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
    2. Re:Social Engineering by peter_gzowski · · Score: 2

      I don't know, dude. This involves you receiving a document from a name you don't recognize (unless the attacker has your company's employee list, and then I think you have bigger problems) on a topic that the attacker probably has very little knowledge of. Maybe (s)he knows what your company does, but could they write a document passable as one of the members of your particular group (even if it is 400 people)? You make it sound like some guy could send you his term paper, and you would edit and return it with grammar corrections.

      --
      "Now gluttony and exploitation serves eight!" - TV's Frank
    3. Re:Social Engineering by joshki · · Score: 2

      No -- but don't you have different levels of trust in your organization? I have all kinds of people working for me -- any one of them could send me a proposal, memo, or something else to go up and I would cc them on what I sent up (usually -- not always). That's just one scenario -- and an attacker can usually find out who works somewhere without any difficulty...

      --
      I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
  4. Faith in Microsoft? by soboroff · · Score: 4, Funny

    I loved this one:

    "It's incredible to me that Microsoft would turn its back on Word 97 users," said Woody Leonhard, who has written books on Microsoft's Word and Office software. "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."


    To paraphrase Douglas Adams, "Bill says, 'I refuse to fix bugs, for patches deny faith, and without faith I am nothing.' "

    1. Re:Faith in Microsoft? by soulsteal · · Score: 3, Funny
      To paraphrase Douglas Adams, "Bill says, 'I refuse to fix bugs, for patches deny faith, and without faith I am nothing.' "


      If only Bill could disappear in a puff of logic.

    2. Re:Faith in Microsoft? by Reziac · · Score: 2

      FAITH has been defined as "believing in what you know ain't so" ;)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  5. Re:Riiiight by ivan256 · · Score: 3, Insightful

    I know of quite a few businesses that don't feel the need to pay for an upgrade when Word 97 does everything they need. There's no incentive to upgrade. (Even now, because they don't use the document protection features)

    Seriously, I would like to hear one compelling reason to upgrade from Word 97 to a newer version if all you use word for is word processing and basic mail merge.

  6. isn't it odd by bashbrotha · · Score: 3, Interesting

    that qualcomm (maker of the eudora PIM/email client) was the company that found the bug? not that I like microsoft, but somehow this was a sneaky way to undermine microsoft by releasing to the public such a huge bug.

    I just wonder... did qualcomm try to blackmail microsoft first, before releasing the "scoop" on the bug?

    1. Re:isn't it odd by Photon+Ghoul · · Score: 2, Insightful

      First of all making bugs/exploits/whatever known to the public is a perfectly acceptable way of getting the information out to those who protect systems and those who need to protect themselves.

      Secondly... are you just grabbing conspiracy theories out of thin air? Where did you even come up with this? I would like to know.

    2. Re:isn't it odd by crm114 · · Score: 2, Interesting

      Far more likely that macrotheft knew all along about this bug (or was it a feature?) and is using this opportunity to 'patch' in something that will render openoffice inoperable.

    3. Re:isn't it odd by _|()|\| · · Score: 3, Insightful
      this was a sneaky way to undermine microsoft by releasing to the public such a huge bug.

      You're confused: Microsoft released the bug. Qualcomm just did a little free QA.

  7. Hmm.. Screwing 97 users, huh? by stratjakt · · Score: 2

    "That decision -- still left largely up in the air by Microsoft engineers -- may leave millions of users of Word 97 without a fix. All versions of Word are susceptible to the flaw, but the problem is most severe in Word 97."

    Up in the air. May. Key words and phrases that denote that no final decision to "screw" users of '97 has been made.

    Of course, 'bugged' documents could easily be captured by any number of third party virus scanning suites, which I would surely hope any user in an office environment who opens e-mails with reckless abandon would use.

    --
    I don't need no instructions to know how to rock!!!!
  8. Obligations to fix flaws by elindauer · · Score: 2, Insightful

    It is a shame that software development companies do not have a legal obligation to fix significant flaws...

    This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software. It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix.

    Allowing users to steal files obviously falls on the major problem side of the line, but many other problems are in a gray area that is difficult to define. Besides this, most users find that the bugs they consider to be "major" are different than those other users might consider important, based on the way they happen to use the software.

    Just another argument for using open-source software whenever you possibly can. If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?

    1. Re:Obligations to fix flaws by sehryan · · Score: 2

      If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself.

      ...If you have the skills to do so. Most people couldn't fix a problem in the code. And I know that I would not feel comfortable running a fix that didn't come from the software maker.

      --
      The world moves for love. It kneels before it in awe.
    2. Re:Obligations to fix flaws by BradleyUffner · · Score: 2
      "It is a shame that software development companies do not have a legal obligation to fix significant flaws...

      This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software. It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix."


      Are you saying that open source software developers are any more legally responsible for fixing their bugs than closed source?

    3. Re:Obligations to fix flaws by great+throwdini · · Score: 4, Insightful

      Just another argument for using open-source software whenever you possibly can. If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?

      Yeah, 'cuz whenever I suspect a shortcoming in the Linux kernel, I break out emacs and beat it back into shape. Right. After I correct any perceived shortcomings in emacs, that is.

      I could always hire or convince someone else to fix a problem for me (with open source software), but that might rapidly amount to an obscene monetary or temporal cost (for an individual to bear) after adding up each fix requested, and doing so still leaves the decision to someone else.

      So, I basically have to be able to (a) understand and (b) correct the code "behind" the software packages I use in order to derive full benefit from open source software? That line of thinking doesn't seem very compelling to me.

      Nine times out of ten (at least), the only difference is that I, as an end-user, am waiting for a different group of people to improve the products I use. Maybe they'll fix it, maybe they won't -- because, as you point out:

      [M]ost users find that the bugs they consider to be "major" are different than those other users might consider important, based on the way they happen to use the software.

      Food for thought?

    4. Re:Obligations to fix flaws by rmadmin · · Score: 4, Interesting

      I'm on the same boat. I definitely couldn't fix security holes in the software I run (especially considering that I'd have to have a fscking HUGE /usr/src partition). Even if I could, I don't know if I would trust the patch since:
      1: I didn't write the software in the first place.
      2: I'm not a full time programmer, I'm an administrator.

    5. Re:Obligations to fix flaws by xanadu-xtroot.com · · Score: 2

      I definitely couldn't fix security holes in the software I run

      Although I am holding an oar next to you in your boat, the point is that you CAN. With closed-source products, you don't even have that option.

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
    6. Re:Obligations to fix flaws by great+throwdini · · Score: 2, Insightful

      [T]he point is that you CAN. With closed-source products, you don't even have that option [to correct flaws yourself].

      No, no, no. The point is that one MAY. One has the right to, and one has access to the building materials. In no way does that grant one the ability to implement [nearly any significant set of] fixes. It is unfortunate the distinction is either lost or assumed in these discussions.

    7. Re:Obligations to fix flaws by Jeremi · · Score: 2
      And I know that I would not feel comfortable running a fix that didn't come from the software maker.


      You would prefer to continue running software with a well-known, publicized security hole? That's like discovering that the lock on your front door accepts any key, and then refusing to replace it with any other brand of lock.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    8. Re:Obligations to fix flaws by NineNine · · Score: 2

      This is an excellent point. At least with proprietary software, with enough money you can FORCE a company that you bought software from to fix it. It happens all of the time with big companies... Problem with IIS? Well, a call from any grunt at IBM will get 'em moving. Problem with Apache? Nobody has any obligation whatsoever to fix it.

      And THAT'S why most businesses will never move to OSS as a primary platform. Business is built on relationships and contracts. If there's no contract, there's nothing to fall back on when things go wrong (and things *always* go wrong).

      Would you rather spend a little extra and get a car with a warranty, or a car "as is"? I'll spend the extra and get the warranty. I'm not a mechanic, and I'm not paying for a fucking mechanic.

    9. Re:Obligations to fix flaws by Xaoswolf · · Score: 5, Insightful
      This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software.

      Open source developers are more responsible than closed source developers? Could you please tell me why?

      It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix.

      Does it work as a word processor? Will it allow you to read, write, print, and format documents? Well if it didn't do those, then I would say it is a major problem. If it emailed personal information to random people on start up, then I would call it a problem, or if it caused your firewall software to crash everytime you opened a .doc file, I would call it a major problem.

      If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?

      Perhaps because I am not a software engineer, and I know that my mother barely knows how to operate the mouse, let alone debug complex software.

      The problem here, is that someone found a way to exploit a Microsoft Word Feature. Now we can tell them to do things in the name of security, oh wait, isn't that what we all complain Bush is doing?

      A very famous man once said something along the lines of "They who would give up an essential liberty for temporary security, deserve neither liberty or security".

      You are giving up features for temporary security. Anything Microsoft does will be a temporary fix. There are enough hackers out there that hate microsoft that no matter what, they will find a new way to exploit the software. Now before I hear any, "that's because microsoft sucks, use linux" comments, if all the people out there trying to find cracks and exploits for MS Software were instead going against Linux, or other open sourced applications, you'd find just as many problems.

      Don't believe me. Put up an apache web page on a linux box, or what ever opensourced so. Now have the only line on the page say "You can't hack this box". Get a link somewhere that people are going to see it, and then talk to me in a month as to how safe your page was.

    10. Re:Obligations to fix flaws by ryanwright · · Score: 2

      Would you rather spend a little extra and get a car with a warranty, or a car "as is"? I'll spend the extra and get the warranty. I'm not a mechanic, and I'm not paying for a fucking mechanic.

      Your analogy is flawed. Here's one that may be more appropriate:

      Would you rather spend money and get a car with a warranty that has locks under the hood you can't bypass and a dealer that takes their sweet ass time fixing the car when it breaks (sometimes not fixing it at all), or would you rather get a free car that you can fix whenever you like, and as a bonus, lots of helpful people will tell you exactly how to do so?

      The last company I worked for spent many hundreds of thousands of dollars with Microsoft every year. And every single time there was a problem, we spent hours on the phone with those idiots getting it resolved. Most of the time, it never did get resolved, or took months for Microsoft to issue a hotfix. Why they didn't just hire a couple of software developers at $80k a year/each and deploy Linux is beyond me...

      --
      -Ryan, with the unoriginal sig
    11. Re:Obligations to fix flaws by CorwinOfAmber · · Score: 2, Insightful
      At least with proprietary software, with enough money you can FORCE a company that you bought software from to fix it.

      Maybe. But with Free software, you can hire the original developer, or any competent programmer, to fix it. If you've got the money to throw around, you can hire the best programmer in that particular domain. With proprietary software, you are always at the original developer's mercy.

      If there's no contract, there's nothing to fall back on when things go wrong (and things *always* go wrong).

      As opposed to the contract you have with proprietary software that indemnifies the publisher from any and all responsibility when things go wrong? Forgive me, but I am so tired of this argument. How much responsibility did Microsoft claim over Code Red?

      Would you rather spend a little extra and get a car with a warranty, or a car "as is"?

      This analogy is not even remotely accurate. A better analogy would be that the car without the "warranty" has a number of mechanics who like to work on the car, and many of them are perfectly happy to come to your house at any time of day and fix it for you, free of charge, or maybe for a beer or two. But if you get the car with the "warranty", when something goes wrong you first have to tow it to the dealer, then you have to demonstrate to the dealer that it's broken, then you have to prove that the problem is covered by the warranty (that's not a bug, it's a feature!). And even then, the dealer might decide that he doesn't want to fix it, and there's nothing you can do about it (unless, of course, you can get some grunt at IBM to lean on him).

      --
      My future's determined by Thieves, thugs, and vermin -- The Offspring
    12. Re:Obligations to fix flaws by fishbowl · · Score: 2

      By that logic, you should not be allowed to
      fix your own car, because you are not a professional mechanic.

      But, this logic is also going to discourage you from hiring a professional mechanic, because any law that "protects" you from working on your car,
      will also "protect" the mechanic from working on your car for hire or trade.

      So what you're suggesting is that not only should the carmaker have some legal basis to prevent you from working on your own car, but that you would also support them preventing you from hiring someone to do it. And if the manufacturer won't or can't fix it, that you're fine with just leaving it broken, and being forced to get a new one.

      You have not even considered that many people develop and modify software for a living. Or maybe you're willing to have one law for Microsoft and another law for everyone else.

      --
      -fb Everything not expressly forbidden is now mandatory.
    13. Re:Obligations to fix flaws by ncc74656 · · Score: 2
      This is an excellent point. At least with proprietary software, with enough money you can FORCE a company that you bought software from to fix it. It happens all of the time with big companies... Problem with IIS? Well, a call from any grunt at IBM will get 'em moving. Problem with Apache? Nobody has any obligation whatsoever to fix it.

      That's great...if you happen to be IBM. If you're Joe Schmuckboy, Microsoft is as likely to tell you to FOAD as it is to fix the problem. If they tell you to FOAD, what are you going to do about it? Aside from not buying their stuff ever again, what can you do about it?

      Would you rather spend a little extra and get a car with a warranty, or a car "as is"?

      You must never have seen the EULA associated with nearly every closed-source product. You get no warranty WRT the software's proper functionality or fitness for purpose. Don't believe me? Here's the relevant section of the EULA associated with downloads from Windows Update (edited into mixed-case):

      Disclaimer of warranties. To the maximum extent permitted by applicable law, Microsoft and its suppliers provide to you the OS Components, and any (if any) support services related to the OS Components ("Support Services") as is and with all faults; and Microsoft and its suppliers hereby disclaim with respect to the OS Components and Support Services all warranties and conditions, whether express, implied or statutory, including, but not limited to, any (if any) warranties, duties or conditions of or related to: merchantability, fitness for a particular purpose, lack of viruses, accuracy or completeness of responses, results, workmanlike effort and lack of negligence. Also there is no warranty, duty or condition of title, quiet enjoyment, quiet possession, correspondence to description or non-infringement. The entire risk arising out of use or performance of the OS Components and any Support Services remains with you.

      Exclusion of incidental, consequential and certain other damages. To the maximum extent permitted by applicable law, in no event shall Microsoft or its suppliers be liable for any special, incidental, indirect, punitive or consequential damages whatsoever (including, but not limited to, damages for: loss of profits, loss of confidential or other information, business interruption, personal injury, loss of privacy, failure to meet any duty (including of good faith or of reasonable care), negligence, and any other pecuniary or other loss whatsoever) arising out of or in any way related to the use of or inability to use the OS Components or the Support Services, or the provision of or failure to provide Support Services, or otherwise under or in connection with any provision of this Supplemental EULA, even if Microsoft or any supplier has been advised of the possibility of such damages.

      Limitation of liability and remedies. Notwithstanding any damages that you might incur for any reason whatsoever (including, without limitation, all damages referenced above and all direct or general damages), the entire liability of Microsoft and any of its suppliers under any provision of this Supplemental EULA and your exclusive remedy for all of the foregoing shall be limited to actual damages incurred by you based on reasonable reliance up to the greater of the amount actually paid by you for the OS Components or U.S.$5.00. The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails its essential purpose.

      It seems pretty clear that you have no recourse if the updates made available manage to FUBAR your system (as Win2K SP3 did to several of my computers). Please explain how this is any different from the situation you face with open-source software, other than that open source doesn't tie you to the software vendor for support.

      --
      20 January 2017: the End of an Error.
    14. Re:Obligations to fix flaws by Rutulian · · Score: 2, Informative

      Yeah, 'cuz whenever I suspect a shortcoming in the Linux kernel, I break out emacs and beat it back into shape. Right. After I correct any perceived shortcomings in emacs, that is.

      Err...Ummm, this is an argument I see a lot and it just doesn't make sense. You may not be able to fix the problem yourself, but that is not the point. The point is that the decision to fix the problem is not left solely to a large corporation that only cares about the numbers on its ledger.

      Sure, you probably aren't a software developer who is intimately familiar with all of the programs you use. Nevertheless, you are still much more likely to obtain a fix because the source is freely available. If you don't provide the fix (or pay someone to provide the fix), then somebody else probably will, provided it is a large enough problem. Furthermore, since open source developers tend to care more about the quality of their software than financial gain to be had (i.e: they don't have management and marketing breathing down their necks), the core developers of the project in question will probably fix the problem themselves and/or roll a patch into the main tree, again provided the problem is serious enough and the patch doesn't break anything.

      Note: I use "problem is serious enough" as an umbrella term to refer to the number of people experiencing the problem, the type of problem (security, functionality, aesthetic, etc), the effect the problem has on other aspects of the program, etc...

    15. Re:Obligations to fix flaws by DunbarTheInept · · Score: 2

      The point is that a lot of other people *can* even if you *can't*, and that does give you value in the end. You benefit from more eyeballs looking at the code even if those eyeballs aren't yours. The fact that one doesn't have to work for General Motors in order to be able to do maintenance on my car causes there to be more information about my car out there, more choices of mechanics to go to, and lower prices for repairs. These are benefits even though *I* don't know how to fix my own car.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    16. Re:Obligations to fix flaws by simm_s · · Score: 2

      I agree Open Source developers are no more responsible than Proprietary Software Developers when it comes to fixing security flaws.

      Open Source developers need to get the point across that if a closed source software company does not feel the bug is worth fixing there is nothing that the customer can do. When dealing with opensource you have the power to fix the problem. If you do not have the knowledge to fix the problem you could probably hire someone with the knowledge to fix it.

      About your security rant:
      You contradict yourself by saying "if all the people out there trying to find cracks and exploits for MS Software were instead going against Linux, or other open sourced applications, you'd find just as many problems."

      Then you say: Put up an apache web page on a linux box, or what ever opensourced so. Now have the only line on the page say "You can't hack this box". Get a link somewhere that people are going to see it, and then talk to me in a month as to how safe your page was.

      If hackers weren't trying to find linux exploits, then why would they bother with the apache box in that example?

      The truth is Windows Software tends to be less secure because of feature bloat. They need a reason to keep selling newer versions of Word even though they got 99% of the needed features finished in Word 97. When you keep adding features your software loses focus and starts to do things they were not intended to do. This bug is a perfect example. The bug does not exist because Microsoft coders are bad per se (I know a few who kick ass), but because features are laid on top of more features. The software grows exponentially as more communication paths between objects increase.

    17. Re:Obligations to fix flaws by ncc74656 · · Score: 2
      I didn't claim that there's any difference between the typical closed-source EULA and the typical open-source license WRT merchantability, fitness for purpose, etc. I was debunking the analogy made here to a car sold with a warranty vs. a car sold as-is, since both the closed-source and open-source products are offered as-is. The car with the warranty typically costs more, but you expect to pay more because it has the warranty. With closed-source software, your money doesn't buy you a comparable level of protection.

      The only difference I see is that Microsoft can use a shift key, whereas RMS has a stuck CAPS LOCK.

      Read my post again...the section of MS's EULA that I quoted was originally all-uppercase. I fixed it so that it was mixed-case. I also didn't insert <br> tags after each line (as you did), so that it'd wrap properly.

      --
      20 January 2017: the End of an Error.
    18. Re:Obligations to fix flaws by IanA · · Score: 2

      >>This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software.

      Open source developers are more responsible than closed source developers? Could you please tell me why?

      If it's open source, I myself or any number of other people can choose to fix it. With closed-source only the original developers can fix it, and that's if the company which controls the software allows them to, and then allows subsequent publication of said fix.

    19. Re:Obligations to fix flaws by Old+Wolf · · Score: 2

      I'm a proprietary developer and I'm out to make good software.

      I am working on the theory that if you write good software then people prefer it to competition software that has more bugs and is harder to use and has less features.

      Of course this theory breaks down when you have companies with big marketing machines but that isn't everyone :)

    20. Re:Obligations to fix flaws by great+throwdini · · Score: 2

      The point is that a lot of other people *can* even if you *can't*, and that does give you value in the end.

      No, the original point I was trying to make is that those who speak of open source initiatives in glowing terms of user empowerment need to be more aware of the intricacies involved. This is especially true when one (as with the poster to whom I was responding) generalizes the benefit to encompass all end-users to the extent that we all become capable of fixing things for ourselves.

      I'll engage your point (above) a bit: That many people are given the opportunity to inspect the source to a program offers no guarantees it will benefit you, as a particular end-user. For a number of projects it does. For others, it won't. [1] For others, the crush of feedback from other users may actually interfere with your own use of a program. [2] Any number of outcomes are possible, and I haven't really seen solid, empirical evidence that the benefit of open source to the end-user applies in a majority of cases.

      The fact that one doesn't have to work for General Motors in order to be able to do maintenance on my car causes there to be more information about my car out there, more choices of mechanics to go to, and lower prices for repairs.

      The above analysis treads on new ground, that of obtaining contract work at a reasonable rate [3] and of developing a population of users and developers where free market forces will lead to reasonable fees [4] and sound distribution channels.

      It's not that I don't think benefit never accrues for the end-user, I just think everyone involved needs to be a bit more realistic about the true benefit of open source, its strengths and its limitations.

      [1] The case of an end-user stuck with software with no identifiable, active, or accommodating developer base comes to mind. See [3] as well for the challenge of perception (i.e., "will anyone think my issue worth fixing?").
      [2] Instances of so-called "bloatware" applications would apply here (e.g., the Mozilla Project, for some).
      [3] See my questioning of individual cost here.
      [4] See the remarkably insightful response to [3] here - moderators, kubrick really deserves a mod upward, IMO.

    21. Re:Obligations to fix flaws by great+throwdini · · Score: 2

      The point is that the decision to fix the problem is not left solely to a large corporation that only cares about the numbers on its ledger.

      No, I don't believe the point has anything to do with the demonization of corporate America. One might be tempted to argue that a business charging for software services would be more willing (or, at least, "smart") to correct flaws in their products because failure to do so might impact their bottom line (e.g., loss of consumer confidence). Obviously, things could go either way, but the level of support afforded to software need not be impacted determined by the presence or absence of a corresponding financial transaction.

      Nevertheless, you are still much more likely to obtain a fix because the source is freely available.

      And developers are always freely (in any sense of the word) available for any project. Right. Whatever.

      If you don't provide the fix (or pay someone to provide the fix), then somebody else probably will, provided it is a large enough problem.

      Which returns me to a core issue I originally raised: cost to the end-user. This may be a greater burden than you imagine in a number of cases. It may even be an issue with otherwise active and responsive developers who simply don't agree that your problems are significant or worth their time. It's an easy out for you to take in arguing that money can solve any problem the end-user might encounter. Should the costs associated with using an open source package rise too high, the importance of whether said package is open or not is largely moot. Users will simply go elsewhere.

      [S]ince open source developers tend to care more about the quality of their software than financial gain to be had[...]

      I would love to live in the world you do, but OSS developers still need to earn a living and the quality of a software package is measured by the quality of its developer contributions, not the licensing by which it is governed. I would suggest you remove your rose-tinted spectacles.

    22. Re:Obligations to fix flaws by Tony+Hoyle · · Score: 2

      I'm also a proprietary developer out to make good software, but when I've just fixed a 'can you make this window look completely crap' bug that took two days and was marked 'critical' even though I know there are half a dozen crashing bugs marked 'minor', I'm generally just glad to get out of the office, and sod the quality (the boss likes to design UIs that look like a cross between DOS and a puking session).

      However for the opensource stuff that I do, I can manage the priorities myself so I know which bugs to fix first and which can wait. There's less pressure, so I can work when I'm not tired/burnt out, so fewer bugs in the first place. I care more about the customers because I know who they are and am on good terms with a number of them.

    23. Re:Obligations to fix flaws by dublin · · Score: 2

      Why they didn't just hire a couple of software developers at $80k a year/each and deploy Linux is beyond me...

      <SARCASM>Perhaps because they're in business to make money, not support an IT staff?</SARCASM>

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
    24. Re:Obligations to fix flaws by sehryan · · Score: 2

      No, I prefer not to take the lock off the door and fix it myself. I also prefer not to let some stranger that isn't affiliated with any lock company to take the lock away and fix it, then hand it back to me. If you live in a world where you are fine with the latter option, I hope you don't keep anything valuable in your house.

      --
      The world moves for love. It kneels before it in awe.
    25. Re:Obligations to fix flaws by ryanwright · · Score: 2

      Perhaps because they're in business to make money, not support an IT staff?

      Considering the 20+ IT staff we already had, I really doubt that had anything to do with it.

      Making money generally involves spending it. Spend less to get the same results, and you make more money. On purely financial terms, the solution as to which OS to deploy should be obvious.

      --
      -Ryan, with the unoriginal sig
    26. Re:Obligations to fix flaws by DunbarTheInept · · Score: 2
      All the alleged downsides you mention about open source are downsides of BOTH open and closed source. With closed source you can also end up being stuck with software with no identifiable developer - when the company that made it isn't around anymore, or isn't supporting the product anymore. The difference is the size of the set of people who are allowed to fix the problem. With open source, the size of that set is the population of the earth. With closed source, the size of that set is zero.


      Which would you rather have? A lack of a guarantee that your problem will get fixed (open source) or the existence of a guarantee that it WON'T (closed source)?

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  9. catching up to emacs by Frymaster · · Score: 2, Funny

    finally, word is catching up to emacs 1988!

  10. Re:Bad Developer, BAD! by Loligo · · Score: 5, Insightful

    >Well, that sounds like an excellent motivator to
    >try harder to get it right the first time!

    Name one major software product that has been bug-free from initial release.

    For that matter, name one major software product that has ever been bug-free at any point in its lifetime.

    -l

  11. MS-Word and document exchange by Charles+Dodgeson · · Score: 5, Informative

    Yet another reason why MS Word is not a document exchange format. That rant is also available in other formats.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
    1. Re:MS-Word and document exchange by Mr_Silver · · Score: 2
      Yet another reason why MS Word is not a document exchange format. That rant is also available in other formats

      I stopped reading when I hit this:

      Word produces probably the worst output and is the slowest and most tedious to work in of any document preparation system I've seen in the past 15 years. I find it remarkable that when people are presented a choice between a structural mark-up system (what you mean is what you get) versus a visual mark-up system (what you see is all you get) people opt for the latter. For more on this point see section 5.2.

      This is all personal opinion. Having used other document markup formats (yes, even writing Postscript by hand - we did it at university) I completely disagree with the comment "the worst output and is the slowest and most tedious to work in of any document preparation system".

      If he'd stuck to the facts and stopped throwing in personal opinion it would have been more credible - but to make a comment like that and advocate Latex (for God's sake, Latex over Word - are you kidding?), sorry, but no.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
  12. Old software is a risk? by m_chan · · Score: 4, Insightful

    Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software, but Microsoft should correct the problem because of its severity.

    I am having a hard time getting my head around the concept that newer software equals software with "less risk". I do not understand why a product, open or closed, is inherently more "risky" due to its age. Perhaps she means un-patched old software? Is she advising users of a genuine risk, or is she making the case for a revenue stream and saying that IS Managers who do not stay "less old" in their application selections are jeopardizing their companies? Although she admonishes Microsoft to fix the problem, it seems her implication is that said managers are negligent, as opposed to the software vendor who may or may not patch the hole they wrote.

    1. Re:Old software is a risk? by mttlg · · Score: 2
      I am having a hard time getting my head around the concept that newer software equals software with "less risk".

      You're not the only one. One of the main reasons why Office 97 is still in use is because of how long it has been around to prove itself. I know my company tests software fairly extensively before making any mandatory desktop upgrades - Office 97 is still the standard here, and Windows 2000 wasn't installed across the company until last fall. When productivity (money) is at stake, most companies will not risk switching to unproven software, and many might choose not to switch at all if the existing solution works. It is especially true with Windows that any significant change could result in serious problems, no matter how much testing has been done. Multiply that by thousands of employees, and that's some serious IT overtime, er, I mean decreased productivity.

    2. Re:Old software is a risk? by anonymous+loser · · Score: 3, Insightful

      I think the general thinking behind statements like this is the same reason Redhat 7.2 is more secure than say Redhat 3.0. The software has been around longer, so more security holes have been found and exploited. Granted, there are patches available but in general you could say that the newer versions are more secure with respect to these known exploits, since the patches are already built-in to the newer release.

    3. Re:Old software is a risk? by reverse+flow+reactor · · Score: 2

      New software has new features. New features have not been tested in the wild. New features have their own security issues.

      Old features may be more secure on more recent software, but most new software has new features as well. It is a continuous cycle:

      1. write software

      2. release version 2, with new features and fixes for old problems

      3. release version 3, with new features, and fixes for problems in versions 1 and 2...

      --

      The significant problems we face cannot be solved by the same level of thinking that created them. -Einstein

    4. Re:Old software is a risk? by anonymous+loser · · Score: 2

      I'm well aware of this. My point is that the known exploits are already taken care of in newer versions, whereas they still exist, *and are well known* with older versions. At least with the new stuff someone has to find the exploit first. It's kind of like "security through obscurity." No, it's not actually more secure in reality, because in the long haul someone will find an exploit, but in the short term it is more secure than something that has known security holes.

      The main problem with known security holes is that there are 1 million skr1pt k1dd13z that can find them in 10 seconds or less. Nobody has written scripts yet for unknown exploits, so it's not as likely you'll be compromised right away.

    5. Re:Old software is a risk? by Reziac · · Score: 2

      OTOH, if a risk is significant in the Real World[tm], I'd think 5 years would be sufficient for it to be so demonstrated, by a reasonably-large number of realworld attacks. Not to say that it can't still happen, but I wouldn't hold my breath waiting for it.

      But as the first poster says, it's not like older software just ups and grows fresh new warts because it's old :)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  13. Not True by DaytonCIM · · Score: 5, Informative

    "Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold."

    That's not entirely true. It is true that before this story broke, Microsoft had no plans on updating or offering any new fixes for anything '97.
    However, CNN and AP reported this morning that Microsoft hasn't ruled out a fix and that they are in the process of determining what it would take to make a fix available.

    1. Re:Not True by sacrilicious · · Score: 2
      It is true that before this story broke, Microsoft had no plans on updating or offering any new fixes

      Sorta sweeps under the rug the distinction between "Microsoft didn't know of any need to update" vs "Microsoft probably wouldn't have considered offering an update except for the bad press snowballing".

      How comforting.

      .

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
  14. hidden codes by ndevice · · Score: 2, Insightful

    quote from the article:

    "Microsoft suggests users view hidden codes in every document they open"

    Most people I know don't even like looking at non-printable characters...

    While they're at it, they may as well suggest that everyone examine binaries manually before they run them.

  15. It's not surprising by Kakarat · · Score: 2, Insightful
    However from a business point of view, it's not effective to keep patching very old code for something that is fixed (or will be) in a newer version of code. Also, they want to give users a reason to get off their old software and have them pay more money to upgrade.

    --
    "I bet I'll get blamed for this." --Mayor Quimby
  16. Re:Is it just Microsoft with this problem? by SirSlud · · Score: 2

    My interpretation is that the file is attached 'silently' - the user is unaware that the attachment was made.

    I say this only because it's so obviously not an exploit if the user must willingly select a file, even if s/he is not aware of what action spawned the file dialog window.

    I think it's a pretty serious exploit if that is indeed the case.

    --
    "Old man yells at systemd"
  17. file sharing by RGRistroph · · Score: 3, Funny

    Is there any way we can make a filesharing protocol based on this, and have gateway machines that mirror files that are behind fascist firewalls that block gnutella ports to gnutella ? A kind of really long latency email server ?

  18. Re:Bad Developer, BAD! by SquadBoy · · Score: 2

    I have a "hello world" Perl script that is at 7.6.5 and has been bug free for its entire lifetime. :) Oh wait that is not so much what we like to call major is it? Oh well.

    But on a serious note I think that there are bugs and then there are bugs. And this certainly falls into the latter category. So I think instead of just saying bug one should say glaring borderline negligent bugs should fall under this. And I can name many major software products that have *never* had anything even close to this bad.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  19. Ridiculous by legLess · · Score: 2
    From the article:
    Microsoft suggests users view hidden codes in every document they open. In Word 2002, the latest version, that can be done by selecting tools, options, then checking the "field codes" box.
    Fucking Jesus. The only justification for paying hundreds of dollars a year to a software behemoth is the expectation that your software is secure and usable. What they're admitting is that their software is so insecure that you have to become an expert in (what are for most people) arcane configuration options just to make sure your software doesn't bite you in the ass.

    Satirizing this stuff is almost obsolete. Your word processor can send confidential files without you knowing it? What's next, your email client and movie player? Oh ... wait ...

    See? That's hardly even funny anymore - people expect it. Timothy's right, though - the rubber meets the road with the IT manager. When users come to you asking for an office suite for home, play up what a nightmare Microsoft malware is, and how easy and free OS software is. People are starting to get this, and OS software is going to empower them.
    --
    This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
    1. Re:Ridiculous by stratjakt · · Score: 5, Insightful

      "play up what a nightmare Microsoft malware is, and how easy and free OS software is"

      No, I'd say use your head and give some insightful advice, rather than spout off like a ranting zealot. Don't "play up" anything. Give the truth.

      Don't lie about how easy it is to install and configure the OSS equivalents. Don't pretend they're going to be 100% compatible. And in God's name, stop with the "microsoft owns your soul" rants. Once that user realises you lied, there goes your credibility, your 'stroke'. Next time they'll ask for advice from the kid at the counter of the local Office Depot.

      If OSS is going to 'empower' people, it won't be through a bunch of FUD and politics. Let it sink or swim on its own virtues.

      This isn't a message directed at you, but rather to all who want to actually help open source be taken seriously.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Ridiculous by legLess · · Score: 2
      All communication is selective. In a finite amount of time there's only so much you can say, and what you say is determined by your own personality and viewpoints. Against this backdrop, all communication is by necessity part propaganda, and it's dishonest not to acknowledge that. You say "truth," and I read "truth as you perceive it." You likely end up communicating the same thing, but it's a different internal approach.

      I'm not saying we should lie to anyone. You're right that disappointed expectations harm your case in both the short and long terms, and perhaps I could have phrased that sentence better. Tell someone how perfect OpenOffice is and at the first hint of trouble you'll look like a liar. Under-promise and over-deliver.

      And in God's name, stop with the "microsoft owns your soul" rants.
      Microsoft is moving as fast as they think they can afford to a subscription model. If this is implemented, then people will literally be paying a monthly vig to Microsoft just to access their own data. So no, they don't own your soul, but they will own your letters to grandma (in the sense that one of the rights of ownership is the ability to deny access).

      If OSS is going to 'empower' people, it won't be through a bunch of FUD and politics. Let it sink or swim on its own virtues.
      Those virtues still have to be touted by someone. I used to run the network for a large architecture firm, and people asked me for software all the time. After a while you get to know people, and many of them just aren't ready to futz around with (e.g.) OpenOffice. But those who are will still need a little encouragement.

      What it boils down to is that the number one thing preventing most people from learning more about software is fear, and the conviction that it's all very difficult and arcane. Before they can learn anything they need to be in a receptive state of mind.
      --
      This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
    3. Re:Ridiculous by stratjakt · · Score: 5, Interesting

      I'm only coming from personal experience, in particular an experience we had at work with SaMBa.

      We had this paper tiger straight from the "newbie factory" of the local college. We had a task for a particular client, which boiled down to a fileserver with a big shared folder for images (photos).

      So, this kid starts immediately frothing at the mouth about linux and SaMBa. He lied (probably out of ignorance) about how it's completely seamless on a Win2k network. He ranted about how much we'll save by not having to pay to license another copy of Win2k for the client.

      Well, he got the marketing types convinced. Next thing I know, we're (we as in ME, I do the work around here) knee deep in all the kludges, hacks and nonsense involved in getting the SaMBa box to work exactly as we wanted it to, logging onto the Win2k domain, retrieving user lists, faking NTFS security, etc.

      The management, the client, everyone involved became increasingly frustrated.

      Long story short, we pissed away countless man-hours before finally acquiescing and just installing another Win2k pro box, which took all of 5 minutes to configure.

      The kid has since left, and now about 6 months later, I have other projects that scream for the likes of linux, SaMBa, MySQL. No one in this office wants to hear it, and think I've become some sort of zealot.

      To me, it's just a matter of the right tool for the right job. SaMBa wasn't the right tool for that task, but it is for others. But the frenzied ideology has basically driven it out of this office, at least for the time being.

      It's just an anecdotal example of how one well-meaning zealot can do much more damage than good. It happens to be one of my pet peeves.

      So, in the meantime, I continue to advocate OSS solutions where they're practical. And it's slowly but surely working. I was actually allowed to use a spare pentium box and CoyoteLinux to replace a buggy router in our testing 'bullpen'.

      I guess I don't see OSS as 'a cause'. I try to think through problems logically and practically. Sometimes OSS is a logical, practical solution. Sometimes not. I just hate my options being slowly limited as people in the 'industry' line up on one side of the imaginary fence or the other.

      --
      I don't need no instructions to know how to rock!!!!
    4. Re:Ridiculous by shepd · · Score: 2

      >Don't lie about how easy it is to install and configure the OSS equivalents.

      Of all things, this is where open office, as open source software shines, though.

      The installer is extremely fast, intuitive, and easy to use by anyone. Plus, it even shows you the amount of time left to complete the install.

      Not to mention the actual networkability of open office and just how easy that is to set up and use.

      Why not "play up" something if it is true, and not the lie you incorrectly suggest it is.

      And someone, fix the spacebar on this machine, please! :-)

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    5. Re:Ridiculous by stratjakt · · Score: 2

      The installer for OpenOffice is easy. By contrast, I'd say the later installers for MSOffice are counter-intuitive and try to install everything to 'run from CD' by default. Which leaves you with a machine that constantly asks for the Office CD for no good reason at all.

      I was just speaking generally, see my other post in this thread about my anecdote about the kid who tried to make "configuring SaMBa sound as simple as shitting down a stove pipe"

      My only point is that OSS is hurt by ideologues and zealots often more than it's helped.

      --
      I don't need no instructions to know how to rock!!!!
  20. You say to-may-to, I say to-mah-to. by unsung · · Score: 2, Funny


    Hey, new feature in Word!

  21. Re:Bad Developer, BAD! by Anonymous Coward · · Score: 5, Funny

    >>product that has been bug-free from initial release

    Citronella candles?

  22. 10 years by thunderbug · · Score: 2, Insightful

    The auto industry is required to make parts available for 10 years past the model year. Makes sense.

    Why not apply the same rule to software security fixes? Sure would do a lot to motivate better design.

    1. Re:10 years by mrm677 · · Score: 2

      The auto industry is required to make parts available for 10 years past the model year. Makes sense.
      Why not apply the same rule to software security fixes? Sure would do a lot to motivate better design.


      Because software isn't really regulated. Think about it...can you build your own "open-source" automobile and operate it on public highways without it being approved by the Department of Transportation? I'm not sure, but I'm guessing you can't.

      If the software industry is forced to make "security fixes" available for 10 years after initial release, then there will have to be some kind of authority that approves software packages (which of course would cost money) such that a company is legally responsible. Then there would be even less incentive for businesses to use open-source packages because their closed-source competitors have to legally provide 10 years worth of security fixes.

  23. Re:Bad Developer, BAD! by fobbman · · Score: 3, Funny

    The free upgrades that you seek can be downloaded here. Just don't go telling everyone because people will take advantage of their generosity.

  24. Some clarification by agantman · · Score: 5, Informative

    1) IMHO the emphasis on Word97 is wrong. I originally tested this on Word2000 and it worked perfectly.

    2) I was not out to find yet another M$ bug. I was using Word for my daily work when I stumbled onto this. It was one of those "I wonder what this button does" things.

    3) The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file. In other words, just editing and saving (or printing) the bugged file is sufficient. Look for a new bugtraq post early next week.

    1. Re:Some clarification by Cy+Guy · · Score: 3, Insightful

      Could a SlashDot editor please include this info as an update to the story?

      I'd ask that it be modded up but it's already maxed out.

    2. Re:Some clarification by sharkey · · Score: 2

      1) IMHO the emphasis on Word97 is wrong. I originally tested this on Word2000 and it worked perfectly.

      IMHO, the emphasis on Word97 is due to the fact that Microsoft is hinting that they won't fix that version, only 2000 and 2002, which also have the problem.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    3. Re:Some clarification by Reziac · · Score: 2

      I'm wondering if "c:\my documents\*.doc" could be exploited, instead of needing the exact filename.

      BTW one can normally determine the originating system's default paths for various stuff like documents by examining the .doc file with a hex viewer.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  25. Re:Riiiight by Oliver+Wendell+Jones · · Score: 2, Flamebait

    The corporation I work for (which is huge, BTW) still uses Office 97 and Outlook 98 on Windows 2000 as our desktop configuration.

    We are currently planning to upgrade to Windows XP in the next 6 months, but the plan is for us to continue to use Office 97 as there are no compelling business reasons for us to upgrade to later versions.

    Office 97 does *everything* we need it for. Period.

    Visio 2000 is the only 'recent' version of any Microsoft software that we currently use.

    --
    A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
  26. If you can persuade someone to do that... by Corvaith · · Score: 2

    ...why not just ask them to send you their addressbook or whatever?

    If people are going to be doing this to documents from people they don't know, I don't know how they're going to be smart enough to figure out that joe12345@hotmail.com isn't actually their tech support guy/marketing person/whatever who needs this file for some real reason?

    1. Re:If you can persuade someone to do that... by ctid · · Score: 2

      I don't know about that. I've just been watching a documentary about building aircraft. They were talking about how the design and production of modern aircraft involves the work of hundreds if not thousands of companies. Suppose you're cooperating with some other company on supplying materials for an aircraft being built by a third company. It's not beyond the bounds of possibility that your partner in this part of the contract might be a competitor in another part of the same contract (or in other contracts). And I'm sure some organizations exchange MS Word documents by email, with both recipient and sender alternately making edits. I think this stinks, actually. This is pretty serious for contracting companies that use MS Word documents cooperatively. I'm not suggesting that there are organizations out there that are going to lose millions because of this flaw. But even the most perfunctory security audit must address holes like this. Unfortunately, I expect many organizations will just upgrade to a later version of Word.

      --
      Reality is defined by the maddest person in the room
  27. Silly users by hrieke · · Score: 2

    I realize that Joe User wouldn't notice half the time, but when a document jumps in size you'd think they would wonder about that.
    That and the fact that most people don't delete their old mail.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  28. stealing files? by TheGratefulNet · · Score: 2
    what if I have mp3's on my hard drive?

    maybe we can get the riaa involved and sic them on M$ since it's M$ that is causing the 'file sharing' violation (ie, if some user 'shares' files via Word that weren't for public consumption).

    wouldn't that be schweet to get M$ in trouble with the riaa. I'd buy a ticket to THAT event!

    --
    "It is now safe to switch off your computer."
  29. New backdoor policy. by supabeast! · · Score: 4, Interesting

    I'm not making any accusations *cough*, but does this strike anyone else as a great addition to Microsoft's "fuck them over and make them upgrade" business model? Leave a product full of security flaws, and, years later, when people aren't upgrading to the new version, refuse to fix security flaws in the old versions.

    Refer to:
    http://news.com.com/2100-1001-273276.html
    http://news.com.com/2100-1001-253578.html?legacy=cnet

    1. Re:New backdoor policy. by dirk · · Score: 2

      I'm not making any accusations *cough*, but does this strike anyone else as a great addition to Microsoft's "fuck them over and make them upgrade" business model? Leave a product full of security flaws, and, years later, when people aren't upgrading to the new version, refuse to fix security flaws in the old versions.

      While yes, this could fit into your conspiracy theory, eventually software has to stop being supported. Try to get a fix for WordPerfect 4.0 or MacOS 6, there won't be one. Office97 is 5 years old, in computer terms, that is a lifetime. Eventually, old software stops being supported. I think 2 versions and 5 years later is a fair amount of time to support a product.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  30. Simple solution? by Target+Drone · · Score: 2, Funny
    From the article: Microsoft suggests users view hidden codes in every document they open.

    Uh huh. Like that's going to happen.

    I imagine next month they're going to suggest that everyone view the source for web pages they visit to get around the latest IE bug.

  31. Is this a macro virus? by smittyoneeach · · Score: 3, Funny

    Turning on Tools | Options | General | Macro virus protection ought to help. Yes, I looked at the Word97 menu to validate that...
    It strikes me that I know enough VBA that I could probably write some horrific trojan .doc's, lacked I all self respect.
    While no great supporter of his Majesty Satanic, this article seems rather a stretch of the /. motto 'News for nerds, stuff that matters'. It's not news, for nerds, nor does it matter.
    Come to think of it, such a stunt is likely also possible in Word Basic under Lose3.1, for the 286 diehards out there. Shall we also excoriate Redmond for failing to skin dive in that septic tank of code? Some old bastard in Scottsdale, AZ might be writing his memoir using that application, you know...

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    1. Re:Is this a macro virus? by smittyoneeach · · Score: 2

      Ah, the "field codes". They can do some interesting things, but rival JavaScript for bearishness...

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  32. A Poorly-Written Article by guttentag · · Score: 3, Funny
    Microsoft's flagship word processor has for years had a security flaw that could allow a criminal to steal computer files by "bugging" a document with a hidden code.
    Oh good. My secrets are safe because I don't know any criminals. The only people after my documents are ambitious marketing managers, who may be similar to criminals, but are not.
    The company said it will definitely repair the problem only for owners of the most recent versions of the software. That decision -- still left largely up in the air by Microsoft engineers -- may leave millions of users of Word 97 without a fix.
    So are they "definitely" fixing it for owners of the most recent versions, or is it "up in the air?" Paging Copy Editor, aisle six. Cleanup in aisle six.

    Incidentally, Microsoft isn't "leaving millions of users of Word 97 without a fix." The fix is to upgrade your five-year-old copy of Word, get all the "great" features Microsoft has included since 97, and put money into Microsoft's coffers so they can develop great new features for Word 2007. Of course, that's Microsoft's solution. The better solution is to wipe your hard disk and download the Red Hat ISO or buy a Mac before you become further entangled in Microsoft's web.

    "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."
    If they were that gullible, this is the least worrisome of their problems.
    Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software...
    FUD in an AP article? I am shocked!
    Microsoft suggests users view hidden codes in every document they open.
    I hope that's not the fix. "Ford suggests drivers check their oil and tire pressure before each time they start their cars."
    1. Re:A Poorly-Written Article by guttentag · · Score: 3, Funny
      I don't know about your Ford, but my Merkur manual suggests that I check oil, tire pressure, transmission fluid, etc before starting my car or driving it. Come to think of it, my Nissan manual has the same thing.
      They may say it in the manual because the lawyers told them to include it, but this is different. Let's say Ford discovers that the tires that came on many of their vehicles have a tendency to fail (which would never happen to Ford, of course). This would be like Ford saying, "We're not going to recall the tires. There's no need for that. Just check your tire pressure before each use. If you're going to the supermarket, check each tire before you get into the car. When you come out of the supermarket, check the tires again. If the supermarket is a great distance away, say, more than five miles, stop somewhere along the way and recheck your tires just to be sure. Oh, and owners of '97 models should just buy a new car. You're really taking a risk if you're driving a five-year-old car anyway."
    2. Re:A Poorly-Written Article by Dynedain · · Score: 2

      The better solution is to wipe your hard disk and download the Red Hat ISO or buy a Mac before you become further entangled in Microsoft's web.


      Hmmm....my office is almost all Mac.....and in the next year or so we will have to migrate to OSX..... is there a decent office package besides MS Office for the Mac? Nope because Open/StarOffice isn't ported yet. So buying a Mac is not getting away from MS' web.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    3. Re:A Poorly-Written Article by Cy+Guy · · Score: 2

      Microsoft isn't "leaving millions of users of Word 97 without a fix." The fix is to upgrade your five-year-old copy of Word, get all the "great" features Microsoft has included since 97,

      Except that to run Word XP, you will also have to get a new machine that runs at at least 300 MHz with at least 256 Meg of RAM, and of course that will mean also getting a new operating system, coincidentally made by guess who.

      MS is a monopoly and unilaterally decides which products it will continue to support. As of today, Office 97 is still listed as supported, therefore MS is on the hook for patching a major security flaw in their still supported product.

      If they refuse to support the products that they say they do, then there is no reason anyone should ever buy a new product from them.

  33. WORD by Rupert · · Score: 2

    Weapon Of Random Destruction

    --
    E_NOSIG
  34. Microsoft suggests... by MojoRilla · · Score: 2, Funny
    Microsoft suggests users view hidden codes in every document they open. In Word 2002, the latest version, that can be done by selecting tools, options, then checking the "field codes" box. Many companies, however, use such codes for legitimate and harmless purposes.
    In unrelated news, beef processors are asking all their customers to check their products for bacteria before eating. Just take a sample down to a local lab to be tested, and wait four to six weeks. The beef processors aren't responsible for meat going bad while waiting for test results.

    Microsoft. What insecurity do you want to exploit tomorrow?
  35. targeted audience by maraist · · Score: 2

    It still takes more than running Word to expose the contents of your hard drive though.

    The article mentions that the reason this is an issue is because the manner in which files would be stolen follows a normal business process among corporate types... Receiving an email from a company member. Editing it (for markup or review), then sending an email to someone else. Secretaries are good candidates for generic attacks, since they'd often need to review documents. But even executives are prone to such inattentive activity.

    --
    -Michael
  36. Re:Bad Developer, BAD! by chill · · Score: 2

    If you manufacture and sell a physical product, like a car or computer, you are legally responsible to provide support and repair/replacement for 7 years after discontinuation.

    In the U.S., anyway.

    And it isn't quite a 5 year old product -- almost. It actually shipped in late November 1997 *AND* with a major flaw -- it couldn't export Word 95 format correctly, even though it claimed it could. It only did RTF. They fixed that in February 1998.

    --
    Learning HOW to think is more important than learning WHAT to think.
  37. this is insane by deander2 · · Score: 3, Interesting

    "Analyst Laura DiDio of the Yankee Group said companies are taking a risk by using such old software..."
    Insane. You know, if Isuzu discovered a fatal flaw in all Rodeos going back through 1997 yet announced they were only going to provide fixes for models '00, '01 and '02 there would be a congressional investigation.

    Completely insane.
    1. Re:this is insane by Razzious · · Score: 4, Insightful

      Agree with the principle, however a Rare chance at file theft and a FATAL FLAW in an automobile are not even close to realistic comparisons...

      --
      Razzious Domini
      I could be a GREAT KARMA WHORE if I could just shed the few morals I have left.
    2. Re:this is insane by ceswiedler · · Score: 2

      It is unlikely that a flaw in a Microsoft product could cause serious injury or death. If that were the case, I imagine the laws would apply (or be rewritten to apply). Thankfully, most consumer protection laws like this only apply in serious-injury-or-death cases, or lawsuits against companies would increase tenfold. ("Your stapler product didn't perform as advertised, we lost $800,000 last year fixing and replacing them...")

      Personally I feel there should be MORE responsibility placed on the consumer, not less. Why should we have laws protecting them from their own bad decisions? Did Microsoft advertise that their product would be bug-free? On the contrary, their EULA says exactly the opposite. It's the consumer's responsibility to buy products from companies which they believe will support them in the future, won't cause death or financial loss, etc. Unless the company commits outright fraud, anyway.

    3. Re:this is insane by deander2 · · Score: 2


      Even if it was something trivial, they still would repair it. In fact, they're required to keep open databases about such things.
      http://www.alldata.com/

      And I would hardly call this a rare chance. All someone has to do is return a document after opening it. That is VERY common in the business world.

    4. Re:this is insane by TFloore · · Score: 2

      Personally I feel there should be MORE responsibility placed on the consumer, not less. Why should we have laws protecting them from their own bad decisions? Did Microsoft advertise that their product would be bug-free? On the contrary, their EULA says exactly the opposite. It's the consumer's responsibility to buy products from companies which they believe will support them in the future, won't cause death or financial loss, etc.

      Umm, huh???

      Have you ever looked at the NHTSA Recalls web site?

      Find me a car manufacturer that a consumer can reasonably believe will make a vehicle that won't "cause death". Or just one that won't cause inconvenience.

      You think car makers support previous year models because they want to? Nope. The government makes them. More specifically, the government makes them correct product defects at the manufacturer's cost. If you ever paid for recall work to be done on your car, you were ripped off.

      By the same logic, if you pay for correction of a defective software product... are you getting ripped off?

      And don't think this is just for serious injury or death. Car recall work covers such non-life-threatening things as air conditioning.

      When a company sells a defective product, consumer protection laws are *supposed* to make the manufacturer repair or replace that product. Doesn't matter if it is a kid's toy, a car, a television, a computer, or computer software. A defective product is a defective product.

      And don't give me any of this crap about how hard software development is. Designing bridges so they don't fall down is hard. (Look at Tacoma-Narrows.) Designing cars so they don't have exploding gas tanks is hard. (Look at Ford Pintos, and apparently some police cruisers too.)

      Saying "but it's hard" is another way of saying "I don't want to be bothered doing it right".

      And the academic CS response of "it is mathematically impossible to verify complicated software"... We used to think it was physically impossible for bumblebees to fly too, the models of their wings said they couldn't possibly do that. Somebody noticed bumblebee wings are curved, not flat, and everyone that said it was impossible suddenly stopped talking. "It's impossible" is another way of saying "we don't know how yet".

      If your justification is "the industry is immature" then the solution is to either outlaw use of your products until they are mature, or to force manufacturers to offer additional protections for this immature product, not fewer protections.

      --
      This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
    5. Re:this is insane by bnenning · · Score: 2
      And don't give me any of this crap about how hard software development is. Designing bridges so they don't fall down is hard.


      I disagree. Not that designing bridges is easy, but neither is software development. A bridge has a single goal: to stay up. Furthermore, it is deployed in a single known environment with specific load requirements (which of course should be padded with a large safety factor). Software is generally run in a tremendous variety of environments, is often used in ways not considered by its creators, and interacts with countless other pieces of software, many of which didn't exist when it was originally written.


      Saying "but it's hard" is another way of saying "I don't want to be bothered doing it right".


      Actually it's saying that the costs of mathematically rigorous verification that software is bug-free would result in nobody being able to afford to buy it, and thus nobody willing to produce it.


      If your justification is "the industry is immature" then the solution is to either outlaw use of your products until they are mature, or to force manufacturers to offer additional protections for this immature product, not fewer protections.


      Or we could let people decide for themselves via the free market. Of course Microsoft currently does not operate in a free market due to the abuse of their monopoly, but that's a separate issue.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
    6. Re:this is insane by TFloore · · Score: 2

      Why do you want to regulate software development?

      Because looking at the quality of software produced now, it seems that the only way to get reliable software is to regulate it. To require that you train software developers properly. To require that you develop software properly to minimize errors.

      Why do you want to rob me of the right to write software?

      I don't. I want to make you produce good quality software.

      Why do you want to rob my customers of the right to buy my software?

      I don't. I want to get your customers to buy good quality software.

      Because it seems the industry as a whole is incapable of doing it properly ourselves.

      Software bugs don't exist because somebody neglects to do his job.

      Bull. Anyone that writes code with a buffer overflow neglected to do his job right. Anyone that doesn't do input checking has a problem because he didn't do his job right. Most software bugs exist because programmers don't bother to learn how to do things right.

      Complex applications with complex interactions? Break it into component pieces. Write interface specs, follow those specs, publish those specs, and if you use them, read those specs. This is not inflexible. This is doing things right. This is showing that quality matters more than playing around. You can have fun and enjoy your work and still do things right.

      You say that software relies on other software. Yes, it does. When you rely on other software to do other than what it does, that is your fault for not reading and understanding the documentation for that software. When you rely on software to do what it does, and it changes what it does, that is not your problem. That is the problem of the author of the relied-upon software. You use a system interface and it changes behavior? We learned quite a while ago how to put version numbers on system libraries, and load the proper version when called in the proper manner. We know how to freeze APIs and ABIs for versions so that minor changes can be made and not break software that relies on these libraries.

      These are *solved* problems.

      The major problem is we let insufficiently-trained people produce software and pretend it is good-quality, or even almost-acceptable-quality, code. It isn't. Programming is hard, yes. It takes brains and education to do it right. Get proper training, and stop thinking it's something you can pick up in a couple of evenings playing with a compiler.

      We regulate building contractors because it is a multi-billion dollar industry, and quality matters. We should regulate software development because it is a multi-billion dollar industry and quality matters.

      No, this isn't popular to say here, because we like freedom. I like freedom too. But I'm tired of seeing freedom used as a defense to produce crap. You want to produce crap under the protection of freedom? That's fine. You call it art, you sell it as art, and the source code gets hung on a wall to be admired for its beauty and elegance, but it doesn't get used. You want to sell a product that is used, and you can no longer hide behind freedom, because you just hit product liability, and you are being forced to produce good-quality product and stand behind that product.

      --
      This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
    7. Re:this is insane by bnenning · · Score: 2
      Because looking at the quality of software produced now, it seems that the only way to get reliable software is to regulate it.


      Maybe you should look at different software. Linux pretty much works. Mac OS X pretty much works. Perl, Apache, vi and emacs pretty much work. I would much rather have the freedom to use these software packages with the understanding that they may have bugs than have someone like you prevent software from being released without official approval "for my own good".


      I want to get your customers to buy good quality software.


      A noble goal. Unfortunately after spending thousands or millions of dollars dealing with the regulations you would impose, many fewer potential customers would be able to afford it. And forget about open source software.


      Complex applications with complex interactions? Break it into component pieces. Write interface specs, follow those specs, publish those specs, and if you use them, read those specs.


      Well, I'm glad you've got this all figured out. I look forward to using the bug-free software you will produce.


      We regulate building contractors because it is a multi-billion dollar industry, and quality matters.


      And because land is scarce, and because improperly designed buildings can kill people. If software is used in a situation where people can die as a result of failure, it is more strictly designed, as such it is more expensive. You have no right to decide for everyone the proper balance between cost, time to market, and reliability.

      --
      How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  38. This is what makes me not use M$. by xanadu-xtroot.com · · Score: 5, Insightful

    FTA:

    But, referring to Microsoft engineers, McGee said "there's only so far back they can go."

    No. There's only so far back they WILL go. There is a HUGE difference. Microsoft has CHOSEN not to support it, it's not that they can't.

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.
    1. Re:This is what makes me not use M$. by Frank+of+Earth · · Score: 2

      But, referring to Microsoft engineers, McGee said "there's only so far back they can go."

      Damn, we're all screwed in 2050 when the pivot point crosses over and all our documents are now saved as 1949! The good news is that the engineers who wrote Word97 [assuming 23 years old], can go back and fix it in their retirement [76] to earn some more cash. Because, of course, the retirement age will be around 80 by then ;-)

  39. What's the issue? by Dynedain · · Score: 2

    "It's incredible to me that Microsoft would turn its back on Word 97 users," said Woody Leonhard, who has written books on Microsoft's Word and Office software. "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."

    Come on....Word 97? Who expects Microsoft to do something to fix problems in that? They have had 2 major (4 if you include the Mac versions) releases since then. You think Netscape is going to issue a patch for 4.7x now that version 7 is out? Just one example of many.

    --
    I'm out of my mind right now, but feel free to leave a message.....
    1. Re:What's the issue? by kubrick · · Score: 2

      You think Netscape is going to issue a patch for 4.7x now that version 7 is out?

      Bad example -- Netscape 4.80 came out about three weeks ago.

      Besides, with the amount of money Microsoft had banked from Office sales over the years, surely they could have used some of that to ensure that problems like this could be fixed for versions that are still widely used by the general public (e.g. Word 97)?

      --
      deus does not exist but if he does
    2. Re:What's the issue? by crumley · · Score: 2
      You think Netscape is going to issue a patch for 4.7x now that version 7 is out? Just one example of many.
      I doubt that's a very good example. Netscape 4.8 just came out in August. Since there are probably still more people using Netscape 4.x, than using Netscape 6 and Netscape 7 combined, and since Netscape can't afford to throw away any customers, I think that the Netscape 4 branch probably will be supported for at least a couple more years.
      --
      Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
  40. Ending support issue by 1000101 · · Score: 2, Informative

    Microsoft ending support on Office 97 is nothing new in the business world. Car companies regularly end their support for different models. After a while it is not cost effective for them to produce spare parts for these models. Also, look around everywhere in the technology industry. Companies are constantly discontinuing support. I have a Denon receiver whose FM tuner went out and I'm S.O.L. b/c they don't make spare parts anymore. All this complaining about their discontinued support for Office 97 is nonsense.

  41. Really another reason to use openoffice? by jpt.d · · Score: 4, Insightful

    The logic of this eludes me.

    If you are using Word97 and somebody else is using WordXP. The other person will get the patch.

    Opensource software now...
    You are using KDE1 and somebody else is using KDE3. Security Hole X that is in both. KDE3 will get 'patched' or at least fixed, I doubt that KDE1 will get fixed. The only benefit here is that you could potentially fix it yourself, but if you are using KDE1 I doubt you really would.

    --
    What we see depends on mainly what we look for. -- John Lubbock Now search for that bug slave!
    1. Re:Really another reason to use openoffice? by JWL-23 · · Score: 2, Insightful

      Yeah, but it doesn't cost hundreds of dollars to (legally) upgrade to KDE 3.x.

    2. Re:Really another reason to use openoffice? by yorgasor · · Score: 4, Informative
      There is a big difference. Open source software developers rarely dish out patches. They can't, really. Windows software gets patched because they have complete control over the binary and know exactly what was shipped to customers. Open source software could be compiled on a dozen different platforms with who-knows-what kind of optimizations.

      Instead, they release a new version with the bug fixed. Usually code patches are available, but how many people using KDE actually compiled their version?

      Ok, so commercial software and open source software developers really want their users to use the most up to date versions. The difference is, MS wants their users to fork out a few hundred $$$ for their new fixes and gotta-have features. For KDE, you can just download the latest version or get it from a friend. That's why MS is evil for not patching '97. People paid a lot of money for it and expect MS to support it. I personally can't see any feature worth paying several hundred dollars for an upgrade to Office 2000/XP over '97 and neither can millions of their customers.

      Now you tell me who's looking out for their users.

      --
      Looking for a computer support specialist for your small business? Check out
    3. Re:Really another reason to use openoffice? by dublin · · Score: 2

      There is a big difference. Open source software developers rarely dish out patches. They can't, really. Windows software gets patched because they have complete control over the binary and know exactly what was shipped to customers. Open source software could be compiled on a dozen different platforms with who-knows-what kind of optimizations.

      This is a great case against open source software for anyone that either cannot or, like me, just flat refuses to compile things.

      If the best answer open source can come up with is "keep track of all the patches yourself, download them, and rebuild your apps", then open source software will lose. (And if that scenario is true, open source *should* lose.) It's just not reasonable to expect end users to ever have to compile *anything*. As long as that's the mindset, people have plenty of reason to avoid open source software.

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
    4. Re:Really another reason to use openoffice? by dublin · · Score: 2

      Regardless of what the original poster said, this *is* pretty much the best answer open source has come up with. I've been an open source advocate longer than the FSF has been around, and this is an area where to be honest, we've failed miserably.

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  42. Eventually Microsoft won't even bother by Henry+V+.009 · · Score: 2

    I imagine that all copies of Office XP will stop working on January 1, 2004 (or whenever the support promise runs out) due to some bug which "prevents proper start up of program file once the system clock passes 01012004:00:00:00, and instead displays upgrade flash screen and crashes."

    Since the service period will have expired, Microsoft will not be fixing this problem, and will instead recommend upgrading to OfficeBall Z for $1000 a copy.

  43. Re:Why OpenOffice ? by jnd3 · · Score: 2, Informative

    One reason might be that OpenOffice is free, while GobeProductive is not...

    I actually just installed OpenOffice on my home PC's Win2k drive (still gotta get it for the Linux drive). I have to admit that I've never tried GobeProductive, but I did use the old StarOffice (5.2) for a while. I thought it stunk. OpenOffice is quite comparable to MS Office in terms of usability. On my system it was quite a bit faster than MS Office as well. So let's see, OpenOffice is (1) free, (2) compatible (> 90%, probably) with MS Office, (3) available right now for multiple OS platforms. Granted, GobeProductive might be faster than OpenOffice, but come on, do you really need the file to open instantaneously?

    Maybe someone will come up with a quantum office productivity suite that will open files before you need them... :-)

  44. perhaps overstating the obvious but... by rob-fu · · Score: 2, Interesting

    what a great way to kick Office XP (or maybe even Office 2000) sales way up. Remember when Office XP came out, and everyone said that there weren't enough new features or incentives to upgrade? Some people reported that they still used Office 97. Well, here's your incentive. Miscellaneous people 'stealing' Word docs.

    It makes me wonder if MS marketing is blowing the bug way out of proportion -- the average user hears 'Word 97 will let people STEAL your documents' and runs down frantically to the local CompUSA and buys a copy (or 2 or 3, depending on how many machines, of course :).

    I haven't seen a proof of concept or anything, but I wonder how serious this bug really is. Just my $0.02 US.

  45. Re:Bad Developer, BAD! by mangu · · Score: 2

    No, it should be "buy once, and receive free repairs for life". Bugs are present in the software from the beginning, and should be covered by the warranty, no matter when they are discovered. Car manufacturers do that, and survive, why couldn't software producers do the same? It's much cheaper to supply a software patch than recalling cars to fix bugs.

  46. Only fools use Office 97 by lseltzer · · Score: 2

    Numerous serious security problems in Office 97 have not been patched and Microsoft won't patch it anymore.

    Especially Outlook 97.

  47. Why bother with 97? by Winterblink · · Score: 2, Insightful
    For the same reason we no longer see security fixes and patch support for Windows 3.1. It's OLD. Newer products like Office 2000 and XP are probably easier to patch than the old convoluted mess that is Office 97. I mean the product's at least five years old. Let it go.

    Just my 2c!

    --
    "I'm a leaf on the wind. Watch how I soar."
    -Hoban Washburn
  48. Check this out... by Mustang+Matt · · Score: 5, Interesting

    View some of the past word docs you've received in a hex editor...

    Near the bottom there is often information from other documents of the sender that they were recently working on. I don't know why it saves this. Maybe something to do with the undo buffer?

    At work I used to look at internal memos that would be sent out on a weekly basis and find out all sorts of other stuff that was going on.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:Check this out... by DeadMeat+(TM) · · Score: 3, Informative
      Sort of. Word has a feature called "fast saves" that only adds revisions on saves (think like GNU diff) rather than going through and rebuilding the file. This was enabled by default until some later Word service pack (2K SP1 IIRC). This is also one of the reasons DOC files tend to have hideously-bloated filesizes.

      There are some other ways of getting weird extraneous data dumped into Office files -- see this Microsoft Knowledge Base document for more info. Fast saves are by far the worst culprit, though.

      If you're really concerned about this sort of thing, the best thing to do (besides using a different office suite) is to pipe public documents through GNU strings first to make sure nothing conspicuous is embedded.

    2. Re:Check this out... by NewtonsLaw · · Score: 2

      Yes, the flaw in MS Word continues to potentially expose a huge amount of sensitive information on the web (including as many as a quarter of a million US Government documents).

      Check out this story I wrote back in May for the chilling details.

    3. Re:Check this out... by DVega · · Score: 2

      You have discovered Word Metadata and Fast Save problems.

      --
      MOD THE CHILD UP!
    4. Re:Check this out... by Reziac · · Score: 2

      Word document innards can be quite fascinating :) That's why I consider Word documents to be a default security hazard -- because in addition to the usual tattling (such as paths that can reveal a fair amount about system or even network structure), the user really has no idea what data each .doc file unwittingly includes.

      What you're seeing tacked onto the end of the file (it can also be inserted elsewhere) is the filesize padding that Word does. It thinks files need to be a certain size, and grabs random data (from memory, the swapfile, and/or other documents) to use for padding. You can see how this is a problem -- what if it just happens to grab a chunk of that confidential memo??

      I've seen an example much to that effect: Someone sent a joke to a mailing list, but didn't grok plaintext and attached it as a Word document. When I looked at the file with the ever-handy LIST, I found not only the joke we were meant to read, but a chunk of some unrelated porn story. (Which on inquiry I learned belonged to the poster's boss.)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  49. Re:Bad Developer, BAD! by Gonarat · · Score: 2, Insightful

    That would be a great change to software copyright. Give software full copyright protection as long as it is supported (supported being defined as helpdesk support and maintenance). That way, MS (or any software maker) would have to stand by the software that has been purchased instead of abandoning it like yesterday's newspaper.


    When MS drops support for Word 97, Windows 95, DOS, or whatever other package, then that version should be free to copy. We still have many machines where I work that use Win 95/Office 97 (new Machines get Win 2K and Office 2K) and have apps out in the field (point of sale) that use DOS 6.22 and Desqview. We still have to license every PC that is used -- why shouldn't we get support if we are shelling out $$?

    --
    Beware of Sleestak
  50. Anything '97 Support? by LittleGuy · · Score: 2

    According to the list of MS Obsolete Products, Office 97 and Word 97 aren't included.... yet.

    But with the number of successive software upgrades (OS included) since Office/Word 97, MS could claim that Office/Word 97 is too far down in its food chain to care.

    --
    Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  51. OpenOffice by glh · · Score: 2

    Is it just me, or have A LOT of people been switching to Open Office lately? I am primarily a Windows user, but I recently downloaded open office. I was planning on snagging a copy of Office 2K from a computer show for my Church, but it was a little much.

    In my quest for saving money, I remembered "star office" back from my redhat days. I vaguely remembered a slashdot article talking about star office and something to do with open office. So I checked out the web site and got it. I was amazed to see it could open my power point files that I had saved in office 2000 on my own computer. Cool stuff! I think this one actually has a good chance of becoming a competitor to MS Office.

    However, I really don't think the user interface and usability is geared towards "dum-dum" users enough just yet. Even the name of the powerpoint like product was confusing to me (ie, "Impress"). Don't get me wrong- it is definitely useful, but it still isn't quite the same. A lot of users are so used to Office functionality that this will be a hurdle for Open Office to overcome. But Open Office is a BIG step in the right direction! And the price is right..

    I think what is really needed is a standards body to come up with office document formats (such as document format, presentations, "calculators"/excel, etc.). This would be a Good Thing for the community. One of the most frustrating things about office productivity is having an old version of such and such, or not being able to open a particular format.

  52. Excuse me? by InnereNacht · · Score: 3, Interesting

    "Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org."

    They say that like other companies don't orphan software after 5 years. Programs become obsolete. Are we to ask Adobe to support Photoshop 4 still after it's had (at least) two major releases after it?

  53. + forced upgrading, etc. by Ender+Ryan · · Score: 2
    You make a good point. I'd like to expand on that. Microsoft isn't fixing this bug because it's in an older product, and they want users to upgrade to the "newer product", ie. they want to sell you the same thing again.

    Even if you have money to burn, this still may not be acceptable. What if the new product is altered in such a way as to not meet your needs? What if you simply can't agree to the new "license agreement"? In such a case, you're totally screwed!

    With Open Source software, you have the option of making fixes to any version of the software you want. Sure, it may be expensive, but at least you have that option.

    Of course, proprietary vendors can get around these problems pretty easily, by not altering licensing agreements, and supporting products from only a couple years ago(97...), etc. ie. THEY CAN SHOW SOME GOOD FAITH TOWARDS THEIR CUSTOMERS!

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  54. Re:Bad Developer, BAD! by jandrese · · Score: 2

    I think that if you refuse to support your old code, you should be forced to release it open source so the community can fix it.

    That ought to light a fire under MS with those security vulnerabilities.

    --

    I read the internet for the articles.
  55. MS Word == newest P2P client? by richieb · · Score: 3, Funny
    So, now I can search and find MP3 files by emailing Word files? How cool is that!

    --
    ...richie - It is a good day to code.
  56. Word is Insecure by minairia · · Score: 3, Insightful

    I write very basic Visual Basic scripts to automate the transcription process for a large hospital. Microsoft Word is completely insecure. Every Word document can contain one or more large complete applications that can interact with the internet, the network, a user's computer etc. Even with my very limited and basic knowledge I could (and have) accomplished the above. Every transcribed document in my department of this hospital is full of my code. If I was a certain type of person, the danger to patient privacy and confidentiality would be immense. I'm not like that but the idea that companies, hospitals and governments world-wide use Word on a daily basis is rather unsettling. I can only imagine the exploits that someone who A) really knew what they were doing and B) lacked ethical standards could accomplish.

  57. Bizarro World by SomeOtherGuy · · Score: 3, Insightful

    In the same week we wondered why Microsoft was making HP/Compaq kneel and beg to "be able" to provide MS Windows with each PC. (rather than Microsoft thinking themselves "lucky" to be moving so many copies of their software)....Along comes this as to where Microsoft may refuse to patch Word 97. Now I personally know of quite a few Fortune 500 companies that are still 100% Word 97.....Would not this size and (clout) of a user base still warrant security patches to serious holes? (Well for most software companies it would -- but Microsoft's relationship..err..monopoly with their customer base is almost 180 degrees from everyone else.)

    --
    (+1 Funny) only if I laugh out loud.
  58. Re:Anything '97 Support? by cant_get_a_good_nick · · Score: 2

    They've obsoleted BOB!!!! Noooooo!!!!!!!!!!!!

  59. Re:Riiiight by Oliver+Wendell+Jones · · Score: 3, Funny

    I am assuming that your IT group hasn't done any stability testing

    You are of course assuming that our IT group is stable enough to perform that kind of testing... :-)

    --
    A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
  60. It takes more by llamalicious · · Score: 2

    It still takes more than running Word to expose the contents of your hard drive though.

    True. Running Windows helps.

  61. Intruders by Tablizer · · Score: 4, Funny


    This horrible bug could even allow invaders to install malicious or undesirable software such as MS-Word 97.

    Oh, wait

  62. Yet another reason to try OpenOffice.org by Leto2 · · Score: 3, Insightful
    Yet another reason to try OpenOffice.org

    What, you mean Linus still produces patches for 1.1.x? Or that Samba still fixes holes in 1.8.x? Or that Apache still fixes holes in 1.2.x?

    --
    <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    1. Re:Yet another reason to try OpenOffice.org by tuffy · · Score: 3, Insightful
      What, you mean Linus still produces patches for 1.1.x? Or that Samba still fixes holes in 1.8.x? Or that Apache still fixes holes in 1.2.x?

      No, but Linus, Samba and Apache don't charge $200+ for the updated versions of their software with the bugs fixed.

      --

      Ita erat quando hic adveni.

    2. Re:Yet another reason to try OpenOffice.org by Leto2 · · Score: 2
      Ah, the Open Source mantra. You can fix the code yourself. In all these years of me using FreeBSD, Linux, Samba, Apache, I've not audited one single line of code, neither have I changed one single line of code. And with me 99.99% of the OS users do.

      So while you may have the source, it's pretty much useless, because you're not going to change it. You can, but you won't. And that's where your reasoning breaks.

      --
      <grub> Reading /. at -1 is like driving through Cracktown in a convertible that is stuck in 1st
    3. Re:Yet another reason to try OpenOffice.org by Some+Dumbass... · · Score: 3, Informative

      What, you mean Linus still produces patches for 1.1.x?

      Actually, there are still new releases to the 2.0 kernel series, which is the "circa 1997" (think "Word 97") kernel series. They're at 2.0.40-pre6 right now.

      Of course, perhaps the original poster meant that people should try OpenOffice not because patches are released for older versions of Open Source software, but rather because the upgrade to the latest, fully patched version is free?

    4. Re:Yet another reason to try OpenOffice.org by James+Foster · · Score: 2

      No, but the new versions are FREE.
      Microsoft isn't offering Word 2000 for free.

    5. Re:Yet another reason to try OpenOffice.org by bluGill · · Score: 2

      FreeBSD still has 2.1 and 2.2 in CVS, and once in a while they get patches. Not often, but once in a while. (1.0 turned out to have some copyright violations, you need an AT&T license to run it, but if you have that license we can track down the source to 1.0 for you)

    6. Re:Yet another reason to try OpenOffice.org by gilroy · · Score: 2
      Blockquoth the poster:

      So while you may have the source, it's pretty much useless, because you're not going to change it. You can, but you won't. And that's where your reasoning breaks.

      Well, not exactly. Look at this bug. Microsoft might say, "We will simply not patch Word 97". If you use Word 97, you have only two options:

      Pay hundreds of dollars for Office XP (and perhaps also thousands of dollars for a machine it can run on); or

      Continue using Word 97, knowing that it has a hole.

      What you cannot do is, fix the hole on your own. You don't have the source and attempts to reverse engineer it are liable to violate at least the EULA and possibly a real law.


      Now, imagine this in a world where you used an open source suite (say, the excellent OpenOffice.org). First, there is no single company to charge you for an update. But say the entire community decides, to heck with you -- update to v. 2.0 or die. Well, the upgrade path is free (modulo download and install time -- which you pay for with MS, too). And say you don't want even to do that... hey, you've got the source. If you insist on living in v. 1.1, go ahead... you also have the tools and the permission to patch, fix, and update that version. You might have to go it alone but you are allowed to go there...


      As opposed to the closed-source proprietary model, where the question might be "Where do you want to go today?" but the answer certainly is, "You'll go wherever we decide you'll go."

  63. Careful what you ask for. by TheLink · · Score: 2

    Coz who made Linux v1? Or FreeBSD 2?

    If we are not careful, open source developers will be worse hit - it will raise the entry barriers for software.

    Maybe a better direction would be - you either support it, or open source it so that others can support it.

    Be careful what you wish for. And be careful of what other people wish for.

    e.g.
    So many software problems.
    we got to do something.
    Let's require manufacturers be liable no matter what.
    Let's make legal action easier against software producers.
    Let's require software certification.

    Guess what will happen if these happen.

    The "antihacker" and "security" directions can also affect open source badly.

    So beware.
    Link.

    --
  64. antivirus vendors? by Tablizer · · Score: 2

    (* Ah, the "field codes". They can do some interesting things... *)

    I wonder if the antiviral software (McAfee, etc) will be able to detect them?

    The problem is that they can't tell if it is meant for legit purposes or not. But, it would be nice if there was a setting to get warnings.

    Virus detection/fixing is less and less a Boolean operation these days.

  65. Re:Bad Developer, BAD! by netringer · · Score: 3, Interesting

    Rather than penalizing them, this "fixes in current versions only" policy makes it PROFITABLE for the software vendor to write flaws into the code. They are actually better off selling products that have serious problems.

    "Now that we got you hooked and your company has standardized on our product and all of your documents are in our proprietary format...if you want a version that really works (or doesn't possibly expose your data to damage), pay us $200 (a year) for the upgrade!"

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
  66. Re:Bad Developer, BAD! by mangu · · Score: 2

    Actually, the Duesenberg Model J had 15 years. Not that anybody had a chance to use it, the Model J came out in 1928 and the company went bankrupt in 1937. Yes, I was referring to recalls. The manufacturer is responsible for design errors, even when the warranty has expired, but they are not responsible for wear and tear.

  67. Re:Anything '97 Support? by dublin · · Score: 2

    No they haven't, he's just called Clippy now. Don't believe me? In Office97, press F1 for help and type "bob" into the search field, and see what you get...

    As I've posted here before, I suspect Bob will never really die for the very simple reason that the product manager for Bob was none other than Melinda Gates (pre-marriage, of course.)

    --
    "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  68. A Fix! by gspeare · · Score: 4, Informative

    Of course, there's a way to address this problem with...a Word Macro! :)

    Sub AutoOpen()
        '
        ' IncludeTextBarrer Macro
        ' Macro created 9/13/2002 by Geoff Speare
        ' Created for Word 2000, use at own risk, etc.
        '
        Dim count As Integer
        Dim vbFix As VbMsgBoxResult
        Dim blFoundOne As Boolean

        blFoundOne = False
        ' Walk every field in the document and offer to lock each INCLUDETEXT field.
        For count = 1 To ActiveDocument.Fields.count
            If ActiveDocument.Fields(count).Type = wdFieldIncludeText Then
                blFoundOne = True
                vbFix = MsgBox("An INCLUDETEXT field has been found. Would you like to lock it? " & _
                    "(Select All and then Ctrl-4 will unlock all fields if you change your mind.)", vbYesNo, "INCLUDETEXT Exploit Detection")
                If vbFix = vbYes Then
                    ' A locked field is not updated, so its current result stays as it is.
                    ActiveDocument.Fields(count).Locked = True
                End If

            End If
        Next
        ' Remind the user to inspect the field codes before the document leaves the machine.
        If blFoundOne Then
            MsgBox "Your document may have a field which secretly includes text from another file. You may wish " & _
                "to Reveal Field Codes (ALT-F9) and examine the document closely before saving or distributing it.", vbOKOnly, _
                "INCLUDETEXT Exploit Detection"
        End If
    End Sub

  69. Re:Bad Developer, BAD! by dublin · · Score: 2

    It is a shame that software development companies do not have a legal obligation to fix significant flaws for a certain amount of time.

    Other than the fact that I can find no rational basis for such a law, it would also have to apply equally to open source software. (There's that "equal protection" thing that totally changed the nature of the Constitution in 1865...)

    If we enact laws around the idea that software developers have some sort of responsibility to deliver functioning products, then that standard must be applied across the board. Open source software might find it quite hard to survive in such an environment, where a lawsuit could put the authors' personal assets at risk.

    --
    "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  70. Open Office. by tshak · · Score: 2

    I love IE, I love .NET, I love my Win2K box, I love SQL server, and I really love my XBox. But when it comes to Office (Outlook especially) I have to look for another solution due to these ongoing security issues. I've been using Eudora for email for years and I've finally tried Open Office a month ago so that I could uninstall my old copy of MS Works. I'm not "pro" or "anti" OSS, but I just wanted a decent office package. OO is not great, but at least I don't have to worry about these security issues. Maybe I'll plunk the cash for Star Office if it looks any better. I don't mind paying for software, and I don't have time to look through the code, but paying for MS Office is like paying someone to install back orifice on your machine.

    The irony continues as I sent my resume into MS last week - the resume was created with Open Office of course :-).

    --

    There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  71. Shouldn't the padlock icon be ... by UnknownSoldier · · Score: 2

    ... changed to include a hacksaw? Or at even left opened? ;-)

  72. Re:Developers should be held to a higher standard by simm_s · · Score: 2

    Because developers do not intentionally create vulnerabilities in their products.

    Check out this "contrived" situation:
    The application in question is a spread sheet program.

    Module A created 5 years ago allows any caller to load a file into a buffer.

    Module B created 3 years ago allows any caller to transfer a buffer over a network interface to another buffer.

    Module C created 1 year ago allows you to embed and execute a scripting language into the data file. This was used to replace an old macro language written 6 years ago, but wasn't flexible enough to handle new features for your application. The developers do not want to create a scripting language from scratch. They smartly choose to use a well tested and widely used language.

    Module C version 2 allows the script to make library calls (like calling a .so or .dll library). This was done at the request of a customer who wanted to import numbers from a legacy database with the scripting language. In this case the database didn't have support for the scripting language and had API libraries built in another language.

    Now a hacker discovers she could link module A and module B and embed that into any spreadsheet datafile using module C version 2. She works for a bank and creates the spreadsheet which then downloads other spreadsheets with confidential account numbers and passwords.

    Who is responsible? What should be done?

    Well IMHO the hacker is responsible for any harm she has caused by using this exploit.

    This is the state of the industry today. And before you say this does not happen in other engineering practices (trust me it does to a lesser degree). There is even a term for this "The Law of Unintended Consequences."

    Most software of sufficient age and complexity will run into problems like this. The problem is when you know the problem exists and you cannot do anything to remedy it.

  73. Re: Liberty and Security by krmt · · Score: 2
    A very famous man once said something along the lines of "They who would give up an essential liberty for temporary security, deserve neither liberty or security".

    You are giving up features for temporary security. Anything Microsoft does will be a temporary fix. There are enough hackers out there that hate microsoft that no matter what, they will find a new way to exploit the software.

    There's a gross misconception here. Liberty and features are not the same thing.

    The essential problem isn't one so much of open vs. closed here, but of monopoly vs competition. Microsoft has a monopoly on office suites, and as such they have no compelling reason to fix their program's older versions. If they weren't a monopoly, this wouldn't be as much of an issue because people could easily choose another well-known product or pressure an inevitably more pliant Microsoft to fix it.

    Now, if the software was Free Software (like Open Office or Abiword) this flaw in older versions could be fixed by third parties if they wanted. Or they could upgrade. This is the option offered by the likes of Debian, who backport security fixes from the newest software versions. The problem is that in this case the choice isn't even offered to the users. If Microsoft decides to not fix the bug then there's nothing anyone can do about it.

    This is freedom. I don't care that 99% of users can't fix the bug. There's one that can. That one has a choice. Hell, even those out of the 99% have a choice to learn how to program and go about it if they want. Sure, 99.9% of these previously helpless users will choose not to do this, but maybe 0.1% will, which empowers even more people.

    This is also security. It's got nothing to do with how many parks and welfare programs a government has, the same way it doesn't matter how many levels of undo you have, features do not provide you with freedom. The essence of your quote is that safety is a matter of the choices we are able to make in how to live our own lives. The more you sacrifice in your personal freedoms, the less safe you are.

    This is also why, to answer your question, open source developers are often more responsible about these matters than closed developers. They have made a choice to be and they know their users have a choice. Freedoms require responsibility. For all your bluster about Apache, it is still deployed on more sites than IIS, and it still has less vulnerabilities.

    In a closed world, there is no choice, no matter how many features are lumped in to the program.
    --

    "I may not have morals, but I have standards."

  74. couldn't you do this in OpenOffice too? by Micah · · Score: 2

    Or any office suite that supports macros?

    OOo lets you put a Basic macro in a document and have it run when the doc is opened. Couldn't it, say, look around in your home directory for text files or OOo documents, load said documents, and "hide" interesting info from those documents in the current document?

    Hmmmm

  75. Re: VERY EASY Social Engineering by raresilk · · Score: 3, Informative
    I work for a large law firm that shall remain anonymous. Much of our user population is still using Word 97, and for various reasons I don't agree with, secretaries are actually being trained to use macro based templates to perform relatively simple functions, so everybody has macros turned on. (Don't blame me, I'm a lawyer, not IT. Our IT department sucks like a vacuum, mainly because of a few powerful old farts who miss their quill pens, hate computers, and won't retire.)

    But back to my original point - there are many contexts where it is literally day-to-day routine for lawyers to email Word documents back and forth, with each recipient detaching and saving the file, throwing in a few edits, and sending it back. In some situations, such as court documents that typically are negotiated, then filed jointly (e.g., proposed pretrial and scheduling orders), this interaction occurs among parties who are adversaries in a lawsuit - the farthest thing I can imagine from a trusted exchange.

    This alone allows substantial opportunity for exploitation. Even if you don't know any specific filenames, it seems as though you could easily grab the Registry, which is always named the same thing, and learn at least some path and filename information from it. And also keep in mind that many firms (not ours, fortunately) use a stupid auto-format that appends the path and filename into the footer of a document. Let's say I was an unscrupulous lawyer co-drafting a scheduling order, and knew about this exploit. I might go through the earlier files and records in the case, and look at the briefs my opponent filed. If the filename was in the footer, I could rig the scheduling order to get the brief, which would contain not only the printed text I'd already seen when the brief was filed, but perhaps leftover redlines, comments, those mysterious fragments at the bottom, etc.

    To answer your obvious questions: (1) no, I haven't tried it, and I'm not planning to, so I don't know if it would actually work, and (2) I have sent the Bugtraq link to the one non-worthless person in our IT department, and (3) yes, I realize this is not a macro exploit technically, so turning macros off won't help. But folks, this is really scary, and I am sure that legal practice is not the only line of business where "enemies" or untrusted parties exchange Word documents via email. That is how the world does business these days.

    --
    No, no, no. This is not a sig.
  76. Just plain ignorant by WndrBr3d · · Score: 2

    Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org

    Well that's just a bullheaded and ignorant thing to say. I'm sure there were a plethora of bugs/holes in Windows 3.11 when Windows 98 was released, but was anyone complaining? No. Reason? After a run of five years, you either upgrade or accept the fact you're playing the odds with outdated software. End of story.

  77. Re:Riiiight by Frank+of+Earth · · Score: 2

    Seriously, I would like to hear one compelling reason to upgrade from Word 97 to a newer version if all you use word for is word processing and basic mail merge

    You're the person in charge of applications in your company. MS announces they are dropping all support for Office 97 products. You upgrade.

    I'm not saying I don't agree with you, I haven't found any compelling features of Office2k that I didn't have in Office97, but sometimes it's more than just the features.

    Not to mention that Office2k+ products support the MSI installation method and auto-repair which sysadmins like [or so MS would have you believe]

  78. Re:Bad Developer, BAD! by chill · · Score: 2

    Yes, it is easier with non-software since it was a matter of "function or not".

    The specific instance I was thinking of was when I worked in the automotive electronics industry. I've also seen this in a couple other manufacturing industries but would have to dig for the exact regulations.

    --
    Learning HOW to think is more important than learning WHAT to think.
  79. Proposal: Software lemon law by tgibbs · · Score: 2

    Once a bug (defined as a failure of a program to function as documented, advertised, or otherwise represented by the publisher) is reported to the developer, the publisher must

    1) Within 6 weeks, acknowledge the bug by posting the information on a web site or sending the information to registered users via postal or email.

    2) Within 6 months, contact all registered users and either a) offer a full refund of the purchase price, or b) provide a fixed version of the program.

    Failure to comply with these requirements renders any exclusion of consequential damages related to the bug in question invalid.

  80. What you don't hear about OpenOffice by dasunt · · Score: 2

    First, let me say that I used to use StarOffice 5.2 and am currently using OpenOffice on Windows 98SE. I've been in environments where Microsoft Office (several versions) have been in use.

    OpenOffice installs just as easily as Microsoft Office, the compatibility with most documents is pretty high (sometimes it exceeds the later versions of Microsoft Office for old docs), and the layout is familiar enough (to Microsoft Office) that is easy enough to pick up. I haven't noticed any printer problems with either the old dotmatrix or the newer inkjet.

    That being said, OpenOffice is not compatible with Microsoft Office scripts. For 95%+ of the users out there this doesn't matter. But I know of at least one nation-wide company that bases part of their business on AccessVB scripts. For these companies, a move to OpenOffice would be expensive, since programmers would have to be hired to convert the scripts over. (Then again, upgrading to Office 2005 is expensive too).

    Even without the need for VB scripts, OpenOffice's and Microsoft Office's abilities don't overlap 100%. There are some things that are easier to do in Microsoft Office. There are things that are easier to do in OpenOffice.

    That being said, I'm sticking to OpenOffice. Installation on windows is easy (comes as an MSI and an exec), works for my light-to-moderate wordprocessing needs, and the cost is easy to bear. :)

    Just my $.02

  81. Only if we had some hardware based protection by Billly+Gates · · Score: 2

    This is terrible considering how many offices still use MS-Word 97. Boy, if only there was some way where we could encrypt the applications and separate their memory spaces so a virus or bad program couldn't execute it or access it without a certification.

    (wink, wink)

  82. Re:"a couple" 5, jerkoff! by cscx · · Score: 2

    Office 97 was released in January 1997. So yeah, longer than 5 years.

  83. Re:Troll? by anonymous+cupboard · · Score: 2
    Is this a troll? There are some things that are obviously incorrect here, you can't share files with more than a few clients from 2K-pro. You need to have a 2K-server. This is an artificial limitation (down to licensing manager) but a real one in terms of dollars spent.

    The only thing that SAMBA doesn't easily handle (and that is an issue of the underlying file system) is permissions. Standard permissions work fine but ACLs are a no-no unless you install a file system capable of supporting them. Domain controllers are tricky but they have been working for a good four years now at least.

  84. Better story at El Reg by Ronin441 · · Score: 2

    There's a better story on this at The Register. It mentions that the exploit uses the INCLUDETEXT field, and works even if macros are disabled.

  85. Re:Bad Developer, BAD! by jandrese · · Score: 2

    What we're looking at here is the ability to disallow a certain small feature. It's the kind of bugfix you can actually do as a person. I'm not talking about doing major work on the source (like the Mozilla project with the original Netscape 4 source).

    --

    I read the internet for the articles.
  86. Re:Troll? by stratjakt · · Score: 2

    No, it wasn't a troll.

    > you can't share files with more than a few clients from 2K-pro

    We didn't need to. We needed to share with exactly 3 clients. In specific, the PC that takes the mugshots, the PC at the 'booking desk' where they "books the perps", and the clerk's PC who enters offense data. It simply had to be physically separate from the real server that handles the calls for service data from the dispatchers, and runs the records management system.

    Can't have big TIFFs knocking out the 911 system.

    It was a dead-simple system in a Mayberry-esque Sheriff's dept, if you haven't guessed. Those of you who live in rural areas with small PDs, here's a peek at how they use the technology.

    > Domain controllers are tricky but they have been working for a good four years now at least

    My point is, tricky for the sake of tricky doesn't cut it. 5 minutes compared to hours of time we ultimately bill to the client, or eat ourselves. Plus, I didn't appreciate having to spend any more time than I had to in the middle of a bad episode of "Dukes of Hazzard"

    It was just an example of a simple task made complicated by an ideologue.

    --
    I don't need no instructions to know how to rock!!!!
  87. I agree, there's much more that can be done by twitter · · Score: 2
    M$ says, "Microsoft says an attacker would have to know the exact file name to be stolen and its location. But many critical files -- an address book or saved e-mails, for example -- are usually in obvious or predictable places on every Microsoft Windows computer."

    You say, "The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file."

    I'm more inclined to believe you. What's to keep the bug maker from making a macro that gets directory listings and attaching that file the first time? Heck, a good macro could search all files with keywords and get them.

    People using M$ are fools, and people using Word for information storage and exchange are insane. The new W2K license gives M$ the "right" to search your computer. Word gives everyone the same "right". Why would anyone use either?

    --

    Friends don't help friends install M$ junk.

  88. Re:Troll? by anonymous+cupboard · · Score: 2
    Yes, with three clients only, you are under the five. However NT isn't that great anyway when getting to organise things and the client licenses really suck big time. If I pay for a W2K Pro license why do I have to pay $$$$ just to access a Win2K Server? No, we aren't talking all the BO stuff like SQL Server, just the basic file system. With Linux, you get it working once and it stays working. MS do not own your balls. Otherwise you have an inadequate system responsible for law enforcement. Sure as hell, you can't sue MS if it goes wrong. They 0wn you.

    Why?

  89. email to dubya@whitehouse.gov by tapiwa · · Score: 2

    Request top_secret_nuclear_codes.doc

    Ok, a bit far-fetched, but you do get the idea?

    --

    Live today. Tomorrow will cost a lot more!

  90. Re:Clueless by dublin · · Score: 2

    You obviously have never used any major linux distro. You should go to rhn.redhat.com or check out any of the other major distributions. You have no idea what you're talking about.

    No, you obviously are far too quick to assume you know far more than other people, when in fact, you don't.

    Over the years, I've used literally dozens of Linux distros, including the "major" ones such as Red Hat, SuSE, Turbo, Caldera, Mandrake, Corel, Slack, and Debian. My "production" Linux experience goes back to version 0.99 patch level 56. I've even built commercial products around Linux (RedHat itself in the most recent case of a high performance storage-over-IP server.)

    So actually, I *do* know what I'm talking about on this topic, and I stand by my statements. (They were, as was clear in the context, aimed at applications, not the OS itself...)

    FWIW, I find BSD is a far better choice these days than any Linux distro, especially for production use where stability, reliability and security are important.

    --
    "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post