Slashdot Mirror


PowerPoint ZeroDay Vulnerability Exploited

whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case. From the article: "This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack."


  1. The more vulnerabilities the better? by kcbrown · · Score: 4, Interesting

    ...because more vulnerabilities will cause more people to consider switching to something like OpenOffice, right?

    Yeah right. The vast majority of the people who stick with Office these days are people who won't switch unless the alternative is 100% in every way, shape, and form "compatible" with (which to them means exactly the same as) Office.

    Must be nice to be Microsoft, where you don't have to give a shit about your customers...

    --
    Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
    1. Re:The more vulnerabilities the better? by kripkenstein · · Score: 4, Funny

      "[...] people [...] won't switch unless the alternative is 100% in every way, shape, and form 'compatible' with [...] Office"

      Exactly. This is why we need to get these security vulnerabilities in MS Office to work in OpenOffice, ASAP. It's all about compatibility, baby.

      Seriously, though, I don't agree with the quote. Of course people want compatibility. But they also want security. Using MS office is a tradeoff: more compatibility, less security. When the tradeoff gets less comfortable, rational people will reconsider their options.

    2. Re:The more vulnerabilities the better? by jonbryce · · Score: 2, Insightful

      If OpenOffice is about 95% compatible with Office 2003, then Office 2007 must be about 50% compatible with it. Does that suggest that people will switch to OpenOffice rather than Office 2007?

    3. Re:The more vulnerabilities the better? by Darundal · · Score: 2, Insightful

      Then again, even if it was wholly compatible and faster, the majority of users out there don't even know that alternatives exist. They can't switch if they don't know an alternative exists. The majority of users see their computer as a mystical box that "just works" and see constant attack by spyware, adware, viruses and other malware as a price of using the computer. They think that Microsoft is required for their computer to run. They make a minimal differentiation, if any at all, between Windows, Office, IE, Outlook Express, etc. They make the differentiation only in the name of the icon they click and what types of things they can do once the window pops up. Even though they may whine, moan, bitch, and complain about something on their computer, most, even if presented with an alternative, would say no because they would honestly be scared at the prospect of their box suddenly working differently, and would see differences in such trivial things as menu placement as design flaws.

    4. Re:The more vulnerabilities the better? by ozmanjusri · · Score: 3, Interesting
      Does that suggest that people will switch to OpenOffice rather than Office 2007?

      I'm running the beta of Office 2007 now, and there's no doubt that it's the biggest change to the Office interface since the switch from DOS. The new "ribbon" interface is a little easier for novices to do normal tasks with, but is a real hindrance to power users familiar with the '95-03 style Offices.

      Anyone who's already productive with the older apps will find it easier to shift to OOo than to Office 2007. There's a few new tricks under the hood of the suite, but nothing compelling enough to pay the cost of the new version. In fact, Access coders are definitely going to want to look for alternatives. The new version is pitched much more at desktop experimenters, to the serious detriment of professional developers.

      --
      "I've got more toys than Teruhisa Kitahara."
    5. Re:The more vulnerabilities the better? by Bert64 · · Score: 2, Insightful

      Plus with an open documented format, you can weed out a lot of things by parsing the document...

      Embedded binaries, recognisable shellcode, macros, and many other nasties embedded in an open document can be detected, and the xml data itself can be validated against the schema to further cut out a percentage of nasties...
      MS on the other hand uses a binary blob, which is much harder to sort through.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
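Bert64's idea of sifting an open-format document before anyone opens it, shown as an added example that is not the poster's or OpenOffice.org's code: it builds a small constructed ODF-style package in memory and inventories macro libraries, OLE compound blobs, streams absent from META-INF/manifest.xml, and XML that fails to parse. The zip/manifest layout and the uncompressed-first mimetype rule follow the ODF container format; the macro module body, OLE blob and picture bytes are placeholders, and full schema validation (which needs the ODF RELAX NG schema) is left out.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file (legacy Office/OLE) header
ENTRY = '<manifest:file-entry manifest:full-path="%s" manifest:media-type="%s"/>'

def build_sample_odp() -> bytes:
    """Constructed sample: ODF-style zip with a macro module, an OLE blob and undeclared streams."""
    manifest = f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">' + "".join(
        ENTRY % pm for pm in [("/", "application/vnd.oasis.opendocument.presentation"),
                              ("content.xml", "text/xml"),
                              ("Basic/Standard/Module1.xml", "text/xml"),
                              ("Object 1/Ole-Object", "")]) + "</manifest:manifest>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # ODF requires the 'mimetype' entry first and stored uncompressed
        z.writestr("mimetype", "application/vnd.oasis.opendocument.presentation",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("content.xml", '<office:document-content '
                   'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        z.writestr("Basic/Standard/Module1.xml",  # placeholder macro body
                   '<script:module xmlns:script="http://openoffice.org/2000/script">Sub Main\nEnd Sub</script:module>')
        z.writestr("Object 1/Ole-Object", OLE2_MAGIC + b"\x00" * 64)      # binary blob, declared
        z.writestr("Pictures/extra.bin", b"MZ\x90\x00" + b"\x00" * 32)    # undeclared, PE-like
        z.writestr("styles.xml", "<office:document-styles>")              # undeclared, not well-formed
    return buf.getvalue()

def triage_odf(data: bytes) -> dict:
    """Inventory macro libraries, OLE blobs, undeclared streams and unparseable XML in an ODF zip."""
    findings = {"macros": [], "ole_blobs": [], "undeclared": [], "bad_xml": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        declared = {"mimetype", "META-INF/manifest.xml"}  # these two are never listed in the manifest
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(z.read("META-INF/manifest.xml"))
            declared |= {e.get(f"{{{MANIFEST_NS}}}full-path")
                         for e in root.iter(f"{{{MANIFEST_NS}}}file-entry")}
        for name in names:
            body = z.read(name)
            if name.startswith(("Basic/", "Scripts/")):  # macro libraries live here
                findings["macros"].append(name)
            if body.startswith(OLE2_MAGIC):  # legacy binary blob hiding inside the open container
                findings["ole_blobs"].append(name)
            if name not in declared:  # content the package does not own up to
                findings["undeclared"].append(name)
            if name.endswith(".xml"):
                try:
                    ET.fromstring(body)
                except ET.ParseError:
                    findings["bad_xml"].append(name)
    return findings
```

Any non-empty list in the result is a reason to hold the file for review rather than hand it to the user's office suite.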
    6. Re:The more vulnerabilities the better? by ozmanjusri · · Score: 2, Interesting
      I used to think that but you will pick up the ribbon fairly quickly

      I've been using it for a fair while now, and it still annoys me. Thing is, at the end of the beta period I'm going to have to decide whether to stick with my existing Office version (XP), switch to Open Office, or upgrade to Office 2007.

      Right now, I just can't see any reason to upgrade. I've been an Office developer for more than a decade (switched from Paradox/Lotus to Office/Access 95), so this is a big decision for me. I've been a fairly vocal critic of MS since they started their customer harassment phase - I keep the install disks of my first Office XP Developer edition install nailed to the wall in front of me. It's there to remind me that I paid AU$1500 for a tool that won't activate on any computer in existence today.

      I've never had an alternative until now though, and even if OOo isn't a perfect replacement, at least it's a way out of the trap. If I and others start developing for it and using it, we'll be well on the way to creating the platform OOo is going to need to hit critical mass.

      --
      "I've got more toys than Teruhisa Kitahara."
  2. Do you really need MS Office? by pieterh · · Score: 5, Interesting

    The question people need to ask is not, "why should I switch to OpenOffice", but "what is the killer feature in MS Office that I absolutely need?" Do you really need to be able to run Word on a PDA? Do you need a smooth integration between Office and Exchange? Perhaps, but it's worth reevaluating.

    If the cost-benefit ratio is not strong enough to make the cost and insecurity worthwhile, abandon MS Office and use OOo. For most people it's a lot less painful than it sounds. I've even seen OOo spread like a fashion in some teams that were 100% Microsoft, as they discovered that OOo does actually work very nicely, and as they started using ODF as a standard in place of Microsoft's own formats. We did this a long time ago... we get a consistent set of tools on Windows and Linux, and documents that now conform to a global standard and which I know will still be readable in 20 years' time, whatever software or platform I'm using.

    There are many alternative office suites and OOo has its flaws, mainly it's a bit slow, but it has a feature set that hits 100% of what we've used - for documents, spreadsheets, simple graphics, and presentations - for years. And I don't get the feeling, when I run it, that I'm running a code base that has hundreds of undocumented backdoors, caused deliberately, or accidentally.

    1. Re:Do you really need MS Office? by pieterh · · Score: 4, Interesting

      Yes, the problem of "send this document to random people" is a real issue.

      However, since OpenOffice has had a "create PDF" feature for ages, and since it produces really elegant PDFs, this is a solved problem.

      I much prefer sending PDFs to editable documents because it prevents random modifications. When people do have to collaborate on writing a document, they can install OOo without much effort, and it is easy to learn, despite not being MS Office.

      I've seen many people learn to use OpenOffice and the suggestion that its interface is hard to use is untrue. I've literally given non-technical people (office admins, sales and marketing people) a Linux box with OpenOffice and said, "go for it", and they've produced documents and spreadsheets and presentations without asking anything after, "what printer do I use".

      PDFs are the answer to distributing prepared documents. PDF or HTML works fine for presentations. And if you *really* need to send someone an MS-Office format document, you use the "Save as" function to create it.

      And this model has let us use OO for 4-5 years in a world where almost all of our clients use MS-Office. It works.

    2. Re:Do you really need MS Office? by tomstdenis · · Score: 2, Informative

      you've got machines with RAM to spare,

      What? Office ain't light on ram either boy.

      you're not going to need support,

      I've never known Microsoft to allow any arbitrary Office user to phone them up...

      You're not going to need the pre-written macro code which is everywhere for Office,

      If I wanted to script my documents, I'd use LaTeX and do it properly.

      you don't need the excellent VBA IDE,

      ??? What is that?

      you don't need the excellent documentation,

      I've found that most of their documentation doesn't cover odd corner cases, that "clippy" is useless and trial and error is usually the best way to go with either suite.

      As to the rest ... the fact that others don't use it is self-serving. That's not a feature of Office, it's a result of the monopoly MSFT tries to establish. As for not matching the GUI, speak for yourself. It fits in just fine on my Gnome desktop.

      And again for the Macros. Dude, go teach yourself LaTeX. That's how you script a proper document.

      Tom

      --
      Someday, I'll have a real sig.
    3. Re:Do you really need MS Office? by tdvaughan · · Score: 4, Funny

      And I don't get the feeling, when I run it, that I'm running a code base that has hundreds of undocumented backdoors, caused deliberately, or accidentally.

      I, too, have become so much safer since I turned off my antivirus software and instead relied on good old, tried-and-tested intuition to detect malicious software and vulnerabilities.

    4. Re:Do you really need MS Office? by killjoe · · Score: 4, Informative

      "you've got machines with RAM to spare, "

      If you have enough RAM for access you have enough ram for office.

      "you're not going to need support,"

      If you need support you can buy it from Sun. You may have heard about Sun. I think they are a pretty large company.

      "you're not going to need the pre-written macro code which is everywhere for Office,"

      Office by default will not let you execute macros. Most organizations turn off the macro execution as a group policy in AD. Having said that if you have willingly chosen to open up your desktop to macro exploits and have willingly chosen to lock yourself to a vendor then you can't switch. Vendor lock sucks for an organization though. From now on you are no longer allowed to use any non MS office software ever. Good for them, sucks for you.

      "you don't need the excellent VBA IDE,"

      See above. You can script OO in python though, much better than VBA as far as I am concerned. There are several python IDEs around too last I checked.

      "you don't need the excellent documentation,"

      Wait let me check my office manual to see if it's better than the OO manual. Ooops looks like I didn't get an office manual. Seriously... There is excellent OO documentation. There are also several books which are cheaper than office.

      "you're not going to use the entire systems implemented in Office (Excel and Access systems are commonplace where I work, they're commercial and not in-house software)"

      If you are buying commercial apps they can (and should) use the office developer toolkit to deliver you a runtime. If they are forcing you to buy office just to run their apps then you are getting screwed. Also see the above remark about vendor lock.

      "you don't mind not being able to properly use the documents everyone outside your organisation will be using, and the documents your employees will be bringing from home,"

      Keep a copy of office around for those rare documents that don't translate properly. Tell your employees to use OO at home if they want to work from home. All companies have document standards.

      "you don't mind the GUI not matching the rest of your system,"

      When office 2007 comes out the GUI of OO will more closely match your XP box than office will.

      "you don't mind using a piece of software which no-one will have audited,"

      What makes you think office was audited? Who audited that commercial software package you got from that commercial vendor (you know the one that requires office to run). Who audited that messenger program half of your staff is using? I have news for you. 100% of the corporations in the world are running at least one piece of un-audited software.

      "you can't wait for Office 2007 for ODF,"

      The ODF support in 2007 will be read only. It will also be crippled from the looks of it.

      "and you don't need a rich macro API."

      You have no idea what you are talking about. None at all. Every part of OO is scriptable.

      "Disclaimer: I'm not an MS fanboy, "

      Yes you are. If you weren't you would not have lied so much.

      --
      evil is as evil does
    5. Re:Do you really need MS Office? by miro+f · · Score: 2, Insightful
      Audits don't have to be done by the people who wrote the code..


      no but they're generally done by people who can at least look at the code. Not to mention they usually don't use the knowledge gained from their audit to maliciously attack other systems.

      you're calling the many hackers willing to "audit" MS Office for vulnerabilities a benefit now? I find it difficult to comprehend your argument here...
      --
      being vague is almost as cool as doing that other thing...
  3. Re:My world is crumbling! by Anonymous Coward · · Score: 5, Funny
    No! A flaw in PowerPoint? A security issue? Say it ain't so!


    Hastily written karma whoring frist prost on Slashdot? Say it ain't so!

  4. Re:Office Vulnerabilities by blowdart · · Score: 3, Informative

    It depends how they update windows. If they've switched from windowsupdate to microsoftupdate then Office updates will be included (as well as updates for some server software like SQL 2005). The switch also changes the automatic update software.

  5. Good by tomstdenis · · Score: 2, Funny

    Now I have an excuse for all those stupid sales presentations I've skipped. :-)

    Tom

    --
    Someday, I'll have a real sig.
  6. Spend the time making better software by Knutsi · · Score: 2, Interesting

    It appears to me that it is hard to find software that cannot be exploited somehow, given enough time to dig into every possible way of doing so. Isn't this an indication that there is simply something wrong in the way software is put together and executed? Maybe the people who design APIs, compilers and whatever is used to make software need to rethink the way the stuff works... or maybe software is quite simply such a complex task of engineering that to keep it possible, it must also be possible to exploit.

    I have of course no idea how to change the world, or I'm sure I'd be either very rich, very famous or both ;)

    Take it away now,
    . Knut

  7. Word resume by lastberserker · · Score: 2, Insightful
    email it in Word format to a recruitment agency (why they wouldn't accept PDF is beyond me)

    Why? Because before the first living soul casts a glance on your resume it will be sifted for keywords, dragged through filters and rendered in some uniform way. And guess what, PDF is a presentation format, not a data storage format - there is no guarantee that you get the original textual data back from an arbitrary PDF document. So they don't accept any PDFs.

    --
    My other Beowulf cluster is... er...
  8. Do you really need powerpoint or similar? by dbIII · · Score: 2, Informative
    The question people need to ask is not, "why should I switch to OpenOffice"
    The question people should have been asking since 1992 is "why should I be doing a powerpoint or clone of it when a web presentation of some form can be used later and will work on something that is available if my laptop does not like the projector, gets dropped or other problems." Going out to buy the latest version of MS Office a few minutes before the presentation because some guy has a powerpoint presentation with embedded avi files that won't work with anything else is somewhat annoying.

    There are web content tools designed to work well even for your average aging office typist who is scared of computers.

  9. "Office!" [Snorts] by ettlz · · Score: 3, Funny

    He he, "PowerPoint"! When will you people give up and use LaTeX/Beamer like everyone else?!

  10. Link about the actual virus by DavidD_CA · · Score: 2, Informative

    The summary really should have linked to this page which describes the virus in a bit more technical nature. Not "reporter speak".

    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071212-4413-99&tabid=2

    Apparently the victim launches the PowerPoint slide show (probably spread via email like every other virus) and it uses PowerPoint to drop the virus and infect the machine. Although the link doesn't say, my guess is that it does this without prompting the user if it's okay to run a macro.

    The virus also displays a slide full of Chinese (?) characters. Anyone know what that translates to? "All your slide are belong to us"?

    --
    -David