Flaw Finders Lay Seige to Microsoft Office
An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if left unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"
I wish someone would do this much work for OpenOffice - I mean, think of how many $ of pen testing Microsoft is getting out of this deal, and all for free! Now they just need to put some decent programmers on it to clean up bugs and they will end up with a nice solid, secure codebase.
Think of the Children; Sleep with your Sister
http://www.openoffice.org/
I guess it sucks if your business requires some esoteric feature in Microsoft's expensive and proprietary office software, but it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.
Guys, guys. There's nothing wrong with Microsoft Office.
Access is used by lots of small businesses keeping database logs of their customers and such...while it's not the greatest, it fills the void for a much larger customer base than you might think. In regards to the topic in general, it seems reasonable that as software grows more intricate and feature-filled as versions progress that more and more bugs will arise due to the mountains of new code added on. Maybe it's just me but 24 bugs in all of Office, when it is not even available to the public for beta testing, seems acceptable.
Siege, not seige.
Clearly, Microsoft keeps track of internal bug reports through Access.
(I keed, I keed...)
Without a proper flamewar, Anonymous was undecided on what shell to run.
The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.
This is in tune with the general movement of virus and trojan writers to make money for their work, that we have been seeing in recent years. Internet Explorer was a good way to reach as many people as possible, but such attacks are also quickly detected, since they affect many people. So you make some money (for porn ads, most likely), then stop. With Office, you can attack fewer targets, but get paid well for your efforts, and no-one ever hears about it.
This sort of corporate espionage can go on for years without any antivirus vendor even getting the chance to encounter the malware. In addition, virtually 100% of corporations use Office; it's easier to leave IE in favor of Firefox than Office for OpenOffice. So targeting Office makes a lot of sense.
The worst form of "more than" abuse is, of course, when people use it with flagrantly non-round numbers. "More than 274 parts", "More than 6831 batteries", etc.
The second worst form -- which this OP engages in -- is nonsensical math. If 24 faults is "more than six times" the number of faults in the previous year, then the number of faults in the previous year was 1, 2, or 3 (if there were 4 in the previous year, 24 would be exactly six times as many). Yeah, the previous year could have been zero, but 1) I know office better than that, and 2) let's give the OP at least a tiny bit of credit.
So, ok, we're up from between 1 and 3 to 24. "More than six times"? Well, if the previous year was 3, "more than seven times" would be more accurate. If the previous year were 2, "twelve times" would suffice. And, god help us, if there were only one in the previous year, "compared to only one last year" is probably better than "24 faults, which is 24 times more than last year."
Please, join me in the crusade against "more than" abuse. It does give extra punch to a sentence, but only if used properly.
-b
If I wanted a sig I would have filled in that stupid box.
I guess it sucks if your business requires some esoteric feature in Microsoft's expensive and proprietary office software, but it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.
Personally, I use OpenOffice, but from what I hear it's not that easy to use OpenOffice for many corporations. Some people I know are in the process of building a tech company, and they wanted to use OpenOffice, both because of the cost and because of the security. But some testing revealed that a single feature made that impossible for them: 'track changes' worked fine in OO, but opening a document from Office with change tracking never succeeded 100%. Apparently they plan to collaborate on documents with people outside their organization, so that's a problem. Sadly it looks like they will be buying Office licenses soon.
OpenOffice is great for a home user, but 'enterprise-oriented' features like tracking changes with people using Office are a must for some corporations. Until OpenOffice gets this sort of stuff to work, I can't completely agree with the quote above.
Although, given the security risk for Office users - which we can't even evaluate, as I'm assuming most corporate espionage is never discovered - it might be rational to find a way to live without some of the features in Office. Or, alternatively, to run Office on Crossover Office on Linux (assuming some of the trojan functionality, e.g. calling home, depends on ties with the underlying OS, which makes sense to me).
I would agree with you there except for the "when it is not even available to the public" - I expect a lower count _because_ it is not available to the public. I.e. if the code base was at least read-only, I would expect a higher number of such reports. However, do these guys get paid for this? I would assume Microsoft has dedicated staff for this.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Yeah i see what you mean, more beta testers=more bugs found...my point was that a piece of software that has not made it to public beta is still going to have lots of issues, and that's understandable. Had these 24 issues arisen closer to the release date and during beta testing, this problem would seem much more significant.
Also, I don't know if these testers are paid or not, but yes, Microsoft has their own testers. However, the tried and true method of having an outside source proofread your work is very helpful in discovering problems in any situation.
Sure - if you have a data file (tab delimited or whatever) with more than 65,536 rows you can't open it in Excel. Or maybe you're more familiar with SQL queries than coding for Excel. Enter a market niche for Access. I see both of these happening on a regular basis in the world of Finance.
Access is a very powerful program, if nothing else it allows you to easily create a frontend to a much more powerful database with very little fuss.
Access is huge in business because it is trivial to modify the user interface, and to add functionality later on. A massive database solution might do the job faster but if the IT staff can't go in and change the interface every now and then it is pointless. A prime example is upgrading the user interface from the one designed in 1998 for an 800x600 screen to a more recent 1024x768 interface.
says the Flaw Finder.
Access actually has a number of uses in the business world, and even the enterprise.
Even in larger businesses, where a major enterprise database/system would NEVER be written in "access", it's not uncommon for a little access app to be written as a custom front end to some aspect of an mssql server database. In fact that's one of access' strengths: it's actually a pretty good RAD (rapid application development) tool for building simple UI front ends for larger databases. And since Access is bundled with Office Pro it's basically "free" in this environment.
Just for clarification the article says that the flaws are being found in the latest production version of office, not the latest iteration (which would imply pre-betas of office 2007 (2008?, whatever)). Obviously it would be stupid to compare the flaws in a production product with those in a pre-beta, which is what the summary on /. seems to imply.
Philosophy.
Delphi comes to mind for such RAD tools. But I suppose I see your point.
OpenOffice would be great, except that in the academic world, Microsoft Office still holds a dominant position. Mainly, this is due to two facts. First, major citation programs that are critical to published scholarship, such as End Note, will not integrate with OpenOffice. Second, many major academic conferences require a PowerPoint presentation. Now, you can write all you want about how that sucks and how people should not support such stupid requirements, but they exist, and I as an academic professional must adhere to them.
So I am glad to see that M$ is patching these bugs. Anything that makes my essential tools safer is a Good Thing.
KDE and GNOME could really use this as well. Security through minority is only so feasible. Is anyone working on something similar?
Any sufficiently advanced libertarian utopia is indistinguishable from government.
Why would they write this? 4x6 is 24, and every integer under 4 is a factor of 24. So they could have said "8 times as many", or "12 times as many". But why "More than 6 times"?
All of these flaws deal with documents and the answer is obvious: you need to have anti-virus anyway, and it's easier for AV to cover these flaws quickly than for Microsoft to patch them quickly. So for any responsible organization it's not a problem for very long.
who thought that "Flaw finders" were people who found flaws in Finder? That's even easier than finding flaws in Microsoft software....
Monstar L
ok, just to clear a few things up:
1) they're talking about security vulnerabilities, not bugs. I'm sure the number of Office bugs is in the thousands... It's pretty difficult to write a large piece of software without them
2) The article was stating that 24 Vulnerabilities were found in the current crop of Office, not in the up and coming Office 2007, so your bit about "not available to public" is not applicable
being vague is almost as cool as doing that other thing...
Okay, 24 flaws were found. And yeah sure, it could be that it was actually "six times more than" (see the great post about "more than" abuse) found in all of 2005. It could just mean that they've been looking harder this year, not because flaws didn't exist before. The longer the program has been in development, the longer they have had to expose flaws. Plus, we really don't know anything about these "flaws". The article is very vague. We don't know the nature of the flaws, how difficult they will be to fix, or even how likely any hacker would be able to even use the flaw to do any serious damage.
And on the topic of flawed interpretation, I really must protest the comparison of an entire suite of at least 4 applications to ONE (internet explorer). That's worse than meaningless - that's just plain stupid.
You know how the saying goes about statistics - "The average human being has one breast and one testicle."
"The only normal people are the ones you don't know very well."
Bollocks! They've always posed a danger, it's just that now they're getting some attention. I wonder if they'll look at TrueType/OpenType fonts any time soon - anyone remember the BSOD .ttf file?
I believe by "professional user" our anonymous friend means "person who for some reason purchased the Professional Edition of Microsoft Office, possibly because it sounded cooler". I use it for phone numbers!
Absolutely. As soon as OO implements a large enough subset of Office features, I'll be all over that.
Until then, as long as there's a need to embed documents, to use a powerful macro language that communicates with the OS and other software, to have data update in real time, to interop with business logic that depends on DDE or XLLs, or to do any of the million other essential things that Excel (in particular) does and OO does not, it's "Hello, Clippy!"
Actually, though, I do have some questions for those who might take a more optimistic view than me:
1 -- maths formulae created in OO don't seem to work in Word. Is that OO's fault or Word's?
2 -- Bloomberg's DDE system seems not to work with OO (not that it's particularly efficient in Excel either). Is that OO's fault or Bloomberg's?
Whence? Hence. Whither? Thither.
The bugs were found with automated tools to make "broken" files. Seems to work well. Means there will be a much higher detection-rate and it is much harder to keep up patching.
Also Office is the new vector of attack, no longer IE or email. Office is now the format for the web, and people can't avoid opening files coming from the outside. A good reason to examine it closely.
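As an added illustration of the approach the post above refers to (automated tools that make "broken" files), and not code from the article or from any poster: a small mutational fuzzer in Python run against a constructed toy document format. The format (`DOC1` magic, a field count, length-prefixed fields with a one-byte checksum), the parser, its deliberate bounds bug and the hardened version are all assumptions made for this demo; none of it is an Office structure. The point is the defender's side of the story: the same tool that finds the crash also shows that a bounds-checked parser rejects every mutated file gracefully.

```python
"""Mutational file fuzzer against a toy document parser (constructed example)."""
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Callable, Optional

MAGIC = b"DOC1"  # constructed toy format, not a real Office structure


def build_doc(fields: list[bytes]) -> bytes:
    """Serialise: magic, 1-byte field count, then (2-byte length, bytes, 1-byte checksum) per field."""
    out = bytearray(MAGIC)
    out.append(len(fields))
    for f in fields:
        out += len(f).to_bytes(2, "big")
        out += f
        out.append(sum(f) & 0xFF)
    return bytes(out)


def parse_doc_buggy(data: bytes) -> list[bytes]:
    """Deliberately buggy parser: it compares a field length to the whole buffer
    instead of the bytes remaining after the current offset."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    count = data[4]                      # no size check: IndexError on a 4-byte file
    off, fields = 5, []
    for _ in range(count):
        length = int.from_bytes(data[off:off + 2], "big")
        off += 2
        if length > len(data):           # BUG: should be checked against remaining bytes
            raise ValueError("field too long")
        field = data[off:off + length]
        if data[off + length] != sum(field) & 0xFF:   # IndexError when the field runs off the end
            raise ValueError("bad checksum")
        fields.append(field)
        off += length + 1
    return fields


def parse_doc_safe(data: bytes) -> list[bytes]:
    """Same format, every read bounds-checked against the remaining bytes."""
    if len(data) < 5 or data[:4] != MAGIC:
        raise ValueError("bad header")
    count = data[4]
    off, fields = 5, []
    for _ in range(count):
        if off + 2 > len(data):
            raise ValueError("truncated length field")
        length = int.from_bytes(data[off:off + 2], "big")
        off += 2
        if off + length + 1 > len(data):
            raise ValueError("field runs past end of file")
        field = data[off:off + length]
        if data[off + length] != sum(field) & 0xFF:
            raise ValueError("bad checksum")
        fields.append(field)
        off += length + 1
    return fields


@dataclass
class Crash:
    case: bytes   # the mutated file that triggered the crash
    error: str    # exception type and message


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random structural mutation to a well-formed seed file."""
    buf = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and buf:                         # flip bits in one byte
        i = rng.randrange(len(buf))
        buf[i] ^= rng.randrange(1, 256)
    elif choice == 1 and buf:                       # truncate the file
        del buf[rng.randrange(len(buf)):]
    elif choice == 2:                               # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) >= 7:                             # overwrite the first length field
        buf[5:7] = b"\xff\xff"
    return bytes(buf)


def fuzz(parser: Callable[[bytes], list[bytes]], seed: bytes,
         iterations: int = 500, rng_seed: int = 1) -> Optional[Crash]:
    """Feed mutated files to the parser; a ValueError is a graceful rejection,
    anything else is a crash worth triaging. Returns the first crash or None."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:  # noqa: BLE001 - any other exception is the finding
            return Crash(case, f"{type(exc).__name__}: {exc}")
    return None


SEED = build_doc([b"hello", b"abc"])  # constructed well-formed input

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_doc_buggy, SEED))
    print("safe parser: ", fuzz(parse_doc_safe, SEED))
```

Run it and the buggy parser falls over within a few hundred mutations (typically an `IndexError` on a truncated file), while the hardened parser reports no crash for the same seed and iteration count; in practice a harness like this sits in CI so a regression in the bounds checks is caught before release, which is the "regression test" framing raised later in this thread.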
Office System is not just a business application, it is an entire business PLATFORM, hence why it's called Office SYSTEM.
Anything built on top of Office System will also be targeted. Office is not just about Outlook or Word or Excel anymore. It is an entire ECO SYSTEM for business.
My company business unit is building upon O12 System. This is a great reason to be concerned. It offers A LOT for free (including the vulnerabilities due to its inherent complexity and visibility)
The thing about most Office suites, openoffice included, is that they are overly complex for what they are used for. The more complex the software is, the higher chance that there will be bugs.
...and that is all I have to say about that.
http://jessta.id.au
Sorry, malware writers run their code against AV software to make sure it gets through first before releasing it in the wild. It's figured around 8 out of ten malware attempts get through.
Only one brand of AV software catches 90% of malware and it only holds .07% of the market.
http://www.zdnet.com.au/blogs/securifythis/soa/Why_popular_antivirus_apps_do_not_work_/0,39033341,39264249,00.htm/
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm/
It seems amazing to me that there are so many very critical flaws in Microsoft products. If someone else can find the flaws, why didn't Microsoft?
I've heard that Microsoft is managed in such a way that programmers don't have time to finish their work. I know that Microsoft makes more money if there are more flaws, because users can be expected to upgrade.
However, it seems that there are too many bugs for that to be the whole explanation.
So, why, year after year, has Microsoft been at the top of the vulnerabilities list? I don't accept the argument that "software is complex, and always has bugs." There are people who know how to write complex software that is secure. Microsoft could certainly hire such people. If the company wanted to have software that was relatively free of vulnerabilities, it could.
The argument that Microsoft vulnerabilities get more attention doesn't seem adequate to me to explain the huge number of very severe bugs.
But, what is the explanation?
May I point you to the OpenBSD bug tracker, in which you may notice a bug has been open (Not even analyzed) since 1997. MSFT isn't the only one who doesn't fix bugs quickly, 9 years is a bit excessive.
How many people can read hex if only you and dead people can read hex?
AV will always be broken. There are better ways than signatures. The problem is with human nature. We'd rather take a pill to relieve a headache than avoid the things that give us that headache in the first place.
You should have posted the bug #. I'm willing to bet that the 9 year bug is neither severe nor security related.
Is it somehow considered "unfair" to use these tools? Does MS already know of the flaws found by these tools and has just chosen not to fix them? Do the OO.org people run these tools against the OO.org suite?
From a practical point of view, these tools just seem like regression tests. Tests that we all know we should run, but few take the time to do so. And as software developers, not running regression tests really puts the responsibility for the flaws in the developers' lap, not QA or the user.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
>Number: 137
>Severity: critical
As quoted from the tracker.
"Maude Flanders Lays Siege to Microsoft's Office"
I think I need to cut down a bit. Maybe more Futurama instead.
Death and danger are my various breads and various butters.
Pirate versions of Windows can receive security patches. Pirate versions of Office don't, since any Office updates will break the cracks used. Therefore Office flaws can be more damaging to the cheapskate user. He has to pay, or (preferably) use OO instead.
Suggesting Office is pretty bad, but you do have some semi-legitimate reasons.
A bit of optimism is called for.
Suggesting IE is pure evil. You're needlessly putting critical data at risk.
You coded up some crapplet in Office BASIC. As a result, the user interface does not scale to different screen resolutions. Your solution to the problem is actually the cause of your problem.
Using a proper GUI toolkit, building an app that fails to scale is probably more difficult than building one that scales perfectly. All the example apps scale perfectly. Most of the documentation assumes that you want your app to scale perfectly. As a bonus, you get a programming language that isn't a joke.
Proper toolkits: GTK, Qt, most of the Java stuff, probably FLTK and wxWindows...
Yes. Absolutely. "Nobody ever got fired for recommending Microsoft Office."
Clearly you don't know anyone that recommended buying Word 6 for Macintosh. After Word 5 being just fine they created a superturd in the next release.
Take a Mac program, port it to Windows, rewrite it, and then compile it for Windows and Mac. How could that possibly yield a crap product?
[UID-HeinzIntel]
systemic: of or pertaining to a system. http://www.webster-dictionary.net/definition/systemic
indicating evil as a pervasive and basic attribute of any Microsoft product or endeavor.
or
systematic: Of or pertaining to system; consisting in system; methodical; formed with regular connection and adaptation or subordination of parts to each other, and to the design of the whole. http://www.webster-dictionary.net/definition/systematic
indicating a deliberate, planned integration of evil into Microsoft products and endeavors.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
If someone else can find the flaws, why didn't Microsoft?
Who says Microsoft can't find the flaws? The problem is, Microsoft needs to find ALL the flaws. The "someone else" just needs to find ONE flaw.
Not ones working from muscle memory.
When MS stop supporting your current stuff, or you can't buy it any more, you'll have a shedload of numpties who will be complaining and no way out.
There were up to 10x or more flaws in Office discovered this year than the previous year.
So your program crashes with a PC=0xdeadbeef (as an example), you search the fuzz data for the sequence 0xdeadbeef, and try changing the fuzz data to 0xbeefdead, and if that's the new PC in the crash, you simply put a really short break-me sequence in front of it, and change the PC to the return address in the crash minus the length of the break-me sequence...
Sure, not every bug that the fuzzer finds will be one like that, but I suspect many of the ones listed in the MS code were found that way.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
If someone else can find the flaws, why didn't Microsoft?
Given the sheer number of people looking for flaws who don't work for Microsoft, the answer is simply: Microsoft could, if they employed as many people to look for bugs. But since other people are doing it, and for free, why should they?
So, why, year after year, has Microsoft been at the top of the vulnerabilities list?
Because their products are used in more places than any other. Therefore, if you want to write an exploit which will spread the furthest, or cause the most damage, then you target the most widespread software. It really is that simple. If another product came to market, and wiped out Microsoft's lead, then I'm willing to bet that we'd suddenly see slews of flaws in the new Product X being reported.
If the company wanted to have software that was relatively free of vulnerabilities, it could.
Given the complexity of the software, I think that's up for debate. But Microsoft, being a profit-orientated organisation, face different pressures than a non-profit, open-source project. At the end of the day, managers have targets that the sales people have promised other people. If you get slippage on a project, then (in my experience) the attitude of the managers (at any profit-based company) is usually "let's ship something that LOOKS like it works; we can always patch it later, and we'll hit our deadline."
I've never worked for Microsoft, so I don't know what their processes are; but I can certainly understand how a software company ends up shipping products with security flaws, and how they are discovered so quickly.
And, of course, there's a certain breed of script kiddy who targets Microsoft products because they are Microsoft, and regarded as the Evil Empire (tm).
'No rational religion claims "supernatural" exists, that's an atheist slander.' - seen on slashdot.
If the siege gets too hot, Baller will be out with his Furion Chair Battalions, and will settle the matter in seconds. The pen testers are trembling.
"Openoffice is slow, awkward to use and lacks a lot of features"
...
On this computer, Open Office opens and runs just as fast as msOffice under Windows. Most people stick to open/spellcheck/save/print. It doesn't matter how many features, you still have to pay someone to work the computer.
"after all time is not worthless"
fud injection alert
davecb5620@gmail.com
"Our (very small) business recently migrated *away* from Open Office"
..
What was the name of this business?
Why did it migrate to OpenOffice in the first place?
What did you use before migrating to Open Office?
"Since changing to office our productivity on certain tasks such as collaboratively authoring"
Neither msOffice nor OpenOffice are suitable for such a purpose. What you need is some kind of CVS system only in this case to handle rich text files.
"We just send the latest version and they send it back with the edits marked in track changes"
Reminds me of an architects office I did some work for. 'A' emailed a doc to 'B' who worked on it and emailed it to 'C' who emailed it back to 'A'. Meanwhile 'D' worked on the 'C' version and emailed it to 'F' who emailed it in turn to back to 'A'. Question: which one is the 'current' version?
"Openoffice has to be really, really easy for someone to use who is familiar with office (it's getting closer, but a long way to go)"
I've tried a few msOffice users on OpenOffice and they can't tell the difference!
"its ability to save to and read from office formats needs to be a lot better than it currently is"
Oh, I forgot: A, B, C, D, E and F all have different versions of msOffice. B can only read files sent from A etc
"No, ignoring blatant flaws in OSS makes you a fanboy."
...
..
No, resorting to name calling makes you a TROLL
"Openoffice is slow"
False
"awkward to use"
How so exactly? Most users can't tell the difference.
"and lacks a lot of features"
Exactly what kind of functionality does it lack?
"I think I'll stick with MS Office, for a professional user the price is not important"
The corollary meaning being 'professional' users don't use OO and the rest only use it because it is 'free'
"after all time is not worthless."
If this isn't a TROLL, I don't know what is.
Who are you going to be next week?