
Flaw Finders Lay Seige to Microsoft Office

An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if left unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"

24 of 149 comments

  1. OpenOffice needs this too by also-rr · · Score: 4, Insightful

    I wish someone would do this much work for OpenOffice - I mean, think of how many $ of pen testing Microsoft is getting out of this deal, and all for free! Now they just need to put some decent programmers on it to clean up bugs and they will end up with a nice solid, secure codebase.

    1. Re:OpenOffice needs this too by Anonymous Coward · · Score: 2, Insightful

      Most users don't care. Otherwise Mac and Linux would be getting hordes of converts, which they are not.

    2. Re:OpenOffice needs this too by Anonymous Coward · · Score: 1, Insightful

      We just had an article recently that said Apple notebooks are now roughly 12% of new notebook sales. Worldwide, that's a large number of people running OSX. And Linux is pretty hard to measure, as a lot of new computers get sold with Windows pre-installed, so Redmond counts that as a sale, because it is, *but* the install might not last long as Linux gets put on it for the primary OS it boots to. We don't know what that is but it has to be in the millions by now.

      MS is still dominant, but they are losing ground.

  2. Re:Access ? by cobryson · · Score: 3, Insightful

    Access is used by lots of small businesses keeping database logs of their customers and such...while it's not the greatest, it fills the void for a much larger customer base than you might think. In regards to the topic in general, it seems reasonable that as software grows more intricate and feature-filled as versions progress that more and more bugs will arise due to the mountains of new code added on. Maybe it's just me but 24 bugs in all of Office, when it is not even available to the public for beta testing, seems acceptable.

  3. Attacking Office vs. attacking IE by kripkenstein · · Score: 4, Insightful

    The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.

    This is in tune with the general movement of virus and trojan writers to make money for their work, that we have been seeing in recent years. Internet Explorer was a good way to reach as many people as possible, but such attacks are also quickly detected, since they affect many people. So you make some money (for porn ads, most likely), then stop. With Office, you can attack fewer targets, but get paid well for your efforts, and no-one ever hears about it.

    This sort of corporate espionage can go on for years without any antivirus vendor even getting the chance to encounter the malware. In addition, virtually 100% of corporations use Office; it's easier to leave IE in favor of Firefox than Office for OpenOffice. So targeting Office makes a lot of sense.

  4. Help stomp out "more than" abuse! by aiken_d · · Score: 5, Insightful

    The worst form of "more than" abuse is, of course, when people use it with flagrantly non-round numbers. "More than 274 parts", "More than 6831 batteries", etc.

    The second worst form -- which this OP engages in -- is nonsensical math. If 24 faults is "more than six times" the number of faults in the previous year, then the number of faults in the previous year was 1, 2, or 3 (if there were 4 in the previous year, 24 would be exactly six times as many). Yeah, the previous year could have been zero, but 1) I know office better than that, and 2) let's give the OP at least a tiny bit of credit.

    So, ok, we're up from between 1 and 3 to 24. "More than six times"? Well, if the previous year was 3, "more than seven times" would be more accurate. If the previous year were 2, "twelve times" would suffice. And, god help us, if there were only one in the previous year, "compared to only one last year" is probably better than "24 faults, which is 24 times more than last year."

    Please, join me in the crusade against "more than" abuse. It does give extra punch to a sentence, but only if used properly.
    -b

    --
    If I wanted a sig I would have filled in that stupid box.
  5. Re:OpenOffice by mcrbids · · Score: 4, Insightful

    it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.

    If you don't mind me asking: how many users (corporate desktops, not friends/family) have you migrated from MS Office to OpenOffice?

    Talk is cheap. Until you've moved maybe 100 or more people professionally from one to the other, you really shouldn't drone on about "incompetence". Suffice it to say: people do NOT want to change, and will put up with amazing amounts of wasted time and inconvenience to avoid doing so. Most people think of computers as these "black boxes" with arcane syntax and usability.

    I've had tech support calls that consisted of somebody dragging the menu around in IE so that the "back" button had moved! (which underscores perhaps the most worthless feature MS has ever put out - the movable menu. Who ever wants to change that?)

    It's not incompetence - it's following the path of least resistance. That results in less friction, which results in happier staff which results in more productivity, which results in more profit, which means that the executives get richer, the lackeys don't get fired, and everybody is satisfactorily miserable.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  6. And the free desktops? by infolib · · Score: 1, Insightful

    KDE and GNOME could really use this as well. Security through minority is only so feasible. Is anyone working on something similar?

    --
    Any sufficiently advanced libertarian utopia is indistinguishable from government.
  7. More than 6 times? by Kijori · · Score: 2, Insightful

    Why would they write this? 4x6 is 24, and every integer under 4 is a factor of 24. So they could have said "8 times as many", or "12 times as many". But why "More than 6 times"?

  8. Meaningless statistics... by hahn · · Score: 4, Insightful

    Okay, 24 flaws were found. And yeah sure, it could be that it was actually "six times more than" (see the great post about "more than" abuse) found in all of 2005. It could just mean that they've been looking harder this year, not because flaws didn't exist before. The longer the program has been in development, the longer they have had to expose flaws. Plus, we really don't know anything about these "flaws". The article is very vague. We don't know the nature of the flaws, how difficult they will be to fix, or even how likely any hacker would be able to even use the flaw to do any serious damage.

    And on the topic of flawed interpretation, I really must protest the comparison of an entire suite of at least 4 applications to ONE (Internet Explorer). That's worse than meaningless - that's just plain stupid.

    You know how the saying goes about statistics - "The average human being has one breast and one testicle."

    --
    "The only normal people are the ones you don't know very well."
  9. Re:OpenOffice by asuffield · · Score: 4, Insightful

    If you don't mind me asking: how many users (corporate desktops, not friends/family) have you migrated from MS Office to OpenOffice?

    A few dozen - companies are small around here, so 'hundreds' would mean changing jobs a lot.

    Suffice it to say: people do NOT want to change, and will put up with amazing amounts of wasted time and inconvenience to avoid doing so.

    This is nonsense. In my experience, almost every user has no interest in the matter at all. They don't "want to change" but neither do they "not want to change". In fact, they don't want to be bothered by the decision. I could install MS Office; they wouldn't understand how to use it. I can install OpenOffice; they don't understand how to use that either, but it costs less and reduces worm damage. Either way, I'm going to get the same number of calls from people who can't figure out how to change the font size.

    It's not that they're willing to put up with amazing amounts of wasted time and inconvenience to avoid switching - it's that they're willing to put up with wasted time and inconvenience, period. That has got nothing to do with their choice of software; they assume that all software is going to waste their time and inconvenience them, and consider it to be what they are paid for.

    There are occasionally a small number of 'power users', who like to play with all the toys in a piece of software. These are the ones who loudly and strongly object to (any) changes. I simply forward all their complaints to the company directors, along with a quote for a copy of MS Office to install on that user's workstation; the directors can then decide whether this person is worth spending the extra money on. Interop between different versions of Office with different paper sizes is a joke anyway (because the users do not understand how to make it work), so they don't notice any extra problems caused by converting back and forth between MS and OpenOffice formats. The users understand that if they want a document to look the same way to the person receiving it, they should either (a) print it, or (b) send it as a PDF (because that's what I tell them every time they have trouble with this).

    The reason for all this is simple: word processing and other 'office' applications are largely comprised of things that are not 'business-critical'. This means that so long as you can get a tidy-looking document onto a piece of paper, the rest is not significantly going to affect the business. The efficiency of this process does not have any visible effect on the bottom line (regardless of whether it has any actual effect) - because producing documents is 'overheads', not a part of the 'productive' side of the business (for most businesses). If you were in a business where the documents were your actual product, then it might matter, but you probably aren't (I'm not). Once I sketch these things out for the company directors, they invariably say "do it the way that doesn't involve spending £300 per workstation". They don't care about anything else, and consider the requests for expensive copies of Office in the same manner that they consider requests for expensive leather office chairs. While it is somewhat perverse to think of Office as a luxury, I don't have a problem with this because it means I have fewer copies of the thing to support.

    It's not incompetence - it's following the path of least resistance. That results in less friction, which results in happier staff which results in more productivity, which results in more profit, which means that the executives get richer, the lackeys don't get fired, and everybody is satisfactorily miserable.

    My goodness, where did you get that idea? Nobody seriously cares about the happiness of employees doing office work, because they are interchangeable and frequently changed. It comes back to that "not business-critical" thing again. You want the employees producing your

  10. Re:OpenOffice by Anonymous Coward · · Score: 2, Insightful

    Ah. What a wonderfully simple world. If only end users would listen to us IT geeks who know what they actually need, and if only every IT geek agreed on what that need actually was... Do you really believe there is no business case to be made for pre-installing a common suite of desktop apps, of which most of the workforce has experience, and which is known to serve the needs of power users? And do you think issuing edicts ex cathedra on what your user base really needs, without careful evaluation, is the best way to serve their long term interests?

    Congrats on having run across so many low-tech businesses where WordPad suffices for 90% of users. However, I'd suggest you avoid hitching your wagon to them: the ratio and level of knowledge workers in most Western industries can only increase, and for them WordPad and its ilk quickly become a straitjacket. OO is a better option, but there are several forces which make switching an expensive proposition. There's considerably more to a computer as a professional tool than producing paper output. As a corporate customer, I'm reasonably impressed by MS' product targeting: they (as does e.g. IBM) push features which enable collaboration, where OO is years behind. (Of course, other features, such as 'smart tags', are still solutions in search of a problem... but it's a cool API!)

    I can't help but wonder what levels of annoyance and missed opportunities are hidden behind those who do not belong to the 'most are happy' category you mention. You don't need to kill all the yeast to get bread that does not rise... and those few percent who are not happy may well be those who could have made a real creative difference.

    No, MS Office isn't the greatest set of products ever created. Yes, OO has many great features, and may well suffice for the needs of many. That still does not a business case make, no matter how many anecdotal war stories we recite, without hard numbers. If there really were such huge savings to be made across the board, there should be locust swarms of consultants helping companies make a tidal wave of conversion across the industry. Instead, we hear mixed reports, with some pointing to at least initial successes, but others migrating back into MS' fold. You may claim that is due to inbred stupidity, but that wouldn't tend to convince most people... Thus, CTOs tend to place higher priority on efforts which actually are likely to save or make some money for their companies, oddly enough.

  11. Re:Academic Problems by CowboyBob500 · · Score: 2, Insightful

    First, major citation programs that are critical to published scholarship, such as EndNote, will not integrate with OpenOffice.

    And? When I did my MSc we did use MS Office (before the days of OOo) but we did all our citations by hand. It didn't make things much slower as long as you were organised. And if you're not organised enough to keep track of your citations, what the hell are you doing in academia anyway, and what the hell is your thesis going to read like?

    Bob

  12. The reason why office is being targetted ... by Anonymous Coward · · Score: 1, Insightful

    Office System is not just a Business Application, it is an entire Business PLATFORM, hence why it's called Office SYSTEM.

    Anything built on top of Office System will also be targeted. Office is not just about Outlook or Word or Excel anymore. It is an entire ECOSYSTEM for business.

    My company business unit is building upon O12 System. This is a great reason to be concerned. It offers A LOT for free (including the vulnerabilities due to its inherent complexity and visibility)

  13. Re:Seriously? by Enderandrew · · Score: 4, Insightful

    I'm guessing this comment was made in a facetious tone.

    I love FOSS. I'll use it every chance I can get. I will sing the praise of FOSS all day long.

    However, Office is one of the best products Microsoft has ever put out. It is feature rich, the new UI in Office 12/2007 is damned clever, and despite all the bells and whistles, it loads extremely fast.

    KOffice isn't nearly as powerful. OpenOffice.org is slow and bloated. I'm also not crazy about how 20% of the program is in Java.

    The big knock on MS Office is the security flaws that come from macros. Just turn them off. And people have done proof-of-concept macro exploits with OpenOffice as well. The reason that we see so many in MS Office is because people specifically target it. If hackers targeted OpenOffice as often, you'd likely see the same number, if not more exploits.

    But honestly, MS Office is a pretty solid product.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  14. Re:Seriously? by Enderandrew · · Score: 3, Insightful

    OpenOffice's code isn't exactly free of bugs. Given that it is open-source, it would be very easy to discover (if not plant) exploits. I advocate open-source software. And I'm glad that projects like OOo are around. Don't get me wrong. But office suites in general form some of the largest applications we have. There is just a butt-load of code there. So flaws are bound to pop up. And people do specifically really target Microsoft.

    I still believe Office to be one of the best products they put out. And I do believe (though I can't quantify with real evidence) that you could easily see the same type (and number) of exploits in other office suites if they were targeted as often.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  15. Re:Quite right by WWWWolf · · Score: 2, Insightful

    Until then, as long as there's a need to embed documents, to use a powerful macro language that communicates with the OS and other software, to have data update in real time, to interop with business logic that depends on DDE or XLLs, or to do any of the million other essential things that Excel (in particular) does and OO does not, it's "Hello, Clippy!"

    That's the Microsoft approach.

    The OSS approach is not to try to integrate the stuff in the application. Integrating stuff to applications is slow, difficult and error-prone.

    The smart solution, of course, being that the documents can be processed by external tools written in any language you choose, with the documents only acting as the intermediate data stores and representation.

    Why make software open up the office application and use cursor-ballet to do its stuff, when you can just open the document and feed the data in right away, spitting out a new, modified document? That's not the confusing, explosive rocket science Microsoft is proposing - instead, just same stuff people have been doing since dawn of time in frigging IBM mainframes.

    The reason nobody does that in MS is that nobody understands the file formats really all that well, but OpenDocument file format is actually documented...

  16. Re:If someone else can find the flaws, why didn't by jacksonj04 · · Score: 2, Insightful

    There are people who know how to write complex software that is secure.

    Secure != Bug Free

    May I point you to the OpenBSD bug tracker, in which you may notice a bug has been open (not even analyzed) since 1997. MSFT isn't the only one who doesn't fix bugs quickly; 9 years is a bit excessive.
    --
    How many people can read hex if only you and dead people can read hex?
  17. Re:If someone else can find the flaws, why didn't by sedman · · Score: 2, Insightful

    You should have posted the bug #. I'm willing to bet that the 9 year bug is neither severe nor security related.

  18. Automated tools by fermion · · Score: 3, Insightful

    The article seems to decry the use of automated tools to find these flaws. The question to be asked then is, if the automated tools are so easy to use, why do software developers not use them to find flaws?

    Is it somehow considered "unfair" to use these tools? Does MS already know of the flaws found by these tools and has just chosen not to fix them? Do the OO.org people run these tools against the OO.org suite?

    From a practical point of view, these tools just seem like regression tests. Tests that we all know we should run, but few take the time to do so. And as software developers, not running regression tests really puts the responsibility for the flaws in the developers' lap, not QA or the user.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    1. Re:Automated tools by ZorbaTHut · · Score: 2, Insightful

      Because software developers don't think of it. Because you need computers to run these on, and that means you have to justify, to your superiors, why you need a computer just to run an automated fault-finding program on. Why not just, you know, stop making mistakes?

      Automated tests are fantastic, and I use them extensively, but not many developers do the same.

      --
      Breaking Into the Industry - A development log about starting a game studio.
  19. Re:OpenOffice by topham · · Score: 2, Insightful

    ActiveSync is the absolute worst synchronization software on the planet.

    It took me a long time to get it to work on my father's machine, and after spending a considerable amount of time doing research on the problem it spontaneously started working correctly.

    No, I am not kidding. I have never seen a functional piece of software that was as capable of acting flaky and indeterminate as ActiveSync.

    And someday someone is going to have to explain to me whatever happened to plug-and-play under Windows. If you accidentally plug a USB device in that was never plugged in before and doesn't have drivers installed you spend the next 15 minutes cleaning it up so you can install drivers.

  20. Re:OpenOffice by PsychoSlashDot · · Score: 4, Insightful

    Your experiences make you a lucky fellow. I do 3rd-party corporate IT, so unlike you I _do_ have hundreds of users without changing jobs.

    While some of my customers are exactly the casual users that you describe, who don't really "need" Office, there's more at stake than you're really seeing. First, users and businesses evolve. Sally the Secretary might not actually need Word right now, but if she develops a need for Word at any point during the life-cycle of the computer she uses, there's going to be a problem. That problem: OEM software is cheaper than retail and only purchasable with hardware. Ooops. Okay, how about Volume Licensing? Sure, that's do-able, but there's a minimum number of licenses that have to be bought at once to qualify to open a VL account, which only lasts TWO YEARS. It's often -- not always -- a good idea to set up the PC with the functionality it's likely to acquire during its life cycle on day 0.

    Next, all it takes is one feature not present in "the industry standard", a.k.a. MS Office, to throw into fairly severe scrutiny any advice to use an alternate product, free or not. Want to know how many tool-and-mold programs that render cutter-paths link to Excel? Excel. Not "something functionally equivalent to Excel." Want to know how many insurance industry programs that do either client-management or quote-generation link to Word or Outlook? Not "something functionally equivalent to Word or Outlook." It's common. Not universal, but common. And again, if you implement something "nonstandard" day 0 and have to come back later to retrain and rework even a small department, it's easy for accounting departments (the guys who often link their software to Excel or Access) to wonder why things weren't just done "right" in the first place. You're the IT guy. You should've seen this coming.

    The point that I'm trying to make here is that there's a reason why I have been unable to recommend Firefox (for instance) to even a single customer, despite being firmly addicted and a True Believer. One site that doesn't render "right" or even "the same" and my recommendation becomes suspect. One call to the support desk at whatever-business-partner-whose-site-doesn't-SEEM-to-be-working-right and they throw up their hands in the air saying "oh, Firefox...? We don't support that." One reluctant business-owner who can barely turn his computer on who wants to know why everyone else gets something different.

    It's hard. It's very hard in a LOT of cases to recommend anything other than MS' products. And that's the ugly truth.

    --
    "Oh no... he found the .sig setting."
  21. Re:OpenOffice by dfjghsk · · Score: 2, Insightful

    Couldn't agree more..

    Companies aren't interested in open source, just because it's open source... it has to not only have all of the features of MS office, but it has to give them a reason to switch.. it has to save them money, or make them more productive.

    Yes.. OO is free, so it would save them money WHEN THEY ARE LOOKING TO UPGRADE from what they already have.. but if they have Office and it's working, switching to a new office suite for no reason is only going to cost them money.

    --
    Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?