Flaw Finders Lay Siege to Microsoft Office
An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if left unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"
I wish someone would do this much work for OpenOffice - I mean, think of how many $ of pen testing Microsoft is getting out of this deal, and all for free! Now they just need to put some decent programmers on it to clean up bugs and they will end up with a nice solid, secure codebase.
Think of the Children; Sleep with your Sister
Access is used by lots of small businesses keeping database logs of their customers and such...while it's not the greatest, it fills the void for a much larger customer base than you might think. In regards to the topic in general, it seems reasonable that as software grows more intricate and feature-filled as versions progress that more and more bugs will arise due to the mountains of new code added on. Maybe it's just me but 24 bugs in all of Office, when it is not even available to the public for beta testing, seems acceptable.
The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.
This is in tune with the general movement of virus and trojan writers to make money for their work, that we have been seeing in recent years. Internet Explorer was a good way to reach as many people as possible, but such attacks are also quickly detected, since they affect many people. So you make some money (for porn ads, most likely), then stop. With Office, you can attack fewer targets, but get paid well for your efforts, and no-one ever hears about it.
This sort of corporate espionage can go on for years without any antivirus vendor even getting the chance to encounter the malware. In addition, virtually 100% of corporations use Office; it's easier to leave IE in favor of Firefox than Office for OpenOffice. So targeting Office makes a lot of sense.
The worst form of "more than" abuse is, of course, when people use it with flagrantly non-round numbers. "More than 274 parts", "More than 6831 batteries", etc.
The second worst form -- which this OP engages in -- is nonsensical math. If 24 faults is "more than six times" the number of faults in the previous year, then the number of faults in the previous year was 1, 2, or 3 (if there were 4 in the previous year, 24 would be exactly six times as many). Yeah, the previous year could have been zero, but 1) I know Office better than that, and 2) let's give the OP at least a tiny bit of credit.
So, ok, we're up from between 1 and 3 to 24. "More than six times"? Well, if the previous year was 3, "more than seven times" would be more accurate. If the previous year were 2, "twelve times" would suffice. And, god help us, if there were only one in the previous year, "compared to only one last year" is probably better than "24 faults, which is 24 times more than last year."
Please, join me in the crusade against "more than" abuse. It does give extra punch to a sentence, but only if used properly.
-b
If I wanted a sig I would have filled in that stupid box.
It is outright incompetence for any CTO to not have migrated, be in the process of migrating, or be planning on migrating their workers to OpenOffice at this point.
If you don't mind me asking: how many users (corporate desktops, not friends/family) have you migrated from MS Office to OpenOffice?
Talk is cheap. Until you've moved maybe 100 or more people professionally from one to the other, you really shouldn't drone on about "incompetence". Suffice it to say: people do NOT want to change, and will put up with amazing amounts of wasted time and inconvenience to avoid doing so. Most people think of computers as these "black boxes" with arcane syntax and usability.
I've had tech support calls that consisted of somebody dragging the menu around in IE so that the "back" button had moved! (which underscores perhaps the most worthless feature MS has ever put out - the movable menu. Who ever wants to change that?)
It's not incompetence - it's following the path of least resistance. That results in less friction, which results in happier staff, which results in more productivity, which results in more profit, which means that the executives get richer, the lackeys don't get fired, and everybody is satisfactorily miserable.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Okay, 24 flaws were found. And yeah sure, it could be that it was actually "six times more than" (see the great post about "more than" abuse) found in all of 2005. It could just mean that they've been looking harder this year, not because flaws didn't exist before. The longer the program has been in development, the longer they have had to expose flaws. Plus, we really don't know anything about these "flaws". The article is very vague. We don't know the nature of the flaws, how difficult they will be to fix, or even how likely any hacker would be able to even use the flaw to do any serious damage.
And on the topic of flawed interpretation, I really must protest the comparison of an entire suite of at least 4 applications to ONE (internet explorer). That's worse than meaningless - that's just plain stupid.
You know how the saying goes about statistics - "The average human being has one breast and one testicle."
"The only normal people are the ones you don't know very well."
A few dozen - companies are small around here, so 'hundreds' would mean changing jobs a lot.
This is nonsense. In my experience, almost every user has no interest in the matter at all. They don't "want to change" but neither do they "not want to change". In fact, they don't want to be bothered by the decision. I could install MS Office; they wouldn't understand how to use it. I can install OpenOffice; they don't understand how to use that either, but it costs less and reduces worm damage. Either way, I'm going to get the same number of calls from people who can't figure out how to change the font size.
It's not that they're willing to put up with amazing amounts of wasted time and inconvenience to avoid switching - it's that they're willing to put up with wasted time and inconvenience, period. That has got nothing to do with their choice of software; they assume that all software is going to waste their time and inconvenience them, and consider it to be what they are paid for.
There are occasionally a small number of 'power users', who like to play with all the toys in a piece of software. These are the ones who loudly and strongly object to (any) changes. I simply forward all their complaints to the company directors, along with a quote for a copy of MS Office to install on that user's workstation; the directors can then decide whether this person is worth spending the extra money on. Interop between different versions of Office with different paper sizes is a joke anyway (because the users do not understand how to make it work), so they don't notice any extra problems caused by converting back and forth between MS and OpenOffice formats. The users understand that if they want a document to look the same way to the person receiving it, they should either (a) print it, or (b) send it as a PDF (because that's what I tell them every time they have trouble with this).
The reason for all this is simple: word processing and other 'office' applications are largely comprised of things that are not 'business-critical'. This means that so long as you can get a tidy-looking document onto a piece of paper, the rest is not significantly going to affect the business. The efficiency of this process does not have any visible effect on the bottom line (regardless of whether it has any actual effect) - because producing documents is 'overheads', not a part of the 'productive' side of the business (for most businesses). If you were in a business where the documents were your actual product, then it might matter, but you probably aren't (I'm not). Once I sketch these things out for the company directors, they invariably say "do it the way that doesn't involve spending £300 per workstation". They don't care about anything else, and consider the requests for expensive copies of Office in the same manner that they consider requests for expensive leather office chairs. While it is somewhat perverse to think of Office as a luxury, I don't have a problem with this because it means I have fewer copies of the thing to support.
My goodness, where did you get that idea? Nobody seriously cares about the happiness of employees doing office work, because they are interchangeable and frequently changed. It comes back to that "not business-critical" thing again. You want the employees producing your
I'm guessing this comment was made in a facetious tone.
I love FOSS. I'll use it every chance I can get. I will sing the praise of FOSS all day long.
However, Office is one of the best products Microsoft has ever put out. It is feature rich, the new UI in Office 12/2007 is damned clever, and despite all the bells and whistles, it loads extremely fast.
KOffice isn't nearly as powerful. OpenOffice.org is slow and bloated. I'm also not crazy about how 20% of the program is in Java.
The big knock on MS Office is the security flaws that come from macros. Just turn them off. And people have done proof-of-concept macro exploits with OpenOffice as well. The reason that we see so many in MS Office is because people specifically target it. If hackers targeted OpenOffice as often, you'd likely see the same number, if not more, exploits.
But honestly, MS Office is a pretty solid product.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
OpenOffice's code isn't exactly free of bugs. Given that it is open-source, it would be very easy to discover (if not plant) exploits. I advocate open-source software. And I'm glad that projects like OOo are around. Don't get me wrong. But office suites in general form some of the largest applications we have. There is just a butt-load of code there. So flaws are bound to pop up. And people do specifically target Microsoft.
I still believe Office to be one of the best products they put out. And I do believe (though I can't quantify with real evidence) that you could easily see the same type (and number) of exploits in other office suites if they were targeted as often.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Is it somehow considered "unfair" to use these tools? Does MS already know of the flaws found by these tools and has just chosen not to fix them? Do the OO.org people run these tools against the OO.org suite?
From a practical point of view, these tools just seem like regression tests. Tests that we all know we should run, but few take the time to do so. And as software developers, not running regression tests really puts the responsibility for the flaws in the developers' lap, not QA or the user.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Your experiences make you a lucky fellow. I do 3rd-party corporate IT, so unlike you I _do_ have hundreds of users without changing jobs.
While some of my customers are exactly the casual users that you describe, who don't really "need" Office, there's more at stake than you're really seeing. First, users and businesses evolve. Sally the Secretary might not actually need Word right now, but if she develops a need for Word at any point during the life-cycle of the computer she uses, there's going to be a problem. That problem: OEM software is cheaper than retail and only purchasable with hardware. Ooops. Okay, how about Volume Licensing? Sure, that's do-able, but there's a minimum number of licenses that have to be bought at once to qualify to open a VL account, which only lasts TWO YEARS. It's often -- not always -- a good idea to set up the PC with the functionality it's likely to acquire during its life cycle on day 0.
Next, all it takes is one feature not present in "the industry standard", a.k.a. MS Office, to throw into fairly severe scrutiny any advice to use an alternate product, free or not. Want to know how many tool-and-mold programs that render cutter-paths link to Excel? Excel. Not "something functionally equivalent to Excel." Want to know how many insurance industry programs that do either client-management or quote-generation link to Word or Outlook? Not "something functionally equivalent to Word or Outlook." It's common. Not universal, but common. And again, if you implement something "nonstandard" on day 0 and have to come back later to retrain and rework even a small department, it's easy for accounting departments (the guys who often link their software to Excel or Access) to wonder why things weren't just done "right" in the first place. You're the IT guy. You should've seen this coming.
The point that I'm trying to make here is that there's a reason why I have been unable to recommend Firefox (for instance) to even a single customer, despite being firmly addicted and a True Believer. One site that doesn't render "right" or even "the same" and my recommendation becomes suspect. One call to the support desk at whatever-business-partner-whose-site-doesn't-SEEM-to-be-working-right and they throw up their hands in the air saying "oh, Firefox...? We don't support that." One reluctant business-owner who can barely turn his computer on who wants to know why everyone else gets something different.
It's hard. It's very hard in a LOT of cases to recommend anything other than MS' products. And that's the ugly truth.
"Oh no... he found the