Flaw Finders Lay Seige to Microsoft Office
An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if left unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"
I wish someone would do this much work for OpenOffice - I mean, think of how many $ of pen testing Microsoft is getting out of this deal, and all for free! Now they just need to put some decent programmers on it to clean up bugs and they will end up with a nice solid, secure codebase.
Think of the Children; Sleep with your Sister
Guys, guys. There's nothing wrong with Microsoft Office.
Access is used by lots of small businesses keeping database logs of their customers and such...while it's not the greatest, it fills the void for a much larger customer base than you might think. In regards to the topic in general, it seems reasonable that as software grows more intricate and feature-filled as versions progress that more and more bugs will arise due to the mountains of new code added on. Maybe it's just me but 24 bugs in all of Office, when it is not even available to the public for beta testing, seems acceptable.
Siege, not seige.
Clearly, Microsoft keeps track of internal bug reports through Access.
(I keed, I keed...)
Without a proper flamewar, Anonymous was undecided on what shell to run.
The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.
This is in tune with the general movement of virus and trojan writers to make money for their work, that we have been seeing in recent years. Internet Explorer was a good way to reach as many people as possible, but such attacks are also quickly detected, since they affect many people. So you make some money (for porn ads, most likely), then stop. With Office, you can attack fewer targets, but get paid well for your efforts, and no-one ever hears about it.
This sort of corporate espionage can go on for years without any antivirus vendor even getting the chance to encounter the malware. In addition, virtually 100% of corporations use Office; it's easier to leave IE in favor of Firefox than Office for OpenOffice. So targeting Office makes a lot of sense.
The worst form of "more than" abuse is, of course, when people use it with flagrantly non-round numbers. "More than 274 parts", "More than 6831 batteries", etc.
The second worst form -- which this OP engages in -- is nonsensical math. If 24 faults is "more than six times" the number of faults in the previous year, then the number of faults in the previous year was 1, 2, or 3 (if there were 4 in the previous year, 24 would be exactly six times as many). Yeah, the previous year could have been zero, but 1) I know office better than that, and 2) let's give the OP at least a tiny bit of credit.
So, ok, we're up from between 1 and 3 to 24. "More than six times"? Well, if the previous year was 3, "more than seven times" would be more accurate. If the previous year were 2, "twelve times" would suffice. And, god help us, if there were only one in the previous year, "compared to only one last year" is probably better than "24 faults, which is 24 times more than last year."
Please, join me in the crusade against "more than" abuse. It does give extra punch to a sentence, but only if used properly.
-b
If I wanted a sig I would have filled in that stupid box.
I guess it sucks if your business requires some esoteric feature in Microsoft's expensive and proprietary office software, but it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.
Personally, I use OpenOffice, but from what I hear it's not that easy to use OpenOffice for many corporations. Some people I know are in the process of building a tech company, and they wanted to use OpenOffice, both because of the cost and because of the security. But some testing revealed that a single feature made that impossible for them: 'track changes' worked fine in OO, but opening a document from Office with change tracking never succeeded 100%. Apparently they plan to collaborate on documents with people outside their organization, so that's a problem. Sadly it looks like they will be buying Office licenses soon.
OpenOffice is great for a home user, but 'enterprise-oriented' features like tracking changes with people using Office are a must for some corporations. Until OpenOffice gets this sort of stuff to work, I can't completely agree with the quote above.
Although, given the security risk for Office users - which we can't even evaluate, as I'm assuming most corporate espionage is never discovered - it might be rational to find a way to live without some of the features in Office. Or, alternatively, to run Office on Crossover Office on Linux (assuming some of the trojan functionality, e.g. calling home, depends on ties with the underlying OS, which makes sense to me).
it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.
If you don't mind me asking: how many users (corporate desktops, not friends/family) have you migrated from MS Office to OpenOffice?
Talk is cheap. Until you've moved maybe 100 or more people professionally from one to the other, you really shouldn't drone on about "incompetence". Suffice it to say: people do NOT want to change, and will put up with amazing amounts of wasted time and inconvenience to avoid doing so. Most people think of computers as these "black boxes" with arcane syntax and usability.
I've had tech support calls that consisted of somebody dragging the menu around in IE so that the "back" button had moved! (which underscores perhaps the most worthless feature MS has ever put out - the movable menu. Who ever wants to change that?)
It's not incompetence - it's following the path of least resistance. That results in less friction, which results in happier staff, which results in more productivity, which results in more profit, which means that the executives get richer, the lackeys don't get fired, and everybody is satisfactorily miserable.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Access is a very powerful program, if nothing else it allows you to easily create a frontend to a much more powerful database with very little fuss.
Access is huge in business because it is trivial to modify the user interface, and to add functionality later on. A massive database solution might do the job faster, but if the IT staff can't go in and change the interface every now and then it is pointless. A prime example is upgrading the user interface from the one designed in 1998 for an 800x600 screen to a more recent 1024x768 interface.
Just for clarification the article says that the flaws are being found in the latest production version of office, not the latest iteration (which would imply pre-betas of office 2007 (2008?, whatever)). Obviously it would be stupid to compare the flaws in a production product with those in a pre-beta, which is what the summary on /. seems to imply.
Philosophy.
If the business case for switching to OO were that clearcut, you think MS Office would still be around?
Yes. Absolutely. "Nobody ever got fired for recommending Microsoft Office."
I know several businesses where 90% of the users don't need much more than WordPad who are running MS Office Pro. They only use spreadsheets at all because the "table" layout makes doing certain types of form easier -- they have timesheets, expense sheets, etc. that don't even use calculations. They don't use PowerPoint or Access or even Outlook (they're on corporate webmail).
They DO NOT need several hundred licenses of MS Office.
But the IT director authorizes Office Pro on every new desktop. There is no business case for it. When I suggested they cut costs and standardise on OO on at least the machines that are being used by low level staff to fill out their time sheet and read office memos I just get a blank stare.
They've never heard of it, don't believe that it could possibly meet their needs (which they've clearly never actually assessed), and they have ZERO intention of even looking into it. Worse, they've been gradually growing, and new machines come with new Office while the old machines have "old Office"... so they are supporting users with every version of Office since 95.
It's sad.
FWIW I *have* converted a couple of companies to OO, and the most recent was done as part of a general upgrade. We pulled out boxes with Win98 and Office 98 and dropped in new XP Pro boxes with OO. We set the defaults to use Office formats so there would be minimal transition issues. Most staff aren't even really aware they aren't using Microsoft Office anymore -- which is unfortunate really, because it's not doing OO much good if people don't even know they are using it.
I've also recommended OO to many home users. For the most part they are happy with it, and it works well enough that they actually prefer the "legality" of it even if it's not 100% what they are used to.
ok, just to clear a few things up:
1) They're talking about security vulnerabilities, not bugs. I'm sure the number of Office bugs is in the thousands... It's pretty difficult to write a large piece of software without them.
2) The article was stating that 24 vulnerabilities were found in the current crop of Office, not in the up-and-coming Office 2007, so your bit about "not available to the public" is not applicable.
being vague is almost as cool as doing that other thing...
Okay, 24 flaws were found. And yeah sure, it could be that it was actually "six times more than" (see the great post about "more than" abuse) found in all of 2005. It could just mean that they've been looking harder this year, not because flaws didn't exist before. The longer the program has been in development, the longer they have had to expose flaws. Plus, we really don't know anything about these "flaws". The article is very vague. We don't know the nature of the flaws, how difficult they will be to fix, or even how likely any hacker would be able to even use the flaw to do any serious damage.
And on the topic of flawed interpretation, I really must protest the comparison of an entire suite of at least 4 applications to ONE (internet explorer). That's worse than meaningless - that's just plain stupid.
You know how the saying goes about statistics - "The average human being has one breast and one testicle."
"The only normal people are the ones you don't know very well."
Our (very small) business recently migrated *away* from OpenOffice. New staff were confused, couldn't do things the way they were used to. They arrive already knowing how to use Word, Excel, PowerPoint (ugh! but it's sometimes necessary), but give them OpenOffice and there is a substantial learning curve. Remember, what Slashdot uber-geeks can learn in 5 seconds takes the average person 10 weeks. Since changing to Office our productivity on certain tasks such as collaboratively authoring documents has increased substantially. We just send the latest version and they send it back with the edits marked in track changes. Yes, all can be done using OpenOffice - but not when the customer or client doesn't have OpenOffice. OpenOffice has to be really, really easy to use for someone who is familiar with Office (it's getting closer, but a long way to go). And its ability to save to and read from Office formats needs to be a lot better than it currently is.
In theory, there's no difference between theory and practice; in practice there is.
I believe by "professional user" our anonymous friend means "person who for some reason purchased the Professional Edition of Microsoft Office, possibly because it sounded cooler". I use it for phone numbers!
A few dozen - companies are small around here, so 'hundreds' would mean changing jobs a lot.
This is nonsense. In my experience, almost every user has no interest in the matter at all. They don't "want to change" but neither do they "not want to change". In fact, they don't want to be bothered by the decision. I could install MS Office; they wouldn't understand how to use it. I can install OpenOffice; they don't understand how to use that either, but it costs less and reduces worm damage. Either way, I'm going to get the same number of calls from people who can't figure out how to change the font size.
It's not that they're willing to put up with amazing amounts of wasted time and inconvenience to avoid switching - it's that they're willing to put up with wasted time and inconvenience, period. That has got nothing to do with their choice of software; they assume that all software is going to waste their time and inconvenience them, and consider it to be what they are paid for.
There are occasionally a small number of 'power users', who like to play with all the toys in a piece of software. These are the ones who loudly and strongly object to (any) changes. I simply forward all their complaints to the company directors, along with a quote for a copy of MS Office to install on that user's workstation; the directors can then decide whether this person is worth spending the extra money on. Interop between different versions of Office with different paper sizes is a joke anyway (because the users do not understand how to make it work), so they don't notice any extra problems caused by converting back and forth between MS and OpenOffice formats. The users understand that if they want a document to look the same way to the person receiving it, they should either (a) print it, or (b) send it as a PDF (because that's what I tell them every time they have trouble with this).
The reason for all this is simple: word processing and other 'office' applications are largely composed of things that are not 'business-critical'. This means that so long as you can get a tidy-looking document onto a piece of paper, the rest is not significantly going to affect the business. The efficiency of this process does not have any visible effect on the bottom line (regardless of whether it has any actual effect) - because producing documents is 'overheads', not a part of the 'productive' side of the business (for most businesses). If you were in a business where the documents were your actual product, then it might matter, but you probably aren't (I'm not). Once I sketch these things out for the company directors, they invariably say "do it the way that doesn't involve spending £300 per workstation". They don't care about anything else, and consider the requests for expensive copies of Office in the same manner that they consider requests for expensive leather office chairs. While it is somewhat perverse to think of Office as a luxury, I don't have a problem with this because it means I have fewer copies of the thing to support.
My goodness, where did you get that idea? Nobody seriously cares about the happiness of employees doing office work, because they are interchangeable and frequently changed. It comes back to that "not business-critical" thing again. You want the employees producing your
Absolutely. As soon as OO implements a large enough subset of Office features, I'll be all over that.
Until then, as long as there's a need to embed documents, to use a powerful macro language that communicates with the OS and other software, to have data update in real time, to interop with business logic that depends on DDE or XLLs, or to do any of the million other essential things that Excel (in particular) does and OO does not, it's "Hello, Clippy!"
Actually, though, I do have some questions for those who might take a more optimistic view than me:
1 -- maths formulae created in OO don't seem to work in Word. Is that OO's fault or Word's?
2 -- Bloomberg's DDE system seems not to work with OO (not that it's particularly efficient in Excel either). Is that OO's fault or Bloomberg's?
Whence? Hence. Whither? Thither.
It seems amazing to me that there are so many very critical flaws in Microsoft products. If someone else can find the flaws, why didn't Microsoft?
I've heard that Microsoft is managed in such a way that programmers don't have time to finish their work. I know that Microsoft makes more money if there are more flaws, because users can be expected to upgrade.
However, it seems that there are too many bugs for that to be the whole explanation.
So, why, year after year, has Microsoft been at the top of the vulnerabilities list? I don't accept the argument that "software is complex, and always has bugs." There are people who know how to write complex software that is secure. Microsoft could certainly hire such people. If the company wanted to have software that was relatively free of vulnerabilities, it could.
The argument that Microsoft vulnerabilities get more attention doesn't seem adequate to me to explain the huge number of very severe bugs.
But, what is the explanation?
Is it somehow considered "unfair" to use these tools? Does MS already know of the flaws found by these tools and has just chosen not to fix them? Do the OO.org people run these tools against the OO.org suite?
From a practical point of view, these tools just seem like regression tests. Tests that we all know we should run, but few take the time to do so. And as software developers, not running regression tests really puts the responsibility for the flaws in the developers' lap, not QA or the user.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Your experiences make you a lucky fellow. I do 3rd-party corporate IT, so unlike you I _do_ have hundreds of users without changing jobs.
While some of my customers are exactly the casual users that you describe, who don't really "need" Office, there's more at stake than you're really seeing. First, users and businesses evolve. Sally the Secretary might not actually need Word right now, but if she develops a need for Word at any point during the life-cycle of the computer she uses, there's going to be a problem. That problem: OEM software is cheaper than retail and only purchasable with hardware. Ooops. Okay, how about Volume Licensing? Sure, that's do-able, but there's a minimum number of licenses that have to be bought at once to qualify to open a VL account, which only lasts TWO YEARS. It's often -- not always -- a good idea to set up the PC with the functionality it's likely to acquire during its life cycle on day 0.
Next, all it takes is one feature not present in "the industry standard", a.k.a. MS Office, to throw into fairly severe scrutiny any advice to use an alternate product, free or not. Want to know how many tool-and-mold programs that render cutter-paths link to Excel? Excel. Not "something functionally equivalent to Excel." Want to know how many insurance industry programs that do either client-management or quote-generation link to Word or Outlook? Not "something functionally equivalent to Word or Outlook." It's common. Not universal, but common. And again, if you implement something "nonstandard" on day 0 and have to come back later to retrain and rework even a small department, it's easy for accounting departments (the guys who often link their software to Excel or Access) to wonder why things weren't just done "right" in the first place. You're the IT guy. You should've seen this coming.
The point that I'm trying to make here is that there's a reason why I have been unable to recommend Firefox (for instance) to even a single customer, despite being firmly addicted and a True Believer. One site that doesn't render "right" or even "the same" and my recommendation becomes suspect. One call to the support desk at whatever-business-partner-whose-site-doesn't-SEEM-to-be-working-right and they throw up their hands in the air saying "oh, Firefox...? We don't support that." One reluctant business-owner who can barely turn his computer on who wants to know why everyone else gets something different.
It's hard. It's very hard in a LOT of cases to recommend anything other than MS' products. And that's the ugly truth.
"Oh no... he found the