OpenOffice.org Security 'Insufficient'
InfoWorldMike writes "IDG News Service's Robert McMillan reports that researchers at French Ministry of Defense say vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version. With Microsoft's Office suite now being targeted by hackers, researchers at the French Ministry of Defense say users of the OpenOffice.org software may be at even greater risk from computer viruses. "The general security of OpenOffice is insufficient," the researchers wrote in a paper entitled In-depth analysis of the viral threats with OpenOffice.org documents. "This suite is up to now still vulnerable to many potential malware attacks," they wrote. The OpenOffice.org team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software. "The one real flaw in the programming logic has been fixed," said Louis Suarez-Potts, an OpenOffice.org community manager. "The others are theoretical.""
It is disappointing to see a free software project dismissing threats as "theoretical". Today's "theoretical" vulnerabilities are tomorrow's exploits. Worse, the article hints that these threats are fundamental design flaws - the developers should be working to fix these and not issuing PR speak to cover them.
If someone finds a bug or flaw, it doesn't take someone else very long to fix it. Now when it comes to corporations, they have to wait to bill you for the next release, and you pay it too because the fix of bugs alone justifies buying the new version.
which should I use, hmmmm...
Microsoft's Office Suite IS being attacked.
OpenOffice could, possibly, theoretically, be attacked.
They may find the security of OpenOffice to be insufficient. Their grounds for the finding seem rather questionable to me, given the theoretical nature of said flaws, and the very realized nature of Office security flaws.
I for one find the security of MS Windows as a whole to be insufficient. Quite clearly the only way to achieve a sufficient level of security is to use a patched BSD kernel, and use Vi or Ed for all editing tasks instead of MS Word, OpenOffice, or other similar GUI application.
In many ways, integrated GUI applications have ineffective security compared to segregated command line applications. When you type a command into a computer, you can be a lot clearer as to what the computer will do.
You separate viewing some text from viewing a picture, etc.
This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed.
The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw exists or use the DMCA to sue the people who disclose the problems.
Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office.
Signatures are a waste of bandwi (buffering...)
...that OpenOffice has security flaws.
The Good News is that in the time it takes the suite to open and load an infected document the malicious hacker has been captured by the FBI, brought to trial, convicted, and a patch made available.
I'm assuming that the vast majority of these alleged vulnerabilities came about as a result of them examining the source code. Since Microsoft Office is closed source, it may have just as many potential exploits or more. The difference is OO.o's vulnerabilities are known and thus can be guarded against or even patched by a third party. MS Office's potential exploits are unknown and thus may be released as zero-day exploits, and even when they are known we're at the mercy of MS to release a timely and effective patch.
I fail to see how this is a black mark against OpenOffice.org.
The statement that "the others [vulnerabilities] are theoretical" reminds me of the slogan that L0pht used to have at the top of their web site:
"That vulnerability is completely theoretical." -- Microsoft
L0pht: Making the theoretical practical since 1993.
Not that I don't greatly prefer OpenOffice and open source in general over Microsoft, but in order to remain better than Microsoft, open source can't afford to become complacent like Microsoft.
OpenOffice.org is FREE! FREE I tell you! Given the choice between a known-to-be-vulnerable $200 suite and a hypothetically-vulnerable Freeware suite, I'll take the latter. The day I discovered OO still ranks in the top 10 of my favorite computing moments of my life.
the mods may say you posted flamebait, but to me it's a flame that warms my heart. rock on, brother! --chebucto
On the one hand, we have an office suite (MS Office) that's presently under heavy attack by hackers, and on the other, we have one (OpenOffice) that MAY be attacked, that has already addressed one of the discovered weaknesses and will probably address the others ASAP. OpenOffice is a greater security risk? Maybe in Upside-Down Land.
in talking about what os/office suite/browser/... has the most bugs. Just report them to the programmers so they can fix them. I mean, this is an open source project. I'm sure they care about critical security bugs...
If a company/project takes 2 years average to fix a bug, that's a problem, but hey - stop spreading blame and start spreading bug reports. That's far more productive.
I don't either. But you know that if MS (or its shills) can make it appear so, they will.
True. Guess the same applies to Abiword. But who will write an Abiword worm?
From: sballmer@microsoft.com
To: accounting@microsoft.com
Attached find my receipts for the recent meetings I had with the French Ministry of Defense:
First class plane ticket to Paris: 2100 USD
Swank hotel in Paris: 1800 USD
Dinner for 2 at a spiffy restaurant: 800 USD
Hookers and blow for MoD officials: 5000 USD
Business Justification For Expense: I believe that we will sell ONE MILLION copies of Office to the French MoD.
--Steve
PS If you get a bill from the hotel about a broken chair, it was like that when I got the room, so I don't think we should pay it. Bill said it would be OK.
This is the MINISTRY OF DEFENSE where draconian access control and accounting should be routine.
It's very difficult to go from that environment back to the real world where security is measured by successfully implementing long passwords in a company.
Making the inductive(?) leap that OpenOffice.org is insecure is a really long leap of faith. Are there holes? Probably.
In many ways, this is good news because the open source application is being picked over with a fine tooth comb by a large ministry.
Bring it on!
... is that France has a Ministry of Defense.
My understanding is that a lot of the security problems in MS Office comes from bad design wrt things like macros which make it very hard to secure the system. If OpenOffice is working towards compatibility with MS Office they may be having to deal with the same types of security issues in trying to secure bad macros and such. Thus it makes sense that OpenOffice would be just as, or even more, insecure than OpenOffice, not only do they have many of the same classes of exploits, but they also have greater pressure to rush these features out (for compatibility reasons) and up till now haven't had the motivation of attackers actively exploiting them to force them to spend the necessary time on security.
I always turn off any live macro support in OpenOffice.org and Microsoft Word, and hope that is good enough security. I also tend to open Word .doc files I receive from other people in OpenOffice.org.
:-)
Well, be careful of Other People's Documents (OPDs)!
A little off topic, but I have been blogging about this lately: whether I am writing up short project documents or working on a for-fun book project (Ruby AI Programming), I find that just using LaTeX is much more productive for me. One reason is just seeing raw text (with a little markup) seems less distracting. Also, I find LaTeX easier to automate for stuff like running external commands and including the output, auto-insert of external files using custom listing styles for programs and for program output, etc. This is great when writing about programming - tweak the code examples, and the next time you run LaTeX on the main document, the new code versions and new output are included. Sweet. The "overhead" for writing is reduced, giving me more time to post on Slashdot
I think that the flaw they are talking about is CVE-2006-2198, which was fixed in OOo-2.0.3. It was pretty nasty: it executes an arbitrary macro without alerting or prompting the user. However, given that the mistake was already found and fixed, what else does the French Ministry of Defence have to complain about?
From the summary: ...vulnerabilities with open source office suite OpenOffice.org may rival those of Microsoft's version
Microsoft has a version of OpenOffice? Isn't OpenOffice's closed version StarOffice, which is owned by Sun, not MS?
Installation of an offensive C function in the DicOOo macro.
The C function is executed when DicOOo is installed.
"DicOOo" is an installer for dictionaries into OpenOffice. Unfortunately, it seems to have too much power, and can be replaced or induced to install other things. This is an add-on to OpenOffice, and apparently an unsafe one.
a decade or more, at least.
How about we stop writing word processors and spreadsheets that are capable of running code (other than its own)?
I remember back when I was big on a certain usenet news group, we had a discussion about an email virus. The claim was, when you opened the email (don't recall the name off hand), it would do all sorts of nasty things to your computer, and possibly to your girlfriend/wife/sister/etc. The entire thing was a hoax that preyed on ignorant computer users, and urged them to spread the word.
My argument at the time was basically that an email client could not, or should not execute the text within the email itself, and any client that did, shouldn't be used.
Now I use Outlook on a daily basis, and guess what?
So, let's take a step back to simpler, less efficient applications. Get rid of what causes the vulnerabilities in the first place.
How secure is MS software that responds to vulnerability discoveries by ignoring them or lying about them, fixing them after months or even several versions (years) later? Because users have to rely on MS to fix them.
Compared to OO.o, which anyone can fix, even the French government itself, but which does fix bugs quickly.
It doesn't have a sales staff that can kiss a minister's ass.
"This sounds like a strength of the open source model. Many eyes can include security auditors too. The weaknesses get reported and fixed."
This seems to be the call of the open source zealot, but it is not reality. 99% of the people using Open Office are users. The other 1% contain people that might have the ability to look at it, but may not have the time or patience.
I have been involved with many open source projects over the past couple of years and it usually ends up like this:
1) someone emails a bug to the main programming team
2) someone on the programming team (when they have time..since it is a volunteer position) will look through the code and make the changes
3) rinse and repeat
Proprietary apps actually seem to be better in this respect because at least the main programming team is usually working on it full time and can implement changes in a timely fashion (because they aren't working other jobs). In bigger corporations, this does not always happen because of corporate BS.
"Chalk this up as a win for the open source model... at least for large high visibility projects like Open Office."
Not really. Many proprietary apps still have people that can and do find flaws (much in the same way they find them in open source apps. Sure, the source code helps, but I would imagine it's easy for many of the security experts to test it from the outside).
"The closed source model doesn't offer the same level of opportunity to find flaws. Even when people do find flaws in closed source products the publishers are as likely to bury the report, deny the flaw it exists or use DMCA to sue the people who disclose the problems"
so why did the people at openoffice.org pass many of the flaws off as theoretical?
Not so. A fundamental design problem isn't fixed by a patch. I suppose you can guard against it, in the sense of "never open a document from anybody you don't trust". Of course, if that advice were offered as a solution to similar problems with a MSFT product, the person offering it would rightly be laughed out of the room. That's because you appear to lack critical thinking skills.
I fail to see how this is a black mark against OpenOffice.org
I don't think that's (necessarily) the point. Whatever MS does about their Office security flaws does not really concern me any longer. There's almost nothing that could ever make me use MS Office again. But so what. The point isn't which suite is better, the point is: OpenOffice.org still has flaws, and those should be fixed. In this context the statement "The [other flaws] are theoretical" does not make me feel good. I want even theoretical flaws to be taken seriously, so they won't become real ones ever, if possible to avoid. I just hope the OO.o team does not concentrate too much on having the better PR, but also on having a good product.
Disclaimer: I don't have the slightest clue about OOo security in general, and the "theoretical" flaws in particular, so possible they may in fact be nothing to worry about. If you convince me this is the case, or I'm just mis-interpreting the quote, I'll happily shut up.
... is that when they do have a security 'fix', they force you to update by downloading the entire suite... they don't have differential patches. I personally get sick and tired of having to download around 100 MBytes of app, uninstall the original, and re-install the new. Granted on my Linux box the package updater will do all three, but the updater takes forever to download the files. Quite frankly it is a pain in the ass. Sometimes I delay installing an update because of it (sometimes quite a while). Other than OO, I really am pretty diligent about updating my systems, so I can imagine there are those who just won't bother updating OO at all. I would think this is especially true for those who are still on dial-up where a 100 meg download can take many, many hours.
In my opinion, if they want to say they get fixes out quickly, I can call bullshit. Just because you have the code complete doesn't mean the fix is complete. It still needs to be distributed to all the installations. If this is not done because the process is so onerous, then you can't say the fix is released faster than M$. As much as I dislike monopolies, they do make the update process a lot less painful.
That said, it is a pretty decent office suite.
Again we have this inconsistent naming structure, where two different programs have the same name. See it all the time, like "firefox has this new bug" etc when a lot of the times it is only really a problem when it is a microsoft windows brand firefox. A windows product is a proxy MS product, whether someone else besides MS develops it or not or what they charge for it or what license it is developed under. Now the same with open office. I REALLY wish these projects would pick entirely different names for their software to distinguish an MS proxy product or not. Please distinguish between your "helping out poor old penniless Microsoft" efforts in developing software for them, and "the other". It's time, way past time, to be a little more accurate here. And if you can't come up with different names, throw it out to the community of users, get some suggestions, then vote on it.
Great. A government agency sees enough potential in OO.org to spend a probably not insignificant amount of time and money on analysing the code, and what is the reaction around here? Finger pointing. "But MS Office is at least just as bad, yadda yadda yadda".
How constructive. When you were a child and you came back from school with your less-than-stellar marks, did you point at your retarded little cousin and yell "but Bob's marks are even worse"?
Either refute their points if they are wrong, or suck it up like a man, use the money already spent for the betterment of the project and get your shit together and clean up the mess.
And yes, I know that the people whining around here are probably not the same spending their time coding on OO. Still, this attitude pisses me off.
Consider the Source -- The French. Need I say more?
1) Click Tools menu.
2) Click Options.
3) On the left side, click the Security category.
4) Under "OpenOffice.org Basic Script", set "Run macro" to "Never".
5) Under "Hyperlinks", set "Open hyperlinks" to "Never".
6) Under "Java", untick "Enable".
7) Under "Enable", untick "Plug-ins" and untick "Applets".
8) Click OK.
OpenOffice.org will now be configured for best security. Some functionality will not be available. Depending upon your system, you may need to repeat these steps for each user account.
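Since the steps above may have to be repeated per user account, here is an added example (not code from the thread or from the OpenOffice.org project) that audits several user profiles at once for the macro setting. It assumes the setting is stored in each profile's registrymodifications.xcu under the path /org.openoffice.Office.Common/Security/Scripting as the property MacroSecurityLevel, with 3 meaning "Very High" (the closest equivalent of "Run macro: Never"); check those assumptions against your installed version.

```python
# Added example: audit per-user OpenOffice.org/LibreOffice profiles for the
# macro security level. Not from the thread or the project.
#
# ASSUMPTIONS (verify against your installed version before relying on this):
#  - the user setting is stored in registrymodifications.xcu;
#  - it sits under oor:path "/org.openoffice.Office.Common/Security/Scripting"
#    as property "MacroSecurityLevel";
#  - level 3 corresponds to "Very High", the closest equivalent of "Run macro: Never".
import xml.etree.ElementTree as ET

OOR_NS = "http://openoffice.org/2001/registry"
SCRIPTING_PATH = "/org.openoffice.Office.Common/Security/Scripting"  # assumed
LEVEL_PROP = "MacroSecurityLevel"                                    # assumed
REQUIRED_LEVEL = 3                                                   # assumed "Very High"
LEVEL_NAMES = {0: "Low", 1: "Medium", 2: "High", 3: "Very High"}     # assumed mapping


def macro_security_level(xcu_text):
    """Return the integer MacroSecurityLevel found in an .xcu document, or None if unset."""
    root = ET.fromstring(xcu_text)
    for item in root.iter("item"):
        if item.get("{%s}path" % OOR_NS) != SCRIPTING_PATH:
            continue
        for prop in item.iter("prop"):
            if prop.get("{%s}name" % OOR_NS) != LEVEL_PROP:
                continue
            value = prop.find("value")
            if value is not None and value.text and value.text.strip().isdigit():
                return int(value.text.strip())
    return None


def audit_profiles(profiles):
    """profiles maps an account name to the text of its registrymodifications.xcu.

    Returns a list of (account, level, compliant) tuples. A missing setting is
    treated as non-compliant: the account is then on whatever default the build ships.
    """
    report = []
    for account, xcu_text in profiles.items():
        level = macro_security_level(xcu_text)
        compliant = level is not None and level >= REQUIRED_LEVEL
        report.append((account, level, compliant))
    return report


def _xcu(level_value):
    # Builds a constructed registrymodifications.xcu document for the demo;
    # with level_value None the scripting item is simply absent.
    body = ""
    if level_value is not None:
        body = ('<item oor:path="%s"><prop oor:name="%s" oor:op="fuse">'
                '<value>%s</value></prop></item>' % (SCRIPTING_PATH, LEVEL_PROP, level_value))
    return ('<oor:items xmlns:oor="%s">%s</oor:items>' % (OOR_NS, body))


# Constructed sample profiles, one per local account.
SAMPLE_PROFILES = {
    "alice": _xcu(3),            # hardened as in the steps above
    "bob": _xcu(1),              # "Medium": macros prompt the user
    "service-acct": _xcu(None),  # never touched, still on the shipped default
}


if __name__ == "__main__":
    for account, level, ok in audit_profiles(SAMPLE_PROFILES):
        name = LEVEL_NAMES.get(level, "unknown") if level is not None else "unset"
        print("%-14s level=%s (%s) %s" % (account, level, name,
                                          "OK" if ok else "NEEDS HARDENING"))
```

To run it against real profiles, read each account's registrymodifications.xcu into the dictionary in place of the constructed samples.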
While I agree that the attitude that open source fixes all vulnerabilities is blasé, your statement is also a bit too broad. Secure projects are generally those that have been engineered to be secure from start to finish. Apache is quite secure, and OpenBSD sets the bar there. This is because these projects are carefully designed and managed for security. MS Office's general insecurity comes from its incredibly ugly code base - apparently it is just a mess in there - which is due to the product having been munged together by acquisition rather than engineered from scratch. Sadly, OpenOffice appears to have nearly the same problem - the original code base was very ugly, and while some cleanup has been done, there has been no general design process to ensure that problems are fixed at a broad level rather than an individual one. So there's very likely a lot of merit to MoD's claims.
Application security will always be a problem, both in terms of modifying or misusing the OS, and in terms of wrecking users' data. The former can and will be mitigated by better sandboxing (e.g. some sort of Zones or virtual machine approach for each app), while continuous backups and shadow copies may help the latter. I suspect you'll see security evolve in two ways - one, it will take on much more importance, but two, it will also move towards the "plan for flaws and keep things working" approach you hear Amazon, Google and others adopt these days. If OOo can move towards that model, it will continue to be a fine alternative, but that requires somebody rescuing it from its enduring stepchild status. Time will tell whether that turns out to happen.
In an amazing echo of the open source community's criticisms of Micro$loth for the past ten+ years, people ditching Open Office were noted as saying "it's too bad they didn't bother writing it securely the first time".
Damn, mods have no sense of humor. Libre Fries? Come on, its hilarious.
Funny, I've heard that advice many times and never any laughing. This is the kind of advice you follow for everything when working in windows. Don't open a document from someone you don't trust, don't go to a website you don't trust, don't open an attachment from someone you don't trust (you even have to be careful opening attachments from people you DO trust)
In fact if anyone's being laughed out of the room for this advice it's because everyone with any common sense has been following this advice since the first computer ever connected itself to the Internet.
being vague is almost as cool as doing that other thing...
It's a bit like comparing apples and oranges
unless you're running openoffice as root it doesn't really matter anyway
as an exploit would only be able to access files that the user has access to due to the way Security works within the Linux kernel
and typically the user won't have access to any system files by default that would allow spyware etc to be installed
At most a hacker may be able to access files in the home drive but that's about it
windows / MS Office on the other hand everything runs at the same level
and any Security within the Windows OS / Kernel is easy to circumvent
My sister's fiance is a total Microsoft zealot. He loves that Windows. He told me about some exciting things about Microsoft Office 2007 or something like that. He tells me about these APIs that you can do all this crazy stuff with. In my mind I wonder why an office suite is supposed to do all that stuff... thinking if it's an office suite it really should do the office functions, and not anything else.
Those APIs may be one reason why Office is insecure.
OO.o wouldn't try this. They would stick to the UNIX philosophy that each utility should do only one thing, but do it well.
Well, considering that a higher proportion of the users of OSS will contribute fixes and bug reports than the equivalent for proprietary software, it doesn't matter as much if fewer of the main programming team are always available. Also, companies that are worried can fix security threats internally and submit the changes back. I'm not a major OSS developer but I've contributed many bug reports to GNOME and some to the linux kernel, and they've all been fixed. I have submitted some usability improvements in patch form too, which can't be done with proprietary stuff. Sure I'm only one person, but if you get even a tiny proportion of the users of a popular piece of software willing to get messy with the code, then it's a positive thing.
The problem I find with most proprietary apps isn't the development model as such, but there's rarely a clear place to forward suggestions and bug reports. For Microsoft software you get the crasher bug reporting with their "Send error report" thing, but there are far many more types of bug that you can submit to bugzilla on most projects (Crasher, usability, suggestion, glitch, etc.). I have seen some Microsoft projects with places to send reports and suggestions, as I have other proprietary stuff, it's just that it usually much less polished if it exists at all.
The French have every right to be paranoid about invaders.
Right... as compared to closed source, where 0% have the capability of auditing the source code.
Of course, things aren't as black and white as either of our initial comments make things seem. The edge is a bit blurred these days as even Microsoft does have a 'shared source' initiative to allow some interested parties to have a look and those just happen to be some of the most likely ones to actually be motivated and qualified to find and implement fixes. However, openness as the default stance does seem to make a lot more sense because even one's critics can look at the code and make an assessment.
That sounds a lot like the proprietary model except that the 'when they have time' gets replaced with 'if they get budget approval'. I've worked on proprietary software and know, first hand, that development costs are usually dwarfed by customer support costs. In many projects, bugs only get fixed if there's a good business case for the fix.
Either way, resources have to be available, but they can come from outside of the core organization in the case of open source projects. If some customer thinks something is important enough for them, they can always go out and fix themselves. With a commercial program if they aren't a big enough account to make a ripple at headquarters, then it'll never get fixed unless it happens to pop up on the radar of someone more important. Sure, companies that will do this are few and far between, but at least they do have the option. Heaven help them if they decide that they like the legacy version that they've been using for years and haven't ponied up for the forced upgrade to the latest and greatest or even worse, if the company has gone bankrupt and the software is no longer available. At least with source they have a fighting chance.
One of the biggest factors in all of this is the size of the projects. Small open source projects tend to be fairly poorly supported, not as a rule, but in general. Small proprietary programs often have very little support at all and tend to be discontinued. Large, sexy, open source projects get a lot of visibility and tend to benefit from lots of participation and feedback. Large, profitable, proprietary projects tend to have enough paying customers who complain about enough bugs that there's some pressure to get them fixed. Counter examples of all four cases abound, but in general... size matters.
So, perhaps arguments about open vs. closed are really about secondary effects rather than the primary effects.
Sure, SOME proprietary software makes SOME of their code available to A FEW reviewers, but as I wrote above, open by default means that even unexpected sources are capable of performing audits and contributing code.
Then nobody in the world had any common sense 15 years ago, including you. Or are you now going to claim that you never opened any document (note that I did not write "executed a program") from an untrusted source? If so, you are either an incredible exception or an outright liar. In fact, I'll bet you open documents (PDFs, images, movies) from untrusted sources regularly today.
"Much as I enjoy watching gcc messages fly past, that is not a credible solution in an enterprise environment."
Ok, I'm going to call you on this...
Just exactly how do you define "enterprise environment"? If by "enterprise environment" you are talking server farms, gentoo is already on quite a few. If you are talking desktops, again, it is on quite a few and can be installed (if that is a measure) in under 20 minutes (GRP).
I installed Gentoo in 2000. That was the first time as well as the last time I installed the OS. Yet I can assure you that everything is up to date and some of it is bleeding edge. Do you consider having to reinstall the OS every time the distro revs a "credible solution for the enterprise environment"? I sure don't especially when it is so easy to stay on top of updates as they are released instead of as they are packaged.
problem spots you ought to address. These may be areas that need some additional checking etc. but they are not yet practical exploits. They may however be whole classes of exploits in the future.
One can never get rid of all theoretical exploits. What one can do is prevent them from being practical to exploit in general by adding additional checks and countermeasures.
Someone finds something wrong with something other than Microsoft. =P Seems like it's always Microsoft we're bashing.
"Well, considering that a higher proportion of the users of OSS will contribute fixes and bug reports than the equivalent for proprietary software."
This was my point: Even though the source is available, you don't really get that many more (if any or helpful) eyes looking for security issues.
"Right... as compared to closed source, where 0% have the capability of auditing the source code."
You missed my point. Even though the source code is available, you don't get more people auditing your code. So what is the benefit?
"That sounds a lot like the proprietary model except that the 'when they have time' gets replaced with 'if they get budget approval'. I've worked on proprietary software and know, first hand, that development costs are usually dwarfed by customer support costs. In many projects, bugs only get fixed if there's a good business case for the fix."
Profit is a good motive to get things done. If company X doesn't get feature Y, they might not make a profit this year. With OSS, people only work on things they feel like working on, and the result is a never completed project (or 10X the time it should take) or some things just don't get fixed/added.
With a commercial program if they aren't a big enough account to make a ripple at headquarters, then it'll never get fixed unless it happens to pop up on the radar of someone more important
If they aren't getting the support they need/want, they can go to competitor. It happens every day.
Can intra-office communication not be done via RTF?
It easily could - but that's beside the point. The fact that you can run "virus-free" software on Windows does not preclude you from (inadvertently) running something virus-infected.
You may do all your company internal documents in RTF even in MS Office - but if one of the company secretaries opens up a document sent by an outside source (maybe a seemingly legitimate one), which DOES contain a virus, your system's security is still screwed. Your RTFs might not get infected - but who knows what else the virus might do (e.g. send all documents in your "recent documents" to the attacker -- good chance of snatching some more important documents there...)
That office suites always will have security flaws as long as they are feature driven (which is what the current user seems to like). Almost any piece of software that is driven by features and functionality becomes unreliable and insecure in time.
Can we stop complaining about MS Office now? Can we all get back to reality and go to work?
Consider the source... ah, ok, let's look at your blog, dude: ... Please, would someone responsible down-mod this racist prick?
Need you say anything at all about the French? I just love pseudo-intellectuals
Read this: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openoffice
Note that 2.0.3 fixes (at least) 3 flaws, one of which involves a buffer overflow that happens when you open any kind of openoffice document: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-the-openoffice-suite/
Now, this doesn't mean OpenOffice security is bad, or that it's good, it just means that OpenOffice is subject to exactly the same kinds of security issues that happen whenever a complex app parses a complex data format. To pretend that it's somehow magically immune to this class of problem because of open source pixie dust is utter rubbish. Read the code.
Now don't get me wrong. I *only* use OO for home use (MSO is required for office work), but it would be an incredibly bad assumption that OO has fewer exploits than MSO. It's simply that the bad guys have bigger fish to fry. OO is a teeny target compared to MSO but as more and more businesses and governments start to use it, that situation will change. OO has many of the same flaws as MSO including macro scripting, so it seems likely that sooner or later someone might produce something bad that works through it. It's not the scripting that worries me, but what objects are visible through the scripting, the sandbox model and whether scripting should be an all or nothing affair. For example, should a script have unfettered ability to do what it likes with any available class or should it be restricted to a subset? Does OO allow you to import any dangerous packages into a BeanShell script, or restrict you to safe and security audited ones?
Why does MS Office have all these fancy features that only a few people use, yet they open up a world of vulnerabilities? I use MS Excel to write a spreadsheet with some basic formulas, and MS Word to write documents that I could just as easily have written in WordPad (minus the spell check). Turn off macros by default, and have a generic "you're running a macro and this is unsafe" popup (which I believe they already do). If the user clicks yes unwittingly, then they're probably too stupid to read the dialog asking them about the signature, and they're screwed anyhow.
Of course I have. I do this at my own risk. Yes the risk is low, but it's there (remember the WMF exploit doing the rounds). Let's not mention all the picture.jpeg.exe files. Obviously if you know something about computers most of these problems can be easily avoided, but for many it's difficult. As for word documents, I have never opened one from an untrusted source, and if a trusted source sends me one I always ensure that it's actually them sending it. It's basic common sense and I am definitely NOT an incredible exception.
I'm not saying this kind of caution is necessary for every type of document, I commonly view images, movies and sometimes pdfs from sources that I cannot validate the trust of (otherwise I would never get anything done). But for Office documents I never have and barring some incredible security innovation that makes it unnecessary, I never will. Hell it's bad enough just visiting an untrustworthy site in IE let alone actually downloading a file from it nowadays.
To be honest, I've never really had a situation where I absolutely NEEDED to view a word doc at a site I was visiting (except at uni to look at assignment specifications). In many cases I believe google has a "view as html" feature which is quite handy...
France bashing - the acceptable face of racism on Slashdot.
Seriously, is it acceptable to make similar jokes about Israelis?
Successful FUD attack against an emerging competitor ... priceless
Including executable code (or macros or whatever) in a file that the users think of as simple data is ALWAYS a security mistake. Even emacs used to allow automatically executable macros in data files, but that feature was turned off by default long long ago, because of its nasty security implications.
Shortly after the first PostScript printer appeared, files that contained bad Postscript appeared that were designed to attack the original Apple LaserWriter.
Just because OpenOffice.org is an open source product doesn't mean that repeating the mistakes that Microsoft made in Office won't be just as bad in OpenOffice.org.
Javascript in Firefox can lead to security problems. Macros in OpenOffice.org can lead to security problems. Executable content in anything can lead to security problems.
Unfortunately, Microsoft does NOT have a monopoly on bad security decisions.