Slashdot Mirror


MS Office Zero-Day Under Attack

paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."

172 comments

  1. How old are you? by HomelessInLaJolla · · Score: 5, Funny

    Dear Exploit,

    How old are you? How long have you been available in the wild? How long did your brother exist in SP1 before you came along in SP2? Do you have a cousin which works in Win98/SE? How long have corporate managers been using you to spy on their employees?

    Signed,

    Secret Admirer

    --
    the NPG electrode was replaced with carbon blac
    1. Re:How old are you? by hebertrich · · Score: 1

      Sounds more like some guy that's been using it
      as mentioned in his comment ... .... who knows ?

      MU HA HA HA HA HA HA HA

  2. When will people and businesses learn?! by Anonymous Coward · · Score: 2, Insightful

    How many more exploits will we need to encounter with Microsoft products before people realize that it's just not worth it to use such flawed software?

    I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.

    Of course, such expenditure could have been prevented in the first place were they using suitable office software. And that doesn't mean OpenOffice.org on Linux. There are many other alternatives, especially when using Mac OS X. Those alternatives can often exceed Microsoft's products in terms of quality, usability, features and security.

    1. Re:When will people and businesses learn?! by Anonymous Coward · · Score: 2, Funny

      Well, in Microsoft's defense, the next version of Windows is going to be even more secure! Stick with us, because we care, damn it! Honest! I swear!

      ... and if anyone disagrees, I will throw a chair at them to prove just how much we care!

      Signed,

      Ballmer

    2. Re:When will people and businesses learn?! by Technician · · Score: 3, Informative


      I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.


      At my place of employment (100% MS shop) they have had too many of these kinds of problems. As a solution, all attachments are filtered and removed. If it was an attachment we were expecting, then we could apply to receive the attachment unless it is an executable. To send an executable file (including MS documents) we are advised to send them as encrypted zip files.

      I don't expect this exploit of the week to be much of an issue for us Monday morning except for a couple road warriors who may have gotten it from home.

      --
      The truth shall set you free!
    3. Re:When will people and businesses learn?! by Joebert · · Score: 1

      Reminds me of a joke.

      What do *nix & hackers have in common ?
      They both hate Microsoft.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
    4. Re:When will people and businesses learn?! by Jessta · · Score: 3, Insightful

      You obviously aren't paying attention.
      There have been many security flaws reported for OpenOffice.

      The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.

      One of the great advantages of Gentoo (and other source-based package management) is that you can leave out functionality in a program that you're not going to use. This means less code that can be exploited.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
    5. Re:When will people and businesses learn?! by SkyDude · · Score: 1

      There are many other alternatives, especially when using Mac OS X. Those alternatives can often exceed Microsoft's products in terms of quality, usability, features and security.

      Corporations are the customers that drive Microsoft to make the products that they do, because a few big businesses result in hundreds of thousands of licenses. Corporations are notoriously slow to change. Remember the old adage - no one ever got fired for buying IBM. They may have not been the best, but they were the biggest and most stable and that's what big corps like.
      --
      == First cross river, then insult alligator.
    6. Re:When will people and businesses learn?! by Anonymous Coward · · Score: 0

      How many more posts will it take before idiotic comments like the OP stop? The problem is not just a MS one, as you would see if you bothered to check the vulnerabilities in other office suites or OS's. Today's software is incredibly complex and hence has a lot of ways it can be made vulnerable. You attack MS when, if you look around, you will find they may be the most public offender but they are by no means the worst.

    7. Re:When will people and businesses learn?! by LeDopore · · Score: 3, Insightful

      Serious question: "How many gentoo users actually DO hand pick the features they compile?" My guess is that:

      1 It might be hard to know what you can safely leave out of a compile and not break anything
      2 It's difficult to foresee every function you are going to want in a program at compile-time, even if you're familiar with it
      3 There are so many programs on a typical Linux box that to hand-choose modules for them all would take ages.

      I guess in some environments (like cash register systems) you're doing only one thing and you want many identical machines, so it's possible to trim a bit more. However, for my desktop needs, selecting exactly the features I want wouldn't work for the above 3 reasons.

      --
      Expected time to finish is 1 hour and 60 minutes.
    8. Re:When will people and businesses learn?! by Jessta · · Score: 1

      That is true. The php ebuild has a scary number of use flags.
      I guess that's a problem that needs solving.
      A nice module loader, like in the linux kernel would be nice but having it automatically load required modules wouldn't solve the problem. So users would need to know what modules they needed loaded.

      I'm still amazed at the size and complexity of office related programs.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
    9. Re:When will people and businesses learn?! by rahrens · · Score: 1

      The Agency I work for filters and blocks .zip files, too. They have proven to contain harmful executables in past malware attacks, too.

      --
      "Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
    10. Re:When will people and businesses learn?! by Anonymous Coward · · Score: 0

      > There have been many security flaws reported for OpenOffice.

      > The problem is not Microsoft specific.

      Most of the OOo problems seem to occur only on the Windows versions and seem to be because OOo is using MS APIs and functions.

      For example there was a vulnerability when using WMF files, and there are problems with other programs using WMF too.

      So, yes, the problems are mainly Microsoft specific.

    11. Re:When will people and businesses learn?! by Beer_Smurf · · Score: 3, Funny

      We use a system that is so hosed that we smash every computer with a hammer before it comes in the door.
      Great.

    12. Re:When will people and businesses learn?! by Technician · · Score: 1

      The Agency I work for filters and blocks .zip files, too. They have proven to contain harmful executables in past malware attacks, too.

      I wasn't very clear.. We filter ALL attachments including zip files. Un-encrypted is deleted. Encrypted is held and can be requested if you were expecting it.

      We know about the short note telling you how to use this password to decrypt the attached encrypted zip. It was a hack to get past filters. It is still a way to get past filters, but with the additional step of confirming you were expecting the zip attachment. An unexpected zip is not delivered.

      --
      The truth shall set you free!
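
The hold-or-delete policy Technician describes in the comment above, as an added sketch that is not part of the thread or of any mail product's code. The function names, the verdict fields and the sample attachments are assumptions constructed for illustration; the sample "encrypted" zips only have the encryption flag set, which is the one thing the filter reads.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy Office container (.xls, .doc, .ppt)
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag field


def sniff(data: bytes) -> str:
    """Label content by its leading bytes, never by the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-office"
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "other"


def triage(name: str, data: bytes, recipient_confirmed: bool = False) -> dict:
    """Apply the policy: unencrypted is deleted, encrypted zip is held
    until the recipient confirms the attachment was expected."""
    kind = sniff(data)
    verdict = {"name": name, "kind": kind, "members": [], "action": "delete"}
    if kind != "zip":
        verdict["reason"] = "unencrypted attachment"
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        verdict["reason"] = "malformed zip"
        return verdict
    # Member names stay readable in the central directory of a conventionally
    # encrypted zip, so the hold queue can show them without the password.
    verdict["members"] = [i.filename for i in infos]
    if not infos or not all(i.flag_bits & ENCRYPTED_FLAG for i in infos):
        # A single cleartext member makes the whole archive "unencrypted".
        verdict["reason"] = "zip is empty or has unencrypted members"
        return verdict
    verdict["action"] = "release" if recipient_confirmed else "hold"
    verdict["reason"] = "encrypted zip"
    return verdict


def sample_zip(members: dict, flagged: int) -> bytes:
    """Constructed test input: a stored zip whose first `flagged` members
    carry the encryption flag (the payload itself is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member, body in members.items():
            zf.writestr(member, body)
    raw = bytearray(buf.getvalue())
    # Flag field sits at offset 6 in a local header, 8 in a central header.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = -4
        for _ in range(flagged):
            pos = raw.find(sig, pos + 4)
            raw[pos + off] |= ENCRYPTED_FLAG
    return bytes(raw)


if __name__ == "__main__":
    xls = OLE2_MAGIC + b"\x00" * 32  # constructed stand-in for an .xls file
    queue = [
        ("budget.xls", xls, False),
        ("budget.zip", sample_zip({"budget.xls": xls}, flagged=0), False),
        ("budget-enc.zip", sample_zip({"budget.xls": xls}, flagged=1), False),
        ("budget-enc.zip", sample_zip({"budget.xls": xls}, flagged=1), True),
        ("mixed.zip", sample_zip({"a.xls": xls, "b.txt": b"hi"}, flagged=1), True),
    ]
    for name, data, confirmed in queue:
        v = triage(name, data, confirmed)
        print(f"{v['name']:15} {v['kind']:12} {v['action']:8} {v['reason']}")
```

The mixed archive is deleted even when the recipient confirms it, because the check requires every member to be flagged as encrypted.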
    13. Re:When will people and businesses learn?! by LiquidFire_HK · · Score: 1
      This is wandering offtopic, but nevertheless..

      1 It might be hard to know what you can safely leave out of a compile and not break anything
      Everything, that's why they're USE flags, they're optional. And if something requires something else built with a specific flag, it tells you so (it is an entirely different matter that the way of it telling you sucks)

      2 It's difficult to foresee every function you are going to want in a program at compile-time, even if you're familiar with it
      True, though USE flags have descriptions, and you can always recompile.

      3 There are so many programs on a typical Linux box that to hand-choose modules for them all would take ages.
      I fully agree. But that is exactly where USE flags come into play, since many of them are quite general. Don't want X? Disable flags like X, qt, gtk. Don't want sound? Disable alsa, oss, esd, arts, jack. Don't ever work with SVGs? -svg. Rarely do you have to actually hand-pick every single USE-flag, provided you've set sensible global ones.
    14. Re:When will people and businesses learn?! by Nasarius · · Score: 1

      To send an executable file (including MS documents) we are advised to send them as encrypted zip files.
      What the fuck? Why not just eliminate ALL these problems by requiring the use of PGP internally? Enigmail is absurdly easy to use, and I'm sure there are plugins even for Outlook.
      --
      LOAD "SIG",8,1
    15. Re:When will people and businesses learn?! by Espinas217 · · Score: 1

      That's what USE flags are for. You don't have to select every function of every ebuild. The idea is you set the flags with the functions you want in or out and then every time you install something with Portage it looks at your settings to include or exclude the relevant parts of the code. Of course some complex ebuilds have lots of flags and some specific ones too, but in the end it is a really nice system.

      --
      La vida no es una pastafrola. :wq
    16. Re:When will people and businesses learn?! by Fred_A · · Score: 1

      So you have to first send a postcard with the password and the hash to the zip file and then email the zip file ?

      I'm so glad I don't work with large corps any more. This is getting completely insane. The people I switched to FOSS desktops don't know how happy they ought to be...

      Reminds me of that Dilbert strip where the PHB sent some file to someone then instructed his secretary to fax a copy as well "in case he didn't read his mail" and then to snail mail a printout "so that he'd have a clean copy".

      --

      May contain traces of nut.
      Made from the freshest electrons.
    17. Re:When will people and businesses learn?! by ultranova · · Score: 1

      I'm still amazed at the size and complexity of office related programs.

      You shouldn't be, really. After all, it's perfectly logical. The number of features is a selling argument for a word processor that needs to compete not only against other products but also its own earlier versions. That's why the number of features - and thus complexity - can only ever grow.

      What I'd like to see is something completely different, a document making system that would cleanly separate content and presentation, a bit like LyX but with a nice graphical editor for creating and editing the document classes instead of having to manually edit (La)TeX files. That would be a truly remarkable improvement over the glorified typewriters we have today.

      For extra credits, make the presentation work like CSS in that you could use per-document internal templates or external ones, and integrate the whole thing so it works with CVS or similar version control system - it would be very nice to have different people working on the content of different chapters at the same time while the graphical designer works with the look of the document.

      And of course it should create good-quality PDF files. And have good-quality SVG import (although that is probably too much to ask for; better be thankful if basic paths will get imported in a somewhat recognizable form, at least according to my experience with various programs).

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    18. Re:When will people and businesses learn?! by rifter · · Score: 1

      The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.

      I never saw the point of allowing scripting within word processing documents, for instance. It violates the fundamental premise of separating code from data. It was bound to cause problems, it has, and it pretty much is only ever used to cause trouble in the first place, probably because there just isn't a legitimate use for it. Yet Microsoft insists on continuing to use it and expand the scriptability of their software and thus the points of entry for trouble, with no good to show for it.

    19. Re:When will people and businesses learn?! by Jessta · · Score: 1

      I never saw the point of allowing scripting within word processing documents
      It's about making MS Office a development platform, which to me sounds really expensive. At $700 AUD per user before you even start development, it's not very competitively priced.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
  3. what? by macadamia_harold · · Score: 5, Funny

    MS Office Zero-Day Under Attack

    *rereads headline* what?

    1. Re:what? by JoshJ · · Score: 3, Funny

      It's simple. Microsoft's "Zero-Day" product has been under attack by Offices. Probably for being so full of zeros. They need to fill in more of the 0's with 1's.

    2. Re:what? by HomelessInLaJolla · · Score: 1

      The zeroes and ones also need to be properly sorted. You may have your zeroes and ones for free but you'll have to pay someone (I'm homeless and available to start work tomorrow morning) to arrange them correctly.

      --
      the NPG electrode was replaced with carbon blac
    3. Re:what? by __aaclcg7560 · · Score: 0, Redundant

      Relax, it's part of Bill Gates' plan to prove that Windows Vista and Office are more secure than Mac OS X. Pay no attention to any alarmist reports put out by rabid Mac fanbois. Nothing to see here, please move along.

    4. Re:what? by jZnat · · Score: 1

      Well, it's redundant to say that because "zero-day" implies there are exploits in the wild already.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
  4. I open Excel files 1 day after I receive them by product+byproduct · · Score: 5, Funny

    to protect myself against 0-day attacks.

  5. because it's not that easy by Anonymous Coward · · Score: 0, Insightful

    businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.

    1. Re:because it's not that easy by grcumb · · Score: 2, Insightful

      businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.

      The moral of the story is: If everyone else jumped off a cliff, why yes, we would jump too.

      It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    2. Re:because it's not that easy by Anonymous Coward · · Score: 3, Insightful

      It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.

      You missed the moral, friend. The moral is that we value our ability to conduct business above our individual safety.

    3. Re:because it's not that easy by pallmall1 · · Score: 1

      businesses need to be able to share documents with their business partners and clients...
      Does that include sharing bank and credit card passwords, and social security numbers with spammers and phishers?
      --
      3 things about computers: they're alive, they're self-aware, and they hate your guts.
    4. Re:because it's not that easy by Anonymous Coward · · Score: 0

      The moral of the story is: If everyone else jumped off a cliff, why yes, we would jump too.
      The trick is to wait until everyone else has jumped so their bodies can cushion your fall. Metaphorically, I suppose this would be waiting for the first few big patches before purchasing the new product.
    5. Re:because it's not that easy by Anonymous Coward · · Score: 0, Insightful

      99% of the documents businesses need to share don't need to be edited. In fact it's better if they aren't. That's WHY we have PDF's.

      Now let's repeat for the mentally slow. .doc files are for editing. PDF's are for sharing.

      got it, good.

    6. Re:because it's not that easy by zcat_NZ · · Score: 4, Funny

      If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.

      --
      455fe10422ca29c4933f95052b792ab2
    7. Re:because it's not that easy by HomelessInLaJolla · · Score: 1

      Too bad. The world forgot plain text in favor of featureware a long time ago.

      --
      the NPG electrode was replaced with carbon blac
    8. Re:because it's not that easy by a_n_d_e_r_s · · Score: 1

      If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.

      ISO 26300 aka Open Document

      --
      Just saying it like it are.
    9. Re:because it's not that easy by Anonymous Coward · · Score: 0

      Exactly. I'm on OS X and if a client or contractor sends me a Microsoft file I nicely ask for a PDF document instead. I even send them a URL to a freeware Windows PDF printer. If they don't comply I simply send them a reply.... written with Pages 2, archived in .sit

    10. Re:because it's not that easy by zcat_NZ · · Score: 1

      ~~ swish ~~

      --
      455fe10422ca29c4933f95052b792ab2
    11. Re:because it's not that easy by c6gunner · · Score: 1

      We value conf.....listen stinkynuts, standards have nothing to do with conformity, and everything to do with making day-to-day life possible. If you "don't want to conform", fine, feel free. Wear a clown costume to work, cook your breakfast on top of your VCR, make up your own language, and fuel your car with lemonade. Me, I can maintain my individuality while still following common-sense standards.

    12. Re:because it's not that easy by grcumb · · Score: 1

      We value conf.....listen stinkynuts, standards have nothing to do with conformity, and everything to do with making day-to-day life possible.

      Precisely. And that's why I didn't say a word about standards.

      If, however, you accept that the de facto 'let's use this format because everyone else does' way of working constitutes a sufficiently complete definition of 'standard', and if you are going to claim that the risks, in terms of security, cost and flexibility, cannot be mitigated by mere virtue of the inertial force of this standard, then I can't come to any other conclusion than that you value conformity over your own (or in this case your company's) security.

      There are processes in place to determine and enforce workable standards in computing. Virtually none of those mechanisms is being used in the area of office documents.

      And lastly, stop sniffing my nuts.... 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    13. Re:because it's not that easy by ElephanTS · · Score: 1

      It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.

      Although you're exaggerating a little for effect you're right. However, conformity is essential for the coherence of societies and not necessarily 'unfortunate' all of the time. That point is well established in socio-biology. If you took away the very strong drives for conformity society would quickly collapse. Knowing this though, we have to be on guard for symptoms of group-think that are detrimental such as the virtual monopoly called 'Windows'. Actually, slashdot is full of groupthink itself which often annoys me.

      --
      spoonerize "magic trackpad"
    14. Re:because it's not that easy by Anonymous Coward · · Score: 0

      I'm on OS X and if a client or contractor sends me

      Most businesses can not afford or would not like to treat their client like that. They are your client because you work for them. Unless your business is "IT general awareness" or "Subtle OS agenda pushing", you are not providing them a very good service. Maybe you are from the bizarro world where the customers and clients do not come first or your clients have no choice to come your way because of prior arrangements and/or you are part of a much larger group that does not have the same feelings as you.

    15. Re:because it's not that easy by c6gunner · · Score: 1

      Christ. Let me guess - you still own a betamax machine, right?

      These decisions are more difficult than simply looking at competing products and seeing which one is "superior". If you can't understand that there are literally dozens of factors which play into these decisions then I don't know what else I can say to you. As a quick overview: businesses need to consider long term support costs, compatibility with other users, and re-training costs for their employees. Those would be the minimal considerations for a business thinking of moving to a new product, and for 99% of them switching away from MS Office is not worthwhile. It's the same reason most businesses won't switch to linux - it's simply not viable for most companies.

    16. Re:because it's not that easy by bursch-X · · Score: 1

      Common-sense standards. ...of which MS is part of? What do you mean with "common-sense" standards? The non-open pseudo standards that have been pushed down our throat, just because mister Monopoly says so? I do have a problem with "standardizing" on the complete mess that MS Windows and MS Office actually is. There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats.

      --
      There are two rules for success:
      1. Never tell everything you know.
    17. Re:because it's not that easy by Anonymous Coward · · Score: 0

      It's unfortunate that you would confuse individual safety with computer security. I actually feel quite safe at home or at work working on my computer, even if god forbid, it ever gets hacked! Shudders... Where I live, it's the cars or the petty criminals on the streets that put my physical safety at risk, it's not really the hackers.

    18. Re:because it's not that easy by civilizedINTENSITY · · Score: 1

      In what way is betamax more inherently safe? Is there anything about its design that is inherently more secure? Can a VHS tape virus even ever "own" your system? Please try to understand the issue. The rant at hand isn't against standards, it is against de facto standards that are insecure. Everyone drives a car. No one uses horses. This doesn't mean that saying a Corvair blows up and is dangerous means we want to go back to horses. It means we want the companies who make unsafe products to get their act together.

    19. Re:because it's not that easy by civilizedINTENSITY · · Score: 1

      Actually such matters as what document formats to use should be negotiated.

    20. Re:because it's not that easy by Anonymous Coward · · Score: 0
      ~~ swish ~~

    21. Re:because it's not that easy by c6gunner · · Score: 1

      Ah. So this is really just another "Microsoft is unsafe" rant. Well. That's been done to death, all the dumb claims have been answered, and people still continue spreading the myths. Whatever. I'm not getting into a pointless religious argument with an Open-Source zealot.

    22. Re:because it's not that easy by indifferent+children · · Score: 1
      So this is really just another "Microsoft is unsafe" rant. Well. That's been done to death

      Excuse me sir, but did you read the summary at the top of this page? I don't mean RTFA, just the summary.

      That's been done to death, all the dumb claims have been answered, and people still continue spreading the myths.

      If by 'people' who are spreading 'myths', you meant Microsoft officially warning their customers about 'risks', then I guess you're right.

      --
      Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
    23. Re:because it's not that easy by BlackSnake112 · · Score: 1

      There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats.

      ?? What? Please cite examples. The only time I ever saw a newer version have issues opening an old file was when lots (and I mean lots) of custom coding was done in that old file. This was with excel (the spreadsheet program that is way too big for its own good). I have never seen a newer version of word, or pp screw up. I uninstall access whenever I see it. That dam thing is just wrong.

    24. Re:because it's not that easy by grcumb · · Score: 1

      Actually, slashdot is full of groupthink itself which often annoys me.

      I would argue that 'groupthink' is not at all a helpful term, as it indulges in the very thing it objects to.

      But without it, I would have a hard time describing the individual(s) who modded me 'over-rated' in retaliation for having an unpopular point of view. 8^/

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    25. Re:because it's not that easy by ElephanTS · · Score: 1

      happens all the time here. It can be crushingly narrow minded IMHO

      --
      spoonerize "magic trackpad"
    26. Re:because it's not that easy by rifter · · Score: 1

      There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats.

      ?? What? Please cite examples. The only time I ever saw a newer version have issues opening an old file was when lots (and I mean lots) of custom coding was done in that old file. This was with excel (the spreadsheet program that is way too big for its own good). I have never seen a newer version of word, or pp screw up. I uninstall access whenever I see it. That dam thing is just wrong.

      I see it all the time with normal documents with minimal formatting like paragraphs and bolds and such. But the most common problems come with documents with simple tables and bulleted lists. Opening files saved in older formats, like Word 6.0 (which used to be pretty universally acceptable) on a newer version of Word has been broken since Word 97 at the very least. Saving as that format in another version of Word on another platform (like the Mac vs Windows) or using StarOffice, ( or I believe even with the same version on the same platform ) will result in bullets missing or wrong or out of place, differences in whether the gridlines are visible and printed on the tables, etc, etc. This is quite apart from the fact that opening a document with a new version of Word converts that document by default and when you go to save it it saves as the new version by default, thus locking your document into the previous version.

      There's also the fact that saving a document in any office program as any other format than the native one results in a file that does not look like what you just saved, which means you'd better double check by opening the new file before you move forward. (To be fair this is an annoyance that the GIMP shares as well).

      There is no guarantee that the document you save will look the same from one computer to another even with the same version of Office. Default printer settings used to be a major factor in this, but nowadays things like font availability and other considerations are more likely to affect your document. Even Microsoft was quoted as recommending PDF for documents that must look the same from one system to another. Word just wasn't meant for that (despite the fact it was originally touted as a WYSIWYG editor). And now you can print Word docs to PDF anyhow on the Mac natively and on the PC thanks to open source efforts based on ps2pdf, primopdf being one of many.

      Still, I never did see the justification in features like bulleting, tables, and simple paragraph formatting which have been around since the beginning of Word should be so different from one Word format to the next that the style of bullets and other such features cannot remain uniform through filter transformations. It just defies logic unless you realize that most changes to MSOFFICE formatting come from a need for planned obsolescence. After all, consider formats like TeX, html, PostScript, etc, which have been around as long as Word or longer, and have many of the complexities of Word formats, have had changes over the years just like Word, but have not required the removal or appreciable change of past functionality and have remained basically 100% backwards compatible over the years. That is because they were well designed and designed with extensibility in mind, two things clearly missing from Microsoft's plan.

    27. Re:because it's not that easy by rifter · · Score: 1

      "I'm on OS X and if a client or contractor sends me"

      Most businesses can not afford or would not like to treat their client like that. They are your client because you work for them. Unless your business is "IT general awareness" or "Subtle OS agenda pushing", you are not providing them a very good service. Maybe you are from the bizarro world where the customers and clients do not come first or your clients have no choice to come your way because of prior arrangements and/or you are part of a much larger group that does not have the same feelings as you.

      Funny, that seems to be the world where Microsoft lives, which is what leads us to this problem in the first place. :D

  6. Does not affect Office 2007 by ThinkFr33ly · · Score: 4, Insightful

    The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.

    This is further supported by other software they have released that went through their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.

    Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.

    1. Re:Does not affect Office 2007 by HomelessInLaJolla · · Score: 1

      True. O'07 is in the 0-15 day section. It'll take the original exploit author a few more days to track down the new memory location, recompile, and test. Maybe the new memory location floats. That might take another day or two to peruse the proper .dll and determine the floating method.

      --
      the NPG electrode was replaced with carbon blac
    2. Re:Does not affect Office 2007 by kosmosik · · Score: 1

      > The fact that this does not affect Office 2007 suggests that Microsoft
      > is learning from their mistakes.

      Not really. It also may be that nobody targets bugs in these products yet.

      FreeDOS also has not many known vulnerabilities. ;)

    3. Re:Does not affect Office 2007 by cnettel · · Score: 1
      From the article, it's not just that it fails to work in O2007, it's stated that it's not vulnerable. I'm pretty sure that the current file won't work on Office 2004 for Mac, but that's still listed as vulnerable. If they're consistent, the codepath is really fixed/changed in the new version.

      Anyway, I'm surprised to see Access in the list of "possibly vulnerable". I guess it might be some part of the VBA parsing, since, except for that, lots of the file logic is different (the databases are not compound OLE documents).

    4. Re:Does not affect Office 2007 by HomelessInLaJolla · · Score: 1
      You didn't read far enough

      > Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash

      All of the other actions listed in the exploit sequence seem to be legitimate actions which, unless Microsoft wants to rewrite legitimate function calls or handle the "XOR shellcode" on a case by case basis (apparently, if it's allowed, there was/is a legitimate use for it someplace), cannot be blocked without creating major compatibility/useability issues for legit users.

      If the exploit can be written for one hardcoded address, which can be found, then it can be written for any hardcoded address, which can still be found.
      --
      the NPG electrode was replaced with carbon blac
    5. Re:Does not affect Office 2007 by fermion · · Score: 1

      The fact that this does not affect MS Office 2007 merely indicates that MS has closed previously exploitable holes, and the pros have not had time to package current exploits into the framework needed by the script kiddies. Even if we see fewer attacks in the future, that could still mean several different things. It could mean that MS Office 2007 is more secure. It could mean a growing competence by users to compensate for MS failure to provide a secure system. Or it could mean that such exploits have become so monetized that the pros are not wasting the secrets on script kiddies, but rather using the exploits to covertly control a user's machines. This is precisely what happened in the old days when viruses stopped simply reformatting your disk and began to concentrate on real long term damage.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    6. Re:Does not affect Office 2007 by ThinkFr33ly · · Score: 1

      > The fact that this does not affect MS Office 2007 merely indicates that MS has closed previously exploitable holes

      Actually, that's probably not the case here. If Microsoft knew about this particular hole, they would have issued a patch for it for previous versions. They probably had no idea about this hole. The reason it doesn't affect Office 2007 is probably because Office 2007's basic approach to handling documents is different from previous versions. They treat all documents as potential threats. In other words, the secure development lifecycle made Office a more secure product, and this prevented a previously unknown hole from affecting it.

      > It could mean a growing competence by users to compensate for MS failure to provide a secure system.

      Huh? How so? How do users have anything to do with Office 2007 not being affected by this exploit?
    7. Re:Does not affect Office 2007 by Anonymous Coward · · Score: 0

      Have you not been paying attention? Win2k3 server has been getting owned regularly. Just check the past security bulletins. Our server guys at work have just as much MS patching work to do as the desktop guys. I don't remember a month when they have been idle.

  7. Bill was RIGHT. by Anonymous Coward · · Score: 2, Funny
    The other day, Bill Gates suggested to Newsweek that the Mac is super-insecure due to lack of code base drama within Mac OS X:

    > The number [of Vista security flaws] will be way less because we've done some dramatic things in the code base. Apple hasn't done any of those things.

    He was so right. It is time for Mac users to upgrade to Vista, after all, TFA says:

    > Confirmed vulnerable: [...]Office 2004 v. X for Mac.

    There you have it fanboyz... CMD-. your life away! Vista all the way baby!
  8. It's past time for a better approach by haruchai · · Score: 1

    After all these years, the same software bugs seem to continually crop up. I guess that no currently available platform is safe but can't we do better? It has been 2 decades of worrying about viruses, worms, trojans, format string errors, buffer overflows, etc. Microsoft was a latecomer to the "make software secure" game but it has been about 5 years now and the song remains the same. So, my question is, who's doing it right and how ?

    --
    Pain is merely failure leaving the body
    1. Re:It's past time for a better approach by HomelessInLaJolla · · Score: 3, Interesting

      > So, my question is, who's doing it right and how ?

      Code has become so enormous that the answer is, more than likely, nobody.

      I'm still puzzled. Spreadsheet programs, word processors, database programs, etc. etc. etc. all fit on one, maybe two, floppy disks at one time. If anyone wonders how to write secure code the largest starting point is: cut out the advertising glitz and cruft.

      But then the rest of the population would happily go back to sticky notes, $2.99 calculators, pencils, the telephone, US Mail, and the kitchen table (for solitaire) and that wouldn't be profitable for the market sector. So, love it or hate it, just view the security industry not as a problem to be solved but as a tiger to be fed and groomed.

      --
      the NPG electrode was replaced with carbon blac
    2. Re:It's past time for a better approach by cnettel · · Score: 1

      Well, I think you'll find that apps of that era were NOT resilient to malformed input. Maybe we could get them right if we aimed for the same functionality now, but I almost doubt it. (Well: if you put a workforce equivalent to the complete Excel team onto making a console app with the functionality of the original 1-2-3, I guess they could make it reasonably safe. At least until you press some F key to recalculate.)

    3. Re:It's past time for a better approach by HomelessInLaJolla · · Score: 1

      > apps of that era were NOT resilient to malformed input

      What? Again I say, what?

      Apps of that era only had 8-bit character sets to deal with. Malformed input was so much easier to check for. Not that the expanded character sets of today are any real excuse but still, again I say, what?

      --
      the NPG electrode was replaced with carbon blac
    4. Re:It's past time for a better approach by flyingfsck · · Score: 3, Insightful

      MS wrote loads of stuff with C++ and the C strings library especially, is total crap. Also, with C++, it is fundamentally impossible to know when it is safe to destroy an object and free its memory. MS is therefore suffering from a bad choice of compiler and coding methods years ago. Their problems won't go away anytime soon.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    5. Re:It's past time for a better approach by Watson+Ladd · · Score: 1

      Lisp, J, O'caml, Erlang, Smalltalk all look like safe languages to write in. And yes, they have operating systems in Lisp.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    6. Re:It's past time for a better approach by Anonymous Coward · · Score: 0

      His point was that malformed input is how exploits occur, and those old spreadsheets were no better at dealing with that than today. If all the computers in the DOS era had broadband and the same number of files being transferred between them they would also have regularly been exploited in the same way.

      I think the point is that instead of adding features coders should work on security. Hard to sell though - "Exactly the same as last year's but now more secure!" for $50, hmm...

    7. Re:It's past time for a better approach by Anonymous Coward · · Score: 0

      >>So, my question is, who's doing it right and how ?

      >Code has become so enormous that the answer is, more than likely, nobody. ...So, love it or hate it, just view the security industry not as a problem to be solved but as a tiger to be fed and groomed.

      I'm sorry but I seriously cannot believe this answer. "Rampant security problems are an inevitable result of complex code, that we just have to accept"?

      I never have to deal with any of this virus, etc, etc, crap. Is it because my programs all fit on floppy disks? Is it a miracle? No, I use Mac OS. Good, smart design. No of course it's not invulnerable... but so far they've done a pretty damn good job.

      The existence of a thing is a pretty good proof of its possibility.

      So it's not "inevitable" that complex code will be as amazingly riddled with security problems as Microsoft's is. Now why theirs is is an interesting question. As is, why so many people put up with it.

      ps do my best to avoid Excel and Word too (who is the moron who thought it was a bright idea to put macro capability in a *word processor*? inviting virus writers!)

      sheesh

    8. Re:It's past time for a better approach by Anonymous Coward · · Score: 0

      So let me guess, you're one of those fat idiots who think that all software should be written in Perl? Good luck with that.

    9. Re:It's past time for a better approach by pe1chl · · Score: 1

      There are a couple of things that you can do to avoid this kind of mishap:

      - Office workers should not work under an account with administrator privileges. When applications exist in the company that require administrator rights, they should be phased out. There is no excuse for still having such bad program code around in 2007.

      - The user account being used should not have write permission in directories like /windows /program files etc. In our systems, the only directory with write permission is the user's own directory in /documents and settings.

      - You can use a tool like "TrustNoExe" to allow program execution only from read-only directories (allow from C:\ deny from C:\Documents and Settings). This will prevent the user from executing programs written in %Temp%, like this exploit does. It also prevents execution of programs and pifs received by mail.

      - You could also refuse incoming mail at the external mail MX with a source address internal to the company. That may be a problem in some special cases, though.
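
The last item in the list above, as an added example that is not part of the original comment: a border-MX check that refuses mail arriving from outside while claiming an internal sender, which is the "co-worker's e-mail address" case from the story. The domain `corp.example`, the network ranges and the trusted-relay list (the "special cases") are assumptions, and the sample messages are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# Assumed values for illustration; none of them come from the thread.
INTERNAL_DOMAINS = {"corp.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# The "special cases": outside services permitted to send as the company
# (hosted newsletter, ticketing system, ...). Hypothetical range.
TRUSTED_EXTERNAL_RELAYS = [ipaddress.ip_network("192.0.2.16/28")]


def domain_of(address):
    """Lower-cased domain part of a bare address, '' if it has none."""
    address = (address or "").strip().strip("<>")
    _local, at, domain = address.rpartition("@")
    return domain.lower().rstrip(".") if at else ""


def is_internal(domain):
    """True for an internal domain or a subdomain of one (not a lookalike)."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def mx_decision(peer_ip, envelope_from, raw_message):
    """Return (action, reason) for one message offered to the external MX."""
    ip = ipaddress.ip_address(peer_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return ("accept", "internal peer")
    if any(ip in net for net in TRUSTED_EXTERNAL_RELAYS):
        return ("accept", "trusted external relay")

    # SMTP envelope sender (MAIL FROM). An empty one is a bounce: no domain.
    if is_internal(domain_of(envelope_from)):
        return ("reject", "internal envelope sender from external peer")

    # The From header is what the recipient actually sees, and it can differ
    # from the envelope sender, so it is checked separately.
    headers = message_from_string(raw_message)
    for _name, address in getaddresses(headers.get_all("From", [])):
        if is_internal(domain_of(address)):
            return ("reject", "internal From header from external peer")
    return ("accept", "external sender")


# Constructed sample messages (not taken from any real attack).
SPOOFED_MSG = (
    "From: Carol <carol@corp.example>\n"
    "To: dave@corp.example\n"
    "Subject: Q1 figures\n"
    "\n"
    "Please check the attached budget.xls\n"
)
PARTNER_MSG = (
    "From: Pat <pat@partner.example>\n"
    "To: dave@corp.example\n"
    "Subject: Meeting notes\n"
    "\n"
    "Notes attached.\n"
)

if __name__ == "__main__":
    for peer, mail_from, msg in [
        ("203.0.113.9", "carol@corp.example", SPOOFED_MSG),
        ("203.0.113.9", "bounce@mailer.example", SPOOFED_MSG),
        ("203.0.113.9", "pat@partner.example", PARTNER_MSG),
        ("192.0.2.20", "news@corp.example", SPOOFED_MSG),
    ]:
        print(peer, mail_from, "->", mx_decision(peer, mail_from, msg))
```

The check only covers sender addresses forged from outside; a message sent from a co-worker's own mailbox arrives from an internal peer and is accepted, so it complements the other items in the list.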

  9. OO by len_p · · Score: 1

    I'll open the XLS file in OpenOffice. I use Linux anyway :) Len

    1. Re:OO by jaimegarcia · · Score: 0

      Linux? never heard about it...

    2. Re:OO by zCyl · · Score: 3, Funny

      Linux? never heard about it...
      It's simple. Linux is to Windows what Data was to Hal.
    3. Re:OO by Anonymous Coward · · Score: 0

      Does that mean Lore is the Mac??

  10. Gates asked for it... by bigredgiant1 · · Score: 2, Interesting

    Maybe this is related to Bill Gates' recent comments, saying he dares someone to do to Microsoft what has recently happened with OS X and zero-days. Careful what you wish for. http://apple.slashdot.org/article.pl?sid=07/02/02/1940232

    --
    Vic
  11. totally offtopic by DragonTHC · · Score: 1, Funny

    I'm shocked that Billy Joel needed a vocoder to perform the national anthem at the superbowl

    --
    They're using their grammar skills there.
    1. Re:totally offtopic by HomelessInLaJolla · · Score: 0, Offtopic

      I'm homeless. I wasn't able to see it. Let me know how funny the commercials were.

      --
      the NPG electrode was replaced with carbon blac
    2. Re:totally offtopic by maxume · · Score: 1

      This Bud(the one in my hand) is pleasingly generic. Mmmmmmmmh. Beer.

      --
      Nerd rage is the funniest rage.
  12. Just wondering if this IS MS marketing? by zappepcs · · Score: 3, Interesting

    Lately we've seen memos and emails suggesting just how far MS is willing to go, perhaps in the future we'll see emails or memos describing how malicious software was released into the wild to help people decide to buy the new 2007 applications to go with their new Vista PCs?

    1. Re:Just wondering if this IS MS marketing? by TubeSteak · · Score: 1

      You can embed excel spreadsheets in Office, PowerPoint, even a simple html file.

      I wonder if this exploit is specific to files with the .xls extension? or is it just an exploit that requires excel to load.

      If it's the latter, that's a much bigger problem than the former, especially considering the fact that you can embed spreadsheets in html.

      --
      [Fuck Beta]
      o0t!
  13. Do we know this for sure? by Anonymous Coward · · Score: 1, Insightful

    Do we know for sure that Office 2007 is not affected? Without the source code being available to us under an open source license, I don't think we can, as a community, safely say that it is not affected. All we can do is speculate, or blindly trust Microsoft if they say it's not affected.

    1. Re:Do we know this for sure? by DelawareBoy · · Score: 4, Insightful

      If you follow that logic, anything not open source is open to that vulnerability, Microsoft or not...

      However, if you actually try the code which does impact Office 2003 and earlier editions, it does NOT work. Makes me glad I got my free copy of Office 2007.

    2. Re:Do we know this for sure? by DelawareBoy · · Score: 2, Informative

      My Word 2007 allows me to save in the new Word format, Word 1997 - 2003 (which allows reading things TEN years older, not 3 as you have said), PDF, XPS (which I don't know why I'd use), .txt, RTF, HTML, and a few others..

      Why spread this FUD?
      Hate Microsoft because of legitimate reasons (like anti-trust), NOT for reasons made up, like a little girl.

    3. Re:Do we know this for sure? by zCyl · · Score: 1

      Makes me glad I got my free copy of Office 2007.
      Uh huh. I bet the exploit doesn't work on my free copy of Open Office either. :-P
    4. Re:Do we know this for sure? by ThinkFr33ly · · Score: 1

      Very true... except that if you're worried about involuntary lock-in, there are 16 file types you can save your documents in, many of which are very widely supported. You can also install additional file type support, such as the Open Document Format.

      So I guess it's not true at all. Never mind.

    5. Re:Do we know this for sure? by civilizedINTENSITY · · Score: 1

      Our physics department keeps OpenOffice around especially for its ability to deal with MS Word documents. So many students use such a variety of MS Word versions, and Word isn't all that great at opening various versions. When Word can't open Word, that is a sad state of affairs.

  14. Glad I switched by AlphaLop · · Score: 3, Interesting

    I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice

    --
    It's only paranoia if your wrong...
    1. Re:Glad I switched by risk+one · · Score: 0, Flamebait

      You must be so popular...

    2. Re:Glad I switched by mccalli · · Score: 4, Funny

      I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice

      Do you send links to any of these OpenOffice vulnerabilities as well?

      Cheers,
      Ian

    3. Re:Glad I switched by maxume · · Score: 1

      You should send them the article embedded in a compromised Word file. That'll show em.

      You're sig is borked by the way.

      --
      Nerd rage is the funniest rage.
    4. Re:Glad I switched by caseih · · Score: 1

      Vulnerabilities in OO.org notwithstanding, a few things we must keep in mind: The cost of getting the latest openoffice? Do you need a "genuine" copy of OpenOffice to qualify for patches? Seems like OpenOffice, for all its warts, still comes out ahead in this one area. For home users, this can be a huge point. Of course, the underlying OS (as of windows XP) is still a huge security problem, despite using firefox and oo.org.

    5. Re:Glad I switched by Anonymous Coward · · Score: 0

      For which vulnerabilities? The ones without any known exploits or the ones that have already been patched?

    6. Re:Glad I switched by smoker2 · · Score: 1

      Interesting how most of those results are announcing *patches* for OO vulnerabilities, and the OO on MS contingent is by far the biggest proportion anyway.

  15. I can't be the only one by antifoidulus · · Score: 1

    who thought of the grunt voice from Warcraft II when they read the headline.

    1. Re:I can't be the only one by sharkey · · Score: 1

      You see "MS Office" and think "Will you stop touching me"?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  16. upgrade to something better by user_ecs · · Score: 1

    Again it isn't just Microsoft windows that is the problem.

    For Christmas I bought a system from CSS.
    http://www.curtissystemssoftware.com/preloads.htm

    It came preloaded with OpenOffice.org. Has quality hardware (unlike a Dell which has the lowest bidder components). Even had ECC memory.

    Even without anti-virus software it is immune to all this crap. I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.

  17. If only 50% of the population used MS Office by Colin+Smith · · Score: 0

    What would be the chance of successful propagation?

    1st transmission: 100%
    2nd: 50%
    3rd: 25%
    4th: 12%
    5th: 6%

    As you can see, the chance of successfully propagating beyond the current system drops off rapidly. It's the fact that so many people out there choose to run Microsoft Office that viruses and trojans can propagate so easily. If there were several different but compatible office suites which could share the same file formats we wouldn't have nearly the problem we have with security.

    --
    Deleted
    1. Re:If only 50% of the population used MS Office by cnettel · · Score: 3, Interesting

      Yeah, cause we know that pyramid schemes and MLM require each and every recipient to join the game. If only 50 % of the population used Office, but each infected machine sent out two copies (and each was opened), we would have a steady state of fresh infections. Logic like yours might have worked when the primary vector was the actual work documents, or floppy disks. With mass mailings, even a very small fraction could ensure a significant outreach. The question is simply if the explosive phase will be delayed enough to put extra countermeasures into place.

    2. Re:If only 50% of the population used MS Office by Colin+Smith · · Score: 1

      > but each infected machine sent out two copies (and each was opened), we would have a steady state of fresh infections

      I think we can take it as read that the number of mailings and openings are related to the size of the addressbook and human psychology respectively. Both of which will be comparatively constant. Even with a mass mailing the effect would be massively reduced. You go from an explosion to a trickle.
      --
      Deleted
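
The disagreement in this sub-thread comes down to a branching process, worked through here as an added example that is not part of either post: each infected machine mails `k` recipients who open the file, and a fraction `p` of them run the vulnerable suite. The Binomial(k, p) offspring model and the sample values of `k` are assumptions.

```python
def expected_new_infections(k, p, hops):
    """Expected newly infected machines at each hop, starting from one.

    Each infected machine produces on average R = k * p further infections,
    so hop n sees R**n of them (hop 0 is the first machine).
    """
    r = k * p
    return [r ** n for n in range(hops)]


def die_out_probability(k, p, generations):
    """Probability that the outbreak has stopped within `generations` hops.

    The offspring count is Binomial(k, p), whose generating function is
    G(s) = (1 - p + p*s)**k. Iterating q <- G(q) from q = 0 gives the
    probability that no infected machine is left after each generation.
    """
    q = 0.0
    for _ in range(generations):
        q = (1.0 - p + p * q) ** k
    return q


def critical_share(k):
    """Market share at which one infection causes exactly one more (R = 1)."""
    return 1.0 / k


if __name__ == "__main__":
    # k = 1 reproduces the 100%, 50%, 25%, ... list in the parent post.
    print("k=1  p=0.5:", expected_new_infections(1, 0.5, 5))
    # k = 2 is the reply's case: R = 1, a steady expected count per hop.
    print("k=2  p=0.5:", expected_new_infections(2, 0.5, 5))
    # Assumed address book of 20 openers: a 50% share gives R = 10.
    print("k=20 p=0.5:", expected_new_infections(20, 0.5, 5))
    print("share needed for R<1 at k=20:", critical_share(20))
    for k, p in [(1, 0.5), (2, 0.5), (20, 0.5), (20, 0.02)]:
        print(k, p, "dies out within 50 hops:",
              round(die_out_probability(k, p, 50), 6))
```

Under this model the share of the vulnerable suite matters only relative to `1/k`: halving the share halves R, but the outbreak is contained only once R falls below 1.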
  18. Um... That's why standards exist by Colin+Smith · · Score: 4, Informative

    > businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.

    That simply means you need standardised file formats, you don't need the same software.

    --
    Deleted
    1. Re:Um... That's why standards exist by Anonymous Coward · · Score: 1, Informative

      Right, the same file format means different implementations, which is why WINE had a WMF flaw just like Windows did

    2. Re:Um... That's why standards exist by Anonymous Coward · · Score: 0

      WMF's specification was flawed. Guess who designed it?

    3. Re:Um... That's why standards exist by Bearhouse · · Score: 1

      But you know what they say about standards, "the advantage of standards is that there are so many, you can pick the one you want" BTW, didn't M$ just change the format of 'Office' files again? Despite having said in the past that they'd keep the same format for future releases? Oh, of course, all this is beside the point since we have XML and PDF (Open Source!)...eh, no. Standard or exchange file formats, (OO fanboys) are no use if your application displays/prints them differently from the source app.

    4. Re:Um... That's why standards exist by mgiuca · · Score: 1

      That simply means you need standardised file formats, you don't need the same software.
      What are you on about? Office 2007 has a fully open and standardised file format - Open XML! Just because it's designed such that nobody other than Microsoft will ever be able to fully implement it doesn't mean we shouldn't all jump on the bandwagon!
    5. Re:Um... That's why standards exist by nostrad · · Score: 1

      That might have been due to WINE's goal: '"bug-for-bug" compatibility with Windows'.

  19. Mac vulnerable? by Angostura · · Score: 2, Interesting

    That's odd - the advisory suggests that Mac Office v.x and 2004 are vulnerable, but that certainly doesn't chime with the mechanism quoted. What's going on here?

    1. Re:Mac vulnerable? by steeviant · · Score: 1

      Bill Gates is right! Apple are lying to everyone about how secure their OS is!

      It's really vulnerable to all the same problems as Windows, and this is proof.
      Absolute irrefutable proof from an utterly incorruptible independent source!

  20. Paedophilia? by Anonymous Coward · · Score: 0

    Why does that letter sound like it was written by a child abuser?

  21. Nevermind that... by Sodki · · Score: 2, Funny

    ... look how pretty Ribbon is!

  22. Re:I propose a Fix it or Fuck it week for MS code by Architect_sasyr · · Score: 1

    I was going to suggest a Month Of Office Bugs to the lists, but the only way I can see it working is if we have 8 bugs a day for a year...

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  23. Troll by Anonymous Coward · · Score: 0

    Because if enough trolls all hide on the internet and point in one direction then the people who don't know any better will mob in that direction.

    Someone should log your IP and prosecute you.

  24. It's not funny, why laugh? by suv4x4 · · Score: 4, Interesting

    I fail to see why posts talking about vulnerabilities in widely used software is tagged "haha". Is it really so funny?

    The zombies that will result from those attacks will send spam even to your tricked out Linux PC. You're laughing at your own expense. Have fun.

    1. Re:It's not funny, why laugh? by EllynGeek · · Score: 1

      That's a good point. Being collateral damage is not funny. But it is funny that the richest software company on the planet, run by two of the most arrogant lying blowhards alive, can't code its way out of a wet paper bag.

      --

      we will end no whine before its time

    2. Re:It's not funny, why laugh? by Anonymous Coward · · Score: 0

      > The zombies that will result from those attacks will send spam even to your tricked out Linux PC. You're laughing at your own expense. Have fun.

      And my open source anti-spam software will block it.
    3. Re:It's not funny, why laugh? by Anonymous Coward · · Score: 0

      Yeah, it's funny. Funny as hell. Funny because it doesn't affect me. Funny because it's just rewards for people STILL willfully subjecting themselves to this BS. How many times have they allowed MS to get away with it? First time, shame on MS. Subsequent times, shame on them.

      And don't give me that BS about not having a choice. You *always* have a choice.

      So I laugh at all of you suckers.

    4. Re:It's not funny, why laugh? by Anonymous Coward · · Score: 1

      And if we burnt Ballmer's naked corpse that would be bad for the environment, but it'd still warrant a 'haha' tag!

      I'm joking of course - obviously we'd leave his clothes on. Ew.

  25. for crying out loud by Anonymous Coward · · Score: 0

    They're not "zero days" unless the exploits are released/in the wild before the product is available to consumers, but after the manufacturer can do anything about it. If these were security issues with MS Office 2007 and Office remained vulnerable when released, they'd be zero days. But these are vulnerabilities in software that's been out for years, including Office 2000!

    We can't just throw the phrase around like this; it has a real and verifiable meaning.

    1. Re:for crying out loud by Woek · · Score: 1

      Why isn't this AC modded up? He's absolutely right!

    2. Re:for crying out loud by miro+f · · Score: 1
      try reading the article you linked to

      0-day exploits are released before, or on the same day the vulnerability -- and, sometimes, the vendor patch -- are released to the public. The term derives from the number of days between the public advisory and the release of the exploit.
      the zero day you're referring to is 0 day warez, that is, warez that are released before the actual product. A 0-day exploit means that the exploit is in the wild before the vendor knows about it.
      --
      being vague is almost as cool as doing that other thing...
  26. Re: eComStation and OpenOffice.org by user_ecs · · Score: 1, Interesting

    eComStation and OpenOffice.org is the cure I use.

    eComStation is more stable than windows but a lot easier than Linux

    For Christmas I bought a system from CSS.
    http://www.curtissystemssoftware.com/preloads.htm

    It came preloaded with OpenOffice.org. Has quality hardware (instead of the Dell's lowest bidder components). Even had ECC memory.

    Even without anti-virus software it is immune to all this crap. I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.

  27. Falling Sales? by mckniffen · · Score: 1

    Seems kinda suspicious to me that the only way to avoid this attack is to upgrade to the latest piece of software. This means their Office 2007 sales are low. You'd think they could just release a patch instead of being so money grubbing.

    --
    Communism, its a party!
    1. Re:Falling Sales? by sqlrob · · Score: 3, Informative

      You can also avoid the attack by setting %TEMP% to no execute permissions. Interesting that they don't say that.

    2. Re:Falling Sales? by idiotwithastick · · Score: 0

      Or maybe it could mean that they haven't written a patch yet, hence why it's a Zero-Day attack.

    3. Re:Falling Sales? by TheThiefMaster · · Score: 2, Insightful

      Unfortunately a lot of installers seem to extract themselves to %temp% and then run one of the extracted files to continue, so this isn't a permanent solution. Unless you're not ever going to install anything that is.
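
This sub-thread and pe1chl's earlier list ("allow from C:\ deny from C:\Documents and Settings") describe the same control: refuse execution from any location the user can write to. The following is an added example, not from any poster and not TrustNoExe's actual rule engine, of evaluating such path rules; "longest matching prefix wins, default deny", the `%TEMP%` value and the sample paths are assumptions.

```python
import ntpath
import re

# Rules as quoted in the thread. How the real tool resolves overlapping rules
# is not stated on the page; longest-prefix-wins is this example's assumption.
RULES = [
    ("allow", "C:\\"),
    ("deny", "C:\\Documents and Settings"),
]

# Assumed per-user environment (Windows XP style profile layout).
ENV = {"TEMP": "C:\\Documents and Settings\\alice\\Local Settings\\Temp"}


def expand(path, env=ENV):
    """Replace %NAME% with its value from env; unknown names are left as-is."""
    return re.sub(r"%([^%\\/]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def parts(path):
    """Canonical components: '..' collapsed, '/' unified, case folded."""
    canon = ntpath.normcase(ntpath.normpath(path))
    drive, rest = ntpath.splitdrive(canon)
    return [drive] + [p for p in rest.split("\\") if p]


def decide(path, rules=RULES, env=ENV):
    """Return 'allow' or 'deny' for executing the file at `path`.

    Matching is per path component, so a sibling directory whose name merely
    starts with a denied name is not caught by accident. A production check
    must run on the path the OS resolved for the opened file, not on a string
    supplied by the caller.
    """
    target = parts(expand(path, env))
    action, depth = "deny", -1          # default deny when nothing matches
    for rule_action, prefix in rules:
        rule = parts(prefix)
        if target[:len(rule)] == rule and len(rule) > depth:
            action, depth = rule_action, len(rule)
    return action


# Constructed sample paths.
SAMPLES = [
    "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
    "%TEMP%\\dropped.exe",                       # payload written to %TEMP%
    "%TEMP%\\setup-extract\\install.exe",        # self-extracting installer
    "c:/documents and settings/alice/Desktop/invoice.pif",
    "C:\\Program Files\\..\\Documents and Settings\\alice\\a.exe",
    "D:\\setup.exe",                             # no rule covers D:
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{decide(sample):5}  {sample}")
```

The third sample is the installer case raised in the reply: the rule that stops a dropped payload also stops a legitimate self-extracting setup, so installs have to run from an account or location exempt from the rule.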

  28. It will be news when... by EllynGeek · · Score: 1

    ...a day goes by when Office and Windows are not exploited with trivial ease.

    --

    we will end no whine before its time

  29. Re:It is your PC by user_ecs · · Score: 1

    businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.
    Shouldn't the businesses be more worried about THEIR intellectual property rather than microsoft's. The words typed and spreadsheets, presentations the employees create is owned by the business. Seems like the tool, microsoft office gets more protection than the work results created.

    All documents should be in open file formats.
    http://openoffice.org/

    It is your PC

    Your thoughts expressed in documents, spreadsheets, drawing, etc should be primary. The proprietary document computer file formats should not be used to lock you out of YOUR intellectual property. Microsoft proprietary document Word/Office (.doc) and Excel (.xls) force you to pay an upgrade ransom to keep using or sharing YOUR intellectual property.

    http://lists.ufl.edu/cgi-bin/wa?A2=ind0510&L=ccc&P=10169

    Subject: Introduction to OpenDocument
    Date: Thu, 20 Oct 2005
    From: Ken Sallot

    Get virus resistant computer preloaded with OpenOffice
    http://www.curtissystemssoftware.com/preloads.htm
  30. +1 Funny by Anonymous Coward · · Score: 0

    Sorry to ruin your delusions of grandeur, but its got nothing to do with conformity. Its to do with *being able to share documents with your business partners*. Why are you slashbots so insecure that you always need to put people down like this? I suppose if in real life you're always the victim and never have the courage to stand up to anyone you need somewhere to vent, eh?

    1. Re:+1 Funny by grcumb · · Score: 1

      [I]ts got nothing to do with conformity. Its [sic] to do with *being able to share documents with your business partners*.

      It has everything to do with conformity. I have no problem with the importance of being able to 'share documents with your business partners'. That's reasonable and universally appealing. I do find it unfortunate, though, that people continue to do it in a way that is neither secure, sustainable nor cost-effective, and then refuse to make any effort whatsoever to mitigate the problems inherent in the system they've created, because 'everyone does it this way'.

      Again, the statement isn't against standards, it's about an innate shortcoming in our societal make-up, one which I am prepared to accommodate, even if I don't think it makes sense. So I'm not arguing against your reality; I'm actually saying there's no point in arguing against it.

      I suppose if in real life you're always the victim and never have the courage to stand up to anyone you need somewhere to vent, eh?

      I have no idea where this came from, but I can assure you that one thing I have never been is a victim. 8^)

      HTH HAND

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    2. Re:+1 Funny by Anonymous Coward · · Score: 0

      it's about an innate shortcoming in our societal make-up, one which I am prepared to accommodate, even if I don't think it makes sense.

      I agree but not because of a societal make-up. It is a business or employee decision, not a personal one. I build, support, and maintain MS servers all day. I speak my opinion either in voice or in writing about decisions that are IT related that someone at the company made that I feel should be revisited or clarified. Sometimes I am asked for more details and sometimes not. I did my job either way. If we get nailed by a huge worm via an XLS file, I will still be working here, still collecting a pay check and I will feel confident that I did everything I was capable of doing prior to such an incident and I will have no problem cleaning up after the storm. I am dedicated to my job but I am not an evangelist. Like I said, I add my $.02 and let the decisions be made.
      Not everyone going along with the program is a CIO/CEO and can get something changed. IT departments do not run companies. The IT opinion is considered but ultimately the decision is made after viewing the overall effect, not just how it affects the IT department.

  31. Re:Gates and Microsoft deserve all the scorn by steeviant · · Score: 2, Funny

    I say we just put up with the problems in Windows.
    Windows just needs time to mature.
    At the moment Microsoft are undergoing a big shake up.
    Everyone has their foibles, and Windows is no different.
    No software is perfect.
    Microsoft are really trying to turn things around.

  32. Re: eComStation and OpenOffice.org by imemyself · · Score: 1

    Wow. People are still using OS/2 and its derivatives? Not only still using it, but switching to it? I haven't heard anything from OS/2 zealots in a long time.

    --
    Every time you post an article on Slashdot, I kill a server. Think of the servers!
  33. Re: eComStation and OpenOffice.org by Planesdragon · · Score: 4, Interesting

    I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.

    Hi. I'm a PC user, with an HP laptop, and Office 2007. Not too long ago I had Vista Beta on this thing. And you know what? I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.

    Part of me wishes they'd try -- it's amazing how good the upgrade from "punitive damages" would be.

  34. Re:Gates and Microsoft deserve all the scorn by Anonymous Coward · · Score: 0

    You're trying to be funny, right? Sweet Jesus, no one in their right mind would call Windows a product that enables its users to excel. I had to talk with Gates several times in the 80's and my impression has always been that he's a shit who makes middlebrowware. Now he's a mega-billionaire little shit who makes slightly more functional middlebrowware. Fucking sharky little dick is ol' Billy. Glad I'm out of that crappy business: pushing shit Microsoft software.

  35. To be fair... by Xenographic · · Score: 1

    VERY few image formats are allowed by the specification to contain arbitrary code...

    (The other times you hear it happening, someone has managed to find a buffer overrun, the executable bit isn't part of the image format itself.)

  36. It's obvious! by Anonymous Coward · · Score: 0

    If they didn't have bugs like this... no one would need to buy Office 2007.

  37. It's called Schadenfreude by BearRanger · · Score: 1
    http://en.wikipedia.org/wiki/Schadenfreude/

    Especially after that interview with Bill Gates in Newsweek. It's not that people don't feel for Microsoft's victims. It's just that when you make the claims Gates did you have to be able to back them up. Time and time again Microsoft has shown that they can't.

  38. Re:Gates and Microsoft deserve all the scorn by Anonymous Coward · · Score: 0

    The thing about MS products is they sell very well (for various reasons), and each new version requires more horsepower. This makes hardware manufacturers very happy to support Windows. Eager, in fact. How many products did you see that had "Vista Ready" proudly displayed months before Vista was officially released...?

    It's all part of the money-go-round. Microsoft effectively markets bloated software, which feeds sales to the hardware industry, and sales to retail outlets. To return the favour, the hardware manufacturers work furiously to support Windows in promises of greater income.

    No wonder hardware manufacturers are not keen on supporting Linux. OSS users do their best to run Linux on hardware they *already* own. This doesn't push sales.

    I mean, look at DirectX10. It's a sales tool for both Vista *and* hardware. It's a great business model, from a consumerist society standpoint. Linux, and in many ways OSX, fails in this way.

  39. I have a serious question. by Anonymous Coward · · Score: 0

    Why was it decided that Office documents could be loaded with scripts that would have the power to manipulate (or delete) files on a hard disk? I'm not an expert on viruses, and I might not have a full understanding of how these exploits work, but it seems to me that most of these problems arise because MS products are given way too much control over a user's computer. Why can't we go back to the days where a document was just that--a document, containing nothing but data and basic functions to display that data within the appropriate Office application? I know MS are just trying to give the end user maximum flexibility, but I think they've gone too far. I don't know of a single legitimate reason for why someone would like their Word document to delete files on their drive when it's opened, or send data over the internet. And why doesn't Office display a message whenever a document tries to do something that could be seen as destructive? "Warning: This document is attempting to delete the following file. Are you sure you want to allow this?" That would still work for legitimate files, as the user would simply click "Yes" and everything works as intended.

    Throw ActiveX into a lake, and take VB Script out of office documents. These things are simply unnecessary.

  40. Re: eComStation and OpenOffice.org by kjart · · Score: 1

    Could you tell those CSS folks that Geocities called and they want their website back? Thanks.

  41. I just received one today by zx-15 · · Score: 1

    All I got was a boring multi-tabbed document with some financial info. I thought someone just sent it to me by mistake.
    OpenOffice just opened it, no harm done.

  42. Re: eComStation and OpenOffice.org by dr.badass · · Score: 3, Funny

    For Christmas I bought a system from CSS.

    Did you get an employee discount?

    --
    Don't become a regular here -- you will become retarded.
  43. Re:Gates and Microsoft deserve all the scorn by steeviant · · Score: 2, Insightful

    Bill Gates is a great man, he is giving all his money away to charity.
    Without Microsoft computers would be much harder to use and more expensive.
    Etc.

    I wasn't so much trying to be funny as regurgitating some of the sugar-coated bullshit I've been spoon-fed by the media over the past couple of years leading up to the release of Vista.

    My honest opinion from what I've seen of Bill Gates is that he seems very insincere most of the time, like he is trying to hide deep seated insecurities behind a veneer of smugness. I suspect he is really fixated on how people perceive him.

    Continuing in the amateur psychology vein, I think that his deep seated insecurities shaped Microsoft and guided its behavior.

    Would a company that was proud of its creations feel that they had to constantly intimidate hardware partners in order to ensure they keep using that software, or specifically adjust their software to make it incompatible with competing software?

    Personally I think those are the actions of a company that believes that their customers, given a choice, would rather migrate away.

  44. Re: eComStation is OS/2 by Anonymous Coward · · Score: 0

    lol

  45. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  46. Re: eComStation and OpenOffice.org by glindsey · · Score: 2, Insightful

    I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.

    So your solution is that we keep receipts of every single thing we purchase because the burden is upon us, the consumers, to prove that everything we have purchased is legal?

    Gee, that sounds like a wonderful solution. "Why are you so worried about the government mandating cameras in your house? Surely, if you're not a criminal, you have nothing to hide!"

  47. Re: eComStation and OpenOffice.org by bogd · · Score: 2, Insightful
    From what I've heard, Vista will disable some of its features if it considers itself a pirated version. Considering the track record of its predecessor (the many cases where XP flagged down legal versions as being pirated), you may just come to the point where that happens. I wish you lots of luck going to court with that...

    And I really mean it - if enough people do that (and manage to actually win the case), maybe MS will reconsider its policy of "stop the pirates, no matter how many legitimate users get caught in the middle".

  48. code paths... by Anonymous Coward · · Score: 0

    once you start taking stuff out you are potentially opening up code paths that have minimal coverage/testing... this is not a recipe for stable or secure software.

    1. Re:code paths... by Jessta · · Score: 1

      once you start taking stuff out you are potentially opening up code paths that have minimal coverage/testing
      Really depends on how the code is structured.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
  49. Re: eComStation and OpenOffice.org by Anpheus · · Score: 1

    Yes. Because if the onus were upon the corporation, could you trust them not to do what is in their favor already?

    The point isn't whether it's ethical for them to say "Oops, we lost your receipt." or not, the point is, there's a reason that every time you purchase something, you are handed a receipt. It's an unwritten rule that the receipt is an agreement between you and the company. The company is explaining to you that you will bear the burden of proof of ownership, because their product is sold in many stores, and privacy agreements often keep them from even acquiring evidence of your ownership via purchase at some other place. Or in the case of buying goods or services directly, the company is establishing an agreement on the goods or services exchanged. It allows them to defend themselves if you accuse them of unfairly charging, and it allows you to defend yourself in the same situation.

    Nevertheless, if you dare imagine a world in which the onus is entirely upon the corporation and that the consumer never saw a receipt... oh, that's a scary world indeed. -- Upon finding one's bank statements, one might exclaim, "What the hell is this $5000 charge for blinker fluid?"

  50. Receipts by Dobeln · · Score: 1

    "So your solution is that we keep receipts of every single thing we purchase because the burden is upon us, the consumers, to prove that everything we have purchased is legal?"

    No - just for the expensive stuff. I certainly do - I don't expect them to repair my LCD TV out of the goodness of their hearts if it breaks, etc. Validation failure in Vista seems even less likely than my TV giving up.

    I should add I presently run XP Corp PE (Pirate Edition). Works like a charm, but I won't pretend to get all morally indignant if MS found some way of shutting me down.

  51. The Irony by Tom · · Score: 4, Funny
    Hi Bill. Didn't you just brag about windos security?

    I dare anybody to do that once a month on the Windows machine. February: check
    --
    Assorted stuff I do sometimes: Lemuria.org
  52. Timing a little odd by Anonymous Coward · · Score: 0

    1. Users seem unwilling to upgrade office
    2. Publish previously "unknown" exploits for old office programs
    3. ?????
    4. Profit!

  53. Any numbers on proliferation? by DickieRay · · Score: 1

    It's Day 5 and I can't find anything referencing how much of this is getting around on http://www.virus-radar.com/. Sure, it's not the most important characteristic, but anyone seen it?

  54. Re:Gates and Microsoft deserve all the scorn by Bert64 · · Score: 1

    What you have to consider when looking at charitable donations is:

    How much is actual cash, and how much is given away as products (remember microsoft's products cost them virtually nothing to reproduce).

    What kick-back do they get in the form of tax breaks? (when donating products, assuming the tax break is based on the retail cost, they can still make huge profits purely from that because the reproduction cost is so minimal).

    How much is the PR worth? Donating to charity is simply a form of marketing, how cost effective is it compared to other forms of marketing?

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  55. Re:I propose a Fix it or Fuck it week for MS code by gelfling · · Score: 1

    I work for a large company that probably spends several tens of millions of dollars a year over and above the green dollar cost for the licenses just downloading and installing patches and fixes for an endless series of 'maybe' threats in Windows. The problem is that with all of these fixes you can't really know which are real and which are theoretical and which can be ignored and which can be mitigated some other way. We just mooooove! along like cattle installing one patch after another wasting time and money. But what if people, say end users just said "screw it Redmond" What if we made THEM the bad guys and showed them and everyone else the results of us not doing THEIR jobs for them? How screwed up would the net become? How much would just stop running? And then we could go back to Redmond and point this out, saying "Hey this is what happens when we get sick of putting up with your crap. Now feel free to fix this or let it all crash in flames. Your choice, but in either case if you want the customers you've been screwing for 27 years to continue to work for you for free - well that's not going to happen. Sorry."

  56. Re: eComStation and OpenOffice.org by profplump · · Score: 1

    Couldn't the onus be on the accuser to say, I don't know, prove their accusation? Something like innocent until proven guilty? I know it's a novel concept but we could, in fact, just assume that people are acting within the law until they demonstrate otherwise. Yes, people could use that assumption to do bad things, but it also lets people who aren't doing bad things get on with their lives without interference.

    The company is explaining to you that you will bear the burden of proof of ownership

    That's patently ridiculous. They aren't explaining anything, nor are you entering any sort of agreement with them, written or otherwise, they're just documenting the transaction. I don't need the receipt to prove ownership, and depending on the specificity and verifiable authenticity of the receipt, it may not even be very useful to that effect.

    Take for example a receipt that says "Jan 14: Company A: Services Rendered: $98.00: Cash Tendered: $98.00". Being in possession of such a document is not proof of any of the following: 1) That any services were rendered, 2) that you received any services if they were rendered, 3) that you paid $98.00. There's some evidence that there was an agreement to render services and that someone gave Company A $98.00, but there's no evidence of your involvement, or that the services specified were actually rendered. In such a case a work log from Company A that shows that an employee was dispatched to render services is probably much better evidence than the receipt. Likewise your personal accounting statements (self-generated or otherwise) may be more useful in proving that you personally rendered payment.

    In any case, handing me a receipt is not sufficient cause for you to challenge my ownership of anything, nor is my failure to retain that receipt sufficient evidence that I am not the owner.

  57. Hey, user_ecs: Are you an ad-bot troll? by KWTm · · Score: 1

    You have made 11 posts so far, and EVERY SINGLE ONE is an ad for the E-com Station business that sells computers.

    In the past 24 hours, you made FOUR posts, all within TWO HOURS of each other. They were all ALL ads for E-com Station. Other than those four posts, there was nothing else for the past year-and-a-half.

    Prior to that, two years ago you made FIVE posts, all within ONE HOUR of each other. They ALL advertised E-com Station.

    There were two posts prior to that. Guess what they ALL advertised?

    No, it's not illegal. No, I'm not going to sue you. But you'll pardon me if I take your posts with a heavy dose of sodium chloride.

    --
    404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
    [GPG key in journal]
  58. .xls by june_c21 · · Score: 1

    This topic is not something new for Microsoft. They always come up with new things and there is always a way for people to put something in. I think they need to work hard on security issues. :)