Slashdot Mirror


MS Office Zero-Day Under Attack

paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."

16 of 172 comments

  1. When will people and businesses learn?! by Anonymous Coward · · Score: 2, Insightful

    How many more exploits will we need to encounter with Microsoft products before people realize that it's just not worth it to use such flawed software?

    I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.

    Of course, such expenditure could have been prevented in the first place were they using suitable office software. And that doesn't mean OpenOffice.org on Linux. There are many other alternatives, especially when using Mac OS X. Those alternatives can often exceed Microsoft's products in terms of quality, usability, features and security.

    1. Re:When will people and businesses learn?! by Jessta · · Score: 3, Insightful

      You obviously aren't paying attention.
      There have been many security flaws reported for OpenOffice.

      The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.

      One of the great advantages of Gentoo (and other source-based package management) is that you can leave out functionality in a program that you're not going to use. This means less code that can be exploited.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
    2. Re:When will people and businesses learn?! by LeDopore · · Score: 3, Insightful

      Serious question: "How many Gentoo users actually DO hand-pick the features they compile?" My guess is that:

      1. It might be hard to know what you can safely leave out of a compile and not break anything.
      2. It's difficult to foresee every function you are going to want in a program at compile-time, even if you're familiar with it.
      3. There are so many programs on a typical Linux box that to hand-choose modules for them all would take ages.

      I guess in some environments (like cash register systems) you're doing only one thing and you want many identical machines, so it's possible to trim a bit more. However, for my desktop needs, selecting exactly the features I want wouldn't work for the above 3 reasons.

      --
      Expected time to finish is 1 hour and 60 minutes.
  2. because it's not that easy by Anonymous Coward · · Score: 0, Insightful

    Businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.

    1. Re:because it's not that easy by grcumb · · Score: 2, Insightful

      Businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.

      The moral of the story is: If everyone else jumped off a cliff, why yes, we would jump too.

      It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    2. Re:because it's not that easy by Anonymous Coward · · Score: 3, Insightful

      It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.

      You missed the moral, friend. The moral is that we value our ability to conduct business above our individual safety.

    3. Re:because it's not that easy by Anonymous Coward · · Score: 0, Insightful

      99% of the documents businesses need to share don't need to be edited. In fact it's better if they aren't. That's WHY we have PDFs.

      Now let's repeat for the mentally slow. .doc files are for editing. PDFs are for sharing.

      Got it, good.

  3. Does not affect Office 2007 by ThinkFr33ly · · Score: 4, Insightful

    The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.

    This is further supported by other software they have released that went through their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.

    Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.

  4. Do we know this for sure? by Anonymous Coward · · Score: 1, Insightful

    Do we know for sure that Office 2007 is not affected? Without the source code being available to us under an open source license, I don't think we can, as a community, safely say that it is not affected. All we can do is speculate, or blindly trust Microsoft if they say it's not affected.

    1. Re:Do we know this for sure? by DelawareBoy · · Score: 4, Insightful

      If you follow that logic, anything not open source is open to that vulnerability, Microsoft or not...

      However, if you actually try the code which does impact Office 2003 and earlier editions, it does NOT work. Makes me glad I got my free copy of Office 2007.

  5. Re:It's past time for a better approach by flyingfsck · · Score: 3, Insightful

    MS wrote loads of stuff with C++, and the C strings library especially is total crap. Also, with C++, it is fundamentally impossible to know when it is safe to destroy an object and free its memory. MS is therefore suffering from a bad choice of compiler and coding methods years ago. Their problems won't go away anytime soon.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  6. Re:Gates and Microsoft deserve all the scorn by steeviant · · Score: 2, Insightful

    Bill Gates is a great man, he is giving all his money away to charity.
    Without Microsoft computers would be much harder to use and more expensive.
    Etc.

    I wasn't so much trying to be funny as regurgitating some of the sugar-coated bullshit I've been spoon-fed by the media over the past couple of years leading up to the release of Vista.

    My honest opinion from what I've seen of Bill Gates is that he seems very insincere most of the time, like he is trying to hide deep-seated insecurities behind a veneer of smugness. I suspect he is really fixated on how people perceive him.

    Continuing in the amateur psychology vein, I think that his deep-seated insecurities shaped Microsoft and guided its behavior.

    Would a company that was proud of its creations feel that they had to constantly intimidate hardware partners in order to ensure they keep using that software, or specifically adjust their software to make it incompatible with competing software?

    Personally I think those are the actions of a company that believes that their customers, given a choice, would rather migrate away.

  7. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  8. Re: eComStation and OpenOffice.org by glindsey · · Score: 2, Insightful

    I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.

    So your solution is that we keep receipts of every single thing we purchase because the burden is upon us, the consumers, to prove that everything we have purchased is legal?

    Gee, that sounds like a wonderful solution. "Why are you so worried about the government mandating cameras in your house? Surely, if you're not a criminal, you have nothing to hide!"

  9. Re: eComStation and OpenOffice.org by bogd · · Score: 2, Insightful

    From what I've heard, Vista will disable some of its features if it considers itself a pirated version. Considering the track record of its predecessor (the many cases where XP flagged down legal versions as being pirated), you may just come to the point where that happens. I wish you lots of luck going to court with that...

    And I really mean it - if enough people do that (and manage to actually win the case), maybe MS will reconsider its policy of "stop the pirates, no matter how many legitimate users get caught in the middle".

  10. Re:Falling Sales? by TheThiefMaster · · Score: 2, Insightful

    Unfortunately a lot of installers seem to extract themselves to %temp% and then run one of the extracted files to continue, so this isn't a permanent solution. Unless you're not ever going to install anything, that is.