MS Office Zero-Day Under Attack
paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."
The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.
This is further supported by other software they have released that went through their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.
Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.
It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety. You missed the moral, friend. The moral is that we value our ability to conduct business above our individual safety.
If you follow that logic, anything not open source is open to that vulnerability, Microsoft or not...
However, if you actually try the code which does impact Office 2003 and earlier editions, it does NOT work. Makes me glad I got my free copy of Office 2007.
MS wrote loads of stuff with C++, and the C strings library especially is total crap. Also, with C++, it is fundamentally impossible to know when it is safe to destroy an object and free its memory. MS is therefore suffering from a bad choice of compiler and coding methods years ago. Their problems won't go away anytime soon.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
You obviously aren't paying attention.
There have been many security flaws reported for OpenOffice.
The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.
One of the great advantages of Gentoo (and other source-based package management) is that you can leave out functionality in a program that you're not going to use. This means less code that can be exploited.
...and that is all I have to say about that.
http://jessta.id.au
Serious question: "How many Gentoo users actually DO hand pick the features they compile?" My guess is that:
1. It might be hard to know what you can safely leave out of a compile and not break anything
2. It's difficult to foresee every function you are going to want in a program at compile-time, even if you're familiar with it
3. There are so many programs on a typical Linux box that to hand-choose modules for them all would take ages.
I guess in some environments (like cash register systems) you're doing only one thing and you want many identical machines, so it's possible to trim a bit more. However, for my desktop needs, selecting exactly the features I want wouldn't work for the above 3 reasons.
Expected time to finish is 1 hour and 60 minutes.