Slashdot Mirror
MS Office Zero-Day Under Attack
paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."
Dear Exploit,
How old are you? How long have you been available in the wild? How long did your brother exist in SP1 before you came along in SP2? Do you have a cousin which works in Win98/SE? How long have corporate managers been using you to spy on their employees?
Signed,
Secret Admirer
the NPG electrode was replaced with carbon blac
How many more exploits will we need to encounter with Microsoft products before people realize that it's just not worth it to use such flawed software?
I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.
Of course, such expenditure could have been prevented in the first place were they using suitable office software. And that doesn't mean OpenOffice.org on Linux. There are many other alternatives, especially when using Mac OS X. Those alternatives can often exceed Microsoft's products in terms of quality, usability, features and security.
MS Office Zero-Day Under Attack
*rereads headline* what?
Push Button, Receive Bacon
to protect myself against 0-day attacks.
The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.
This is further supported by other software they have released that went throught their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.
Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.
After all these years, the same software bugs seem to continually crop up. I guess that no currently available platform is safe but can't we do better? It has been 2 decades of worrying about viruses, worms,trojans, format string errors, buffer overflows, etc. Microsoft was a latecomer to the "make software secure" game but it has been about 5 years now and the song remains the same. So, my question is, who's doing it right and how ?
Pain is merely failure leaving the body
I'll open the XLS file in OpenOffice. I use Linux anyway :) Len
The moral of the story is: If everyone else jumped off a cliff, why yes, we would jump too.
It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.
Crumb's Corollary: Never bring a knife to a bun fight.
Maybe this is related to Bill Gates' recent comments, saying he dares someone to do to Microsoft what has recently happened with OS X and zero-days. Careful what you wish for. http://apple.slashdot.org/article.pl?sid=07/02/02/ 1940232
Vic
I'm shocked that Billy Joel needed a vocoder to perform the national anthem at the superbowl
They're using their grammar skills there.
Lately we've seen memos and emails suggesting just how far MS is willing to go, perhaps in the future we'll see emails or memos describing how malicious software was released into the wild to help people decide to buy the new 2007 applications to go with their new Vista PCs?
Support NYCountryLawyer RIAA vs People
Do we know for sure that Office 2007 is not affected? Without the source code being available to us under an open source license, I don't think we can, as a community, safely say that it is not affected. All we can do is speculate, or blindly trust Microsoft if they say it's not affected.
It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety. you missed the moral, friend. The moral is that we value our ability to conduct business above our individual safety.
I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice
It's only paranoia if your wrong...
who thought of the grunt voice from Warcraft II when they read the headline.
Monstar L
3 things about computers: they're alive, they're self-aware, and they hate your guts.
Again it isn't just Microsoft windows that is the problem.
For Christmas I bought a system from CSS.
http://www.curtissystemssoftware.com/preloads.htm
It came preloaded with a OpenOffice.org. Has quality hardware (unlike a Dell which has the lowest bidder components). Even had ECC memory
Even with out anti-virus software it is immune to all this crap. I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.
Deleted
That's odd - the advisory suggests that Mac Office v.x and 2004 are vulnerable, but that certainly doesn't chime with the mechanism quoted. What's going on here?
... look how pretty Ribbon is!
I was going to suggest a Month Of Office Bugs to the lists, but the only way I can see it working is if we have 8 bugs a day for a year...
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
Yeah, cause we know that pyramid schemes and MLM require each and every recipient to join the game. If only 50 % of the population used Office, but each infected machine sent out two copies (and each was opened), we would have a steady state of fresh infections. Logic like yours might have worked when the primary vector was the actual work documents, or floppy disks. With mass mailings, even a very small fraction could ensure a significant outreach. The question is simply if the explosive phase will be delayed enough to put extra countermeasures into place.
I fail to see why posts talking about vulnerabilities in widely used software is tagged "haha". Is it really so funny?
The zombies that will result from those attacks will send spam even to your tricked out Linux PC. You're laughing at your own expense. Have fun.
If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.
455fe10422ca29c4933f95052b792ab2
Deleted
Too bad. The world forgot plain text in favor of featureware a long time ago.
the NPG electrode was replaced with carbon blac
If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.
ISO 26300 aka Open Document
Just saying it like it are.
eComStation and OpenOffice.org is the cure I use.
eComStation is more stable than windows but a lot easier than Linux
For Christmas I bought a system from CSS.
http://www.curtissystemssoftware.com/preloads.htm
It came preloaded with a OpenOffice.org. Has quality hardware (instead of the Dell's lowest bidder components). Even had ECC memory.
Even with out anti-virus software it is immune to all this crap. I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.
Seems kinda suspicious to me that the only way to avoid this attack it to upgrade to the latest piece of software. This means their Office 2007 sales are low. You'd think they could just release a patch instead of being so money grubbing.
Communism, its a party!
...a day goes by when Office and Windows are not exploited with trivial ease.
we will end no whine before its time
Shouldn't the businesses be more worried about THEIR intellectuual property rather than microsoft's. The words typed and spreadsheets, presentations the employees create is owned by the business. Seems like the tool, microsoft office gets more protection than the work results created.
All documents should be in open file formats.
http://openoffice.org/
It is your PC
Your thoughts expressed in documents, spreadsheets, drawing, etc should be primary. The proprietary document computer file formats should not be used to lock you out of YOUR intellectuual property. Microsoft proprietary document Word/Office (.doc) and Excel (.xls) force you to pay an upgrade ransom to keep using or sharing YOUR intellectual property.
http://lists.ufl.edu/cgi-bin/wa?A2=ind0510&L=ccc&
Subject: Introduction to OpenDocument
Date: Thu, 20 Oct 2005
From: Ken Sallot
Get virus resistant computer preloaded with OpenOffice
http://www.curtissystemssoftware.com/preloads.htm
~~ swish ~~
455fe10422ca29c4933f95052b792ab2
I say we just put up with the problems in Windows.
Windows just needs time to mature.
At the moment Microsoft are undergoing a big shake up.
Everyone has their foibles, and Windows is no different.
No software is perfect.
Microsoft are really trying to turn things around.
Wow. People are still using OS/2 and its derivatives? Not only still using it, but switching to it? I haven't heard anything from OS/2 zealots in a long time.
Every time you post an article on Slashdot, I kill a server. Think of the servers!
I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.
Hi. I'm a PC user, with an HP laptop, and Office 2007. Not too long ago I had Vista Beta on this thing. And you know what? I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.
Part of me wishes they'd try -- it's amazing how good the upgrade from "punative damages" would be.
We value conf.....listen stinkynuts, standards have nothing to do with conformity, and everything to do with making day-to-day life possible. If you "don't want to conform", fine, feel free. Wear a clown costume to work, cook your breakfast on top of your VCR, make up your own language, and fuel your car with lemonade. Me, I can maintain my individuality while still following common-sense standards.
VERY few image formats are allowed by the specification to contain arbitrary code...
(The other times you hear it happening, someone has managed to find a buffer overrun, the executable bit isn't part of the image format itself.)
Especially after that interview with Bill Gates in Newsweek. It's not that people don't feel for Microsoft's victims. It's just that when you make the claims Gates did you have to be able to back them up. Time and time again Microsoft has shown that they can't.
Could you tell those CSS folks that Geocities called and they want their website back? Thanks.
All I got was a boring multi-tabbed document with some financial info. I thought someone just sent it to me by mistake.
OpenOffice just opened it, no harm done.
For Christmas I bought a system from CSS.
Did you get an employee discount?
Don't become a regular here -- you will become retarded.
It has everything to do with conformity. I have no problem with the importance of being able to 'share documents with your business partners'. That's reasonable and universally appealing. I do find it unfortunate, though, that people continue to do it in a way that is neither secure, sustainable nor cost-effective, and then refuse to make any effort whatsoever to mitigate the problems inherent in the system they've created, because 'everyone does it this way'.
Again, the statement isn't against standards, it's about an innate shortcoming in our societal make-up, one which I am prepared to accommodate, even if I don't think it makes sense. So I'm not arguing against your reality; I'm actually saying there's no point in arguing against it.
I have no idea where this came from, but I can assure you that one thing I have never been is a victim. 8^)
HTH HAND
Crumb's Corollary: Never bring a knife to a bun fight.
Precisely. And that's why I didn't say a word about standards.
If, however, you accept that the de facto 'let's use this format because everyone else does' way of working constitutes a sufficiently complete definition of 'standard', and if you are going to claim that the risks, in terms of security, cost and flexibility, cannot be mitigated by mere virtue of the inertial force of this standard, then I can't come to any other conclusion than that you value conformity over your own (or in this case your company's) security.
There are processes in place to determine and enforce workable standards in computing. Virtually none of those mechanisms is being used in the area of office documents.
And lastly, stop sniffing my nuts.... 8^)
Crumb's Corollary: Never bring a knife to a bun fight.
It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.
Although you're exaggerating a little for effect you're right. However, conformity is essential for the coherence of societies and not necessarily 'unfortunate' all of the time. That point is well established in socio-biology. If you took away the very strong drives for conformity society would quickly collapse. Knowing this though, we have to be on guard for symptoms of group-think that are detrimental such as the virtual monopoly called 'Windows'. Actually, slashdot is full of groupthink itself which often annoys me.
spoonerize "magic trackpad"
Bill Gates is a great man, he is giving all his money away to charity.
Without Microsoft computers would be much harder to use and more expensive.
Etc.
I wasn't so much trying to be funny as regurgitating some of the sugar-coated bullshit I've been spoon-fed by the media over the past couple of years leading up to the release of Vista.
My honest opinion from what I've seen of Bill Gates is that he seems very insincere most of the time, like he is trying to hide deep seated insecurities behind a veneer of smugness. I suspect he is really fixated on how people perceive him.
Continuing in the amateur psychology vein, I think that his deep seated insecurities shaped Microsoft and guided it's behavior.
Would a company that was proud of it's creations feel that they had to constantly intimidate hardware partners in order to ensure they keep using that software, or specifically adjust their software to make it incompatible with competing software?
Personally I think those are the actions of a company that believes that their customers, given a choice, would rather migrate away.
Christ. Let me guess - you still own a betamax machine, right?
These decisions are more difficult that simply looking at competing products and seeing which one is "superior". If you can't understand that there are literally dozens of factors which play into these decisions then I don't know what else I can say to you. As a quick overview: businesses need to consider long term support costs, compatibility with other users, and re-training costs for their employees. Those would be the minimal considerations for a business thinking of moving to a new product, and for 99% of them switching away from MS Office is not worthwhile. It's the same reason most businesses won't switch to linux - it's simply not viable for most companies.
Common-sense standards. ...of which MS is part of? What do you mean with "common-sense" standards? The non-open pseudo standards that have been pushed down our throat, just because mister Monopoly says so? I do have a problem with "standardizing" on the complete mess that MS Windows and MS Office actually is. There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats.
There are two rules for success:
1. Never tell everything you know.
Comment removed based on user account deletion
I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.
So your solution is that we keep receipts of every single thing we purchase because the burden is upon us, the consumers, to prove that everything we have purchased is legal?
Gee, that sounds like a wonderful solution. "Why are you so worried about the government mandating cameras in your house? Surely, if you're not a criminal, you have nothing to hide!"
And I really mean it - if enough people do that (and manage to actually win the case), maybe MS will reconsider its policy of "stop the pirates, no matter how many legitimate users get caught in the middle".
Yes. Because if the onus were upon the corporation, could you trust them not to do what is in their favor already?
The point isn't whether it's ethical for them to say "Oops, we lost your receipt." or not, the point is, there's a reason that every time you purchase something, you are handed a receipt. It's an unwritten rule that the receipt is an agreement between you and the company. The company is explaining to you that you will bare the burden of proof of ownership, because their product is sold in many stores, and privacy agreements often keep them from even acquiring evidence of your ownership via purchase at some other place. Or in the case of buying goods or services directly, the company is establishing an agreement on the goods or services exchanged. It allows them to defend themselves if you accuse them of unfairly charging, and it allows you to defend yourself in the same situation.
Nevertheless, if you dare imagine a world in which the onus is entirely upon the corporation and that the consumer never saw a receipt... oh, that's a scary world indeed. -- Upon finding one's bank statements, one might exclaim, "What the hell is this $5000 charge for blinker fluid?"
"So your solution is that we keep receipts of every single thing we purchase because the burden is upon us, the consumers, to prove that everything we have purchased is legal?"
No - just for the expensive stuff. I certainly do - I don't expect them to repair my LCD TV out of the goodness of their hearts if it breaks, etc. Validation failure in Vista seems even less likely than my TV giving up.
I should add I presently run XP Corp PE (Pirate Edition). Works like a charm, but I won't pretend to get all morally indignated if MS found some way of shutting me down.
In what way is betamax more inherently safe? Is there anything about its design that is inherently more secure? Can a VHS tape virus even ever "own" your system? Please try to understand the issue. The rant at hand isn't against standards, it is against de facto standards that are insecure. Everyone drives a car. No on uses horses. This doesn't mean that saying a Corvair blows up and is dangerous means we want to go back to horses. It means we want the companies who make unsafe products to get their act together.
Actually such matters as what document formats to use should be negotiated.
Why isn't this AC modded up? He's absolutely right!
Assorted stuff I do sometimes: Lemuria.org
Ah. So this is really just another "Microsoft is unsafe" rant. Well. That's been done to death, all the dumb claims have been answered, and people still continue spreading the myths. Whatever. I'm not getting into a pointless religious argument with an Open-Source zealot.
being vague is almost as cool as doing that other thing...
Excuse me sir, but did you read the summary at the top of this page? I don't mean RTFA, just the summary.
That's been done to death, all the dumb claims have been answered, and people still continue spreading the myths.
If by 'people' who are spreading 'myths', you meant Microsoft officially warning their customers about 'risks', then I guess you're right.
Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
It's Day 5 and I can't find anything referencing how much of this is getting around on http://www.virus-radar.com/. Sure, it's not the most important characteristic, but anyone seen it?
What you have to consider when looking at charitable donations is:
How much is actual cash, and how much is given away as products (remember microsoft's products cost them virtually nothing to reproduce).
What kick-back do they get in the form of tax breaks? (when donating products, assuming the tax break is based on the retail cost, they can still make huge profits purely from that because the reproduction cost is so minimal).
How much is the PR worth? Donating to charity is simply a form of marketing, how cost effective is it compared to other forms of marketing?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats. ?? What? please cite examples. The only time I ever saw a newer version have issues opening a old files was when lots (and I mean lots) of custom coding was done in that old file. This was with excel (the spreadsheet program that is way to big for it's own good). I have never seen a newer version of word, or pp screw up. I uninstall access whenever I see it. That dam thing is just wrong.
I work for a large company that probably spends several tens of millions of dollars a year over and above the green dollar cost for the licenses just downloading and installing patches and fixes for an endless series of 'maybe' threats in Windows. The problem is that with all of these fixes you can't really know which are real and which are theoretical and which can be ignored and which can be mitigated some other way. We just mooooove! along like cattle installing one patch after another wasting time and money. But what if people, say end users just said "screw it Redmond" What if we made THEM the bad guys and showed them and everyone else the results of us not doing THEIR jobs for them? How screwed up would the net become? How much would just stop running? And then we could go back to Redmond and point this out, saying "Hey this is what happens when we get sick of putting up with your crap. Now feel free to fix this or let it all crash in flames. Your choice, but in either case if you want the customers you've been screwing for 27 years to contine to work for you for free - well that's not going to happen. Sorry.
Couldn't the onus be on the accuser to say, I don't know, prove that their accusation? Something like innocent until proven guilty? I know it's novel concept but we could, in fact, just assume that people are acting within the law until they demonstrate otherwise. Yes, people could use that assumption to do bad things, but it also lets people who aren't doing bad things get on with their lives without inteference.
The company is explaining to you that you will bare the burden of proof of ownership
That's pattently ridiculous. They aren't explaining anything, nor are you entering any sort of agreement with them, written or otherwise, they're just documenting the transaction. I don't need the receipt to prove ownership, and depending on the specificity and verifiable authenticity of the receipt, it may not even be very useful to that effect.
Take for example a reciept that says "Jan 14: Company A: Services Rendered: $98.00: Cash Tendered: $98.00". Being in possetion of such a document is not proof of any of the following: 1) That any services were rendered, 2) that you recieved any services if they were rendered, 3) that you paid $98.00. There's some evidence that there was an agreement to render services and that someone gave Company A $98.00, but there's no evidence of your involvement, or that the services specified were actually rendered. In such a case a work log from Company A that shows an that an employee was dispatched to render services is probably much better evidence than the receipt. Likewise your personally accounting statements (self-generated or otherwise) may be more useful in proving that you personally rendered payment.
In any case, handing me a reciept is not sufficient cause for you to challenge my ownership of anything, nor is my failure to retain that receipt sufficient evidence that I am not the owner.
You have made 11 posts so far, and EVERY SINGLE ONE is an ad for the E-com Station business that sells computers.
In the past 24 hours, you made FOUR posts, all within TWO HOURS of each other. They were all ALL ads for E-com Station. Other than those four posts, there was nothing else for the past year-and-a-half.
Prior to that, two years ago you made FIVE posts, all within ONE HOUR of each other. They ALL advertised E-com Station.
There were two posts prior to that. Guess what they ALL advertised?
No, it's not illegal. No, I'm not going to sue you. But you'll pardon me if I take your posts with a heavy dose of sodium chloride.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
I would argue that 'groupthink' is not at all a helpful term, as it indulges in the very thing it objects to.
But without it, I would have a hard time describing the individual(s) who modded me 'over-rated' in retaliation for having an unpopular point of view. 8^/
Crumb's Corollary: Never bring a knife to a bun fight.
happens all the time here. It can be crushingly narrow minded IMHO
spoonerize "magic trackpad"
this topic is not something new for microsoft. they always come up with new things and there always way for people to put something in. I think they need to work hard on security issue. :)
There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats. ?? What? please cite examples. The only time I ever saw a newer version have issues opening a old files was when lots (and I mean lots) of custom coding was done in that old file. This was with excel (the spreadsheet program that is way to big for it's own good). I have never seen a newer version of word, or pp screw up. I uninstall access whenever I see it. That dam thing is just wrong.
I see it all the time with normal documents with minimal formatting like paragraphs and bolds and such. But the most common problmes come with documents with simple tables and bulleted lists. Opening files saved in older formats, like Word 6.0 (which used to be pretty universally acceptable) on a newer version of word has been broken Word 97 at the very least. Saving as that format in another version of Word on another platform (like the Mac vs Windows) or using StarOffice, ( or I believe even with the same version on the same platform ) will result in bullets missing or wrong or out of place, differences in whether the gridlines are visible and printed on the tables, etc, etc. This is quite apart from the fact that opening a document with a new version of Word converts that document by default and when you go to save it it saves as the new version by default, thus locking your document into the previous version.
There's also the fact that saving a document in any office program as any other format than the native one results in a file that does not look like what you just saved, which means you'd better double check by opening the new file before you move forward. (To be fair this is an annoyance that the GIMP shares as well).
There is no guarantee that the document you save will look the same from one computer to another even with the same version of Office. Default printer settings used to be a major factor in this, but nowadays things like font availability and other considerations are more likely to affect your document. Even Microsoft was quoted as recommending PDF for documents that must look the same from one system to another. Word just wasn't meant for that (despite the fact it was originally touted as a WYSIWYG editor). And now you can print Word docs to PDF anyhow on the Mac natively and on the PC thanks to open source efforts based on ps2pdf, primopdf being one of many.
Still, I never did see the justification in features like bulleting, tables, and simple paragraph formatting which have been around since the beginning of Word should be so different from one Word format to the next that the style of bullets and other such features cannot remain uniform through filter transformations. It just defies logic unless you realize that most changes to MSOFFICE formatting come from a need for planned obsolescence. After all, consider formats like TeX, html, PostScript, etc, which have been around as long as Word or longer, and have many of the complexities of Word formats, have had changes over the years just like Word, but have not required the removal or appreciable change of past functionality and have remained basically 100% backwards compatible over the years. That is because they were well designed and designed with extensibility in mind, two things clearly missing from Microsoft's plan.
"I'm on OS X and if a client or contractor sends me"
Most businesses can not afford or would not like to treat their a client like that. They are your client because you work for them. Unless your business is "IT general awareness" or "Subtle OS agenda pushing", you are not providing them a very good service. Maybe you are from the bizzaro world where the customers and clients do not come first or your clients have no choice to come your way because of prior arrangements and/or you are part of a much larger group that does not have the same feelings as you.
Funny, that seems to be the world where Microsoft lives, which is what leads us to this problem in the first place. :D
once you start taking stuff out you are potentially opening up code paths that have minimal coverage/testing
Really depends on how the code is structured.
...and that is all I have to say about that.
http://jessta.id.au