Slashdot Mirror
MS Office Zero-Day Under Attack
paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."
Dear Exploit,
How old are you? How long have you been available in the wild? How long did your brother exist in SP1 before you came along in SP2? Do you have a cousin which works in Win98/SE? How long have corporate managers been using you to spy on their employees?
Signed,
Secret Admirer
the NPG electrode was replaced with carbon blac
MS Office Zero-Day Under Attack
*rereads headline* what?
Push Button, Receive Bacon
to protect myself against 0-day attacks.
The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.
This is further supported by other software they have released that went throught their "secure development lifecycle" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.
Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.
Lately we've seen memos and emails suggesting just how far MS is willing to go, perhaps in the future we'll see emails or memos describing how malicious software was released into the wild to help people decide to buy the new 2007 applications to go with their new Vista PCs?
Support NYCountryLawyer RIAA vs People
It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety. you missed the moral, friend. The moral is that we value our ability to conduct business above our individual safety.
I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice
It's only paranoia if your wrong...
> So, my question is, who's doing it right and how ?
Code has become so enormous that the answer is, more than likely, nobody.
I'm still puzzled. Spreadsheet programs, word processors, database programs, etc. etc. etc. all fit on one, maybe two, floppy disks at one time. If anyone wonders how to write secure code the largest starting point is: cut out the advertising glitz and cruft.
But then the rest of the population would happily go back to sticky notes, $2.99 calculators, pencils, the telephone, US Mail, and the kitchen table (for solitaire) and that wouldn't be profitable for the market sector. So, love it or hate it, just view the security industry not as a problem to be solved but as a tiger to be fed and groomed.
the NPG electrode was replaced with carbon blac
I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.
At my place of employment (100% MS shop) they have had too many of these kinds of problems. As a solution, all attachments are filtered and removed. It it was an attachment we were expecting, then we could apply to recieve the attachment unless it is an executable. To send an executable file (including MS documents) we are advised to send them as encrypted zip files.
I don't expect this exploit of the week to be much of an issue for us Monday morning except for a couple road warriers who may have gotten it from home.
The truth shall set you free!
Deleted
Yeah, cause we know that pyramid schemes and MLM require each and every recipient to join the game. If only 50 % of the population used Office, but each infected machine sent out two copies (and each was opened), we would have a steady state of fresh infections. Logic like yours might have worked when the primary vector was the actual work documents, or floppy disks. With mass mailings, even a very small fraction could ensure a significant outreach. The question is simply if the explosive phase will be delayed enough to put extra countermeasures into place.
If you follow that logic, anything not open source is open to that vulnerability, Microsoft or not...
However, if you actually try the code which does impact Office 2003 and earlier additions, it does NOT work. Makes me glad I got my free copy of Office 2007.
I fail to see why posts talking about vulnerabilities in widely used software is tagged "haha". Is it really so funny?
The zombies that will result from those attacks will send spam even to your tricked out Linux PC. You're laughing at your own expense. Have fun.
If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.
455fe10422ca29c4933f95052b792ab2
MS wrote loads of stuff with C++ and the C stings library especially, is total crap. Also, with C++, it is fundamentally impossible to know when it is safe to destroy an object and free its memory. MS is therefore suffering from a bad choice of compiler and coding methods years ago. Their problems won't go away anytime soon.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
You obviously aren't paying attention.
There have been many security flaws reported for OpenOffice.
The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.
One of the great advantages of gentoo(and other source based package management) is that you can leave out functionality in a program that you're not going to use. This means less code that can be exploited.
...and that is all I have to say about that.
http://jessta.id.au
I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.
Hi. I'm a PC user, with an HP laptop, and Office 2007. Not too long ago I had Vista Beta on this thing. And you know what? I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.
Part of me wishes they'd try -- it's amazing how good the upgrade from "punative damages" would be.
You can also avoid the attack by setting %TEMP% to no execute permissions. Interesting that they don't say that.
Serious question: "How many gentoo users actually DO hand pick the features they compile?" My guess is that:
1 It might be hard to know what you can safely leave out of a compile and not break anything
2 It's difficult to foresee every function you are going to want in a program at compile-time, even if you're familiar with it
3 There are so many programs on a typical Linux box that to hand-choose modules for them all would take ages.
I guess in some environments (like cash register systems) you're doing only one thing and you want many identical machines, so it's possible to trim a bit more. However, for my desktop needs, selecting exactly the features I want wouldn't work for the above 3 reasons.
Expected time to finish is 1 hour and 60 minutes.
For Christmas I bought a system from CSS.
Did you get an employee discount?
Don't become a regular here -- you will become retarded.
Comment removed based on user account deletion
We use a system that is so hosed that we smash every computer with a hammer before it comes in the door.
Great.
Assorted stuff I do sometimes: Lemuria.org