Adobe Hopes Pop-up Warnings Will Stop Office-Borne Flash Attacks

tsamsoniw writes "In the wake of the most recent zero-day attacks exploiting Flash Player, Adobe claims that it's worked hard to make Player secure — and that most SWF exploits stem from users opening infected Office docs attached to emails. The company has a solution, though: A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat."

Separate the code and the data

[Gothmolly]

This is why your data should not be executable.

Re:Separate the code and the data

[Darinbob]

People want convenience. And convenience is the mortal enemy of security.

Re:Separate the code and the data

[davester666]

WTF is so convenient about having Word being able to display Flash content?

Do a significant/noticeable number of people embed Flash content in their Word documents?

How about Flash just preventing itself from running in non-browsers [and maybe their standalone Flash app]?

Re:Separate the code and the data

And now a public service message from the Rolling Stones.

Re:Separate the code and the data

[rudy_wayne]

WTF is so convenient about having Word being able to display Flash content?

Do a significant/noticeable number of people embed Flash content in their Word documents?

The number of people actually doing this for legitimate reasons is probably very small. The problem is, companies like Microsoft and Adobe must constantly release new versions of their software in order to keep a constant revenue stream. And that means constantly adding new "features" of questionable value.

Re:Separate the code and the data

[nmb3000]

This is why your data should not be executable.

I'm trying to figure out what possible reason to have Flash embeddable inside an Office document someone might have. Maybe you could argue that it's worth being able to embed in a PowerPoint slide, but even that is reaching.

A forthcoming version of Flash Player will detect when it's being launched from Office and will present users with a dialog box with vague warnings of a potential threat.

I think a better solution is to disable Flash entirely* when run from an Office document and instead display a message that says:

"Flash has been disabled. To enable Flash content, contact your system administrator and he will come back there and hit you on the head with a tack hammer 'cause you are a retard ."

* of course with the obligatory registry-key-bypass for corporate users

Re:Separate the code and the data

[hedwards]

And, this is why Adobe should have removed the ability of Flash to expand randomly to trick the user into clicking on something they clearly didn't want to click on in the first place.

Well, not Adobe, that's why Macromedia should have done it and why webmasters shouldn't be doing it.

Re:Separate the code and the data

[thegarbz]

While that may be true for flash specifically, the number of people who embed complex programming scripts into word documents is incredibly large. I've never worked for a company which didn't have some bizarre use for it.

A small Pizza joint used a complicated array of javascript to automate their ledgers which were kept in an excel file rather than an accounting program.
A biscuit factory I worked for actually managed to turn a very large collection of excel files into a rudimentary database with an insanely complicated set of scripts embedded in each file. This surprisingly worked, though you pushed a button and it would open many files in excel at once and the computer ground to a halt while computing the necessary ingredients for the next batch.
Now I work for a large fortune 500 company and every word document is embedded with complicated scripting to automagically update footers and synchronise with a 3rd party document management system.

While I haven't seen flash specifically it is not at fault here security wise, embedding programming languages into content files is, and that is incredibly common.

Re:Separate the code and the data

You can thank John von Neumann for this. Ever since his work on the EDVAC and ENIAC, it has been possible to execute data.

Re:Separate the code and the data

[symbolset]

Why fix on flash? Word can be Pwned by an image, an embedded spreadsheet, a document template, one of a hundred forgotten media formats - or even a font. It's a beautiful gateway to being pwned that requires no user interaction. You don't even have to open a document: it installs pwnable services to facilitate remote management by random strangers.

Re:Separate the code and the data

[symbolset]

Code is data.

Re:Separate the code and the data

[symbolset]

What does it matter? Office may as well be considered a remote access terminal server backend with system privileges for a metasploit frontend remote desktop client. The document preparation features are optional and in most cases redundant.

Re:Separate the code and the data

[Nyder]

People want convenience. And convenience is the mortal enemy of security.

I thought being cheaper was the mortal enemy of convenience.

For example, "convenience" stores are only convenient because they are closer, not because they sell stuff at twice the price of grocery stores.

But then I can see your point, because the convenience store doesn't hire a security guard, while the grocery store usually has 1 or 2.

So yes, I guess your correct.

Re:Separate the code and the data

[DNS-and-BIND]

I've noticed this in reverse: app reviewers on Google Play complain if the app hasn't been updated in a while - even if it is complete and stable. To the modern user, updating frequently doesn't mean "broken-ass program with lazy programmers", it means "normal".

Re:Separate the code and the data

This is unfortunately where remote code execution exploits come into play, it doesn't matter if your data is executable, it matters whenever the code interpretting your data is a buggy piece of crap.

Re:Separate the code and the data

[ewanm89]

Excel technically is an accounting program, spreadsheets were first created to do double entry book keeping.

It's better than most the other uses I've seen for it, like excel based databases.

Re:Separate the code and the data

You have something against Lisp??? :(

Re:Separate the code and the data

[TitusGroan8856]

this is why they're moving to software as a service. they've realised that the feature bloat is not sustainable.

Re:Separate the code and the data

[TitusGroan8856]

just because the software is flexible enough to do the job doesn't make it the right tool for that job. this system can indeed be built in house by those who don't have a full understanding of programming but do have a better insight in to the data that's being manipulated. it's going to be poorly documented and when it breaks or goes wrong very few people are going to be able to fix it for you. Do the job properly from the outset - hire a programmer and have custom software written to your spec. The false economy of using off the shelf products has led to many companies downfall.

Re:Separate the code and the data

And a related question: if I have Flash installed, does this mean that this "Flash in an MS Office document" vector is automatically installed by default? I hadn't even heard of this dubious feature. As you say, why????

Is there a way to completely disable this almost useless feature within MS Office?

Re: Separate the code and the data

Really? Do you have any examples of companies who fell down because of poor use of spreadsheets? I agree with the main point, but haven't seen it tank a company yet.

Re:Separate the code and the data

[cellocgw]

Word can be Pwned by an image, an embedded spreadsheet, a document template...

Exactly. Add to that the fact that any jackass who's learned to click on "Developer" can create a macro. I recall one horrible Word macro provided to our company from a customer (this is in the DoD world, where all sorts of 'mandatory forms' are passed around). The concept was stupid enough: when this document template was opened, an autorun macro created an extra Menu item (back in the heavenly days before the cursed Ribbon) full of special macro-backed commands we had to use to fill the Word doc with hours/dollars estimates. Yep- they stuck math macros in there to do spreadsheet summations. Then when the user was done, quitting Word ran *Another* autorun macro to clean out the extra menu crapola.
Anyone see the craptastic FAIL yet? :-) . If you close this particular document but have other Word docs open, the autorun_on_close macro doesnt' execute. But since the document containing said macro is closed, when you quit Word the extra Menu remains!
Extreme hilarity results. (not really)

Re:Separate the code and the data

[__aaltlg1547]

I could not disagree more. An off-the-shelf program is very often a perfectly adequate tool for the job and has all the features you want. Most small businesses need the same things to do their accounting and only need slight customization within the range of what standard programs can be easily configured to do.

It's easy to find somebody to explain how to use it or set up your custom installation. And your data will all be in a standard format. If later on you decide that LitteWare Accounting doesn't fit your business needs any more, you can usually just import your old data into BigWare Accounting. But you might not have to do that in which case you're way ahead, or LittleWare may offer an upgrade. If you want to switch programs and you can't import your old data, you might have to hire a programmer to figure out how to translate formats, that's a lot less of a task than writing the whole thing from scratch.

Seriously, how many standard programs does a programmer use every day? I only consider writing code when there is not a standard, canned program available even if it costs me money. Because it's MUCH more efficient to use standard tools. I only write my own programs or consider hiring somebody to do it for me if there's no standard tool available (because it's a one-off task that nobody else has seen fit to publish) or the standard tools all have glaring deficiencies.

On top of that, there are trust issues. It's easier to trust that the well-known and widely used software has been checked for serious errors and security deficiencies. Who's going to be checking the hired programmer's work? How do you know it will be done on schedule? What if the schedule is, I HAVE TO HAVE SOMETHING TOMORROW?

Re:Separate the code and the data

+100. Any Office program, any browser, anything else with embeddable content: the developer should default programmed content OFF until the user manually turns it on.

How many badwares have to be passed in PDF before the default is "just display the content- do not run the code inside the PDF? I never have a use case where I want to script a PDF but it's the default! I know there is a rabid group that does scripting- no problem- but why put 99% of web users who want to download a manual at risk?

Re:Separate the code and the data

[Joce640k]

+100. Any Office program, any browser, anything else with embeddable content: the developer should default programmed content OFF until the user manually turns it on.

Which they will (all the virus has to do is promise them Britney Bewbs or whatever...)

Clever move

[physlord]

Yeah!. Since the average user totally understands the situation, that "vague warnings of a potential threat" will, obviously, solve the problem. Pure genius.

Re:Clever move

[PNutts]

The "vague" warning on Office 2008 or earlier is below. The default is do not allow content to play. It's inline with other generic warnings so let's try to keep the FUD to a minimum.

Also, Office 2010 has a Protected Mode sandbox. If it's from the Internet or Untrusted Zone the Protected View feature prevents it from running by default.

"This document contains embedded content that may be harmful to your computer.
Choose from one of the following options:
- Do not allow content to play (Recommended).
- I recognize this content. Allow it to play."

Re:Clever move

[the_Bionic_lemming]

Which gets blindly clicked thru since they see that pop up dozens of times a day.

I am a fan of microsoft up until after win xp, but UAC and the effing annoyance it causes with legit apps was definitely not the way to go to improve security.

Re:Clever move

upto win XP?

Those warnings are in office 2000 if not 97 fucktard

Re:Clever move

[symbolset]

It's from my boss. It must be OK. Even if it isn't, I don't dare not read it.

Re:Clever move

[someones]

no. win 2000 did not have them.
And it does have nothing to do with the office package but with the system.

Re:Clever move

[10101001+10101001]

Of course it solves the problem...for Adobe. Just like ActiveX warnings solved the problem for MS or UAC solved the problem for MS. Instead of fundamentally fixing a broken system by removing or mitigating all the attack issues, the onus is put on the user to make the correct choice up front by giving very vague information on just precisely might happen without any possibility to mitigate or revert what actually happens. Hence not even a genius could make the correct choice because there's often too little information on what it means to allow something to proceed and to little ability to stop bad things from happening once you allow a harmless looking program (Internet Explorer or "Internet Explorer" want to do system wide changes!) to start.

It's one to say that a user deserves a system format if they ignorantly type in their password for "rm -rf /". It's quite another when "MS Word wants to run a flash object in a low-security context" results in a system format because flash and Windows are flawed. But, *shrug*. Keep CYOA Adobe.

Just remove Flash from office machines

There's absolutely no reason to have Flash installed on machines in an office. Remove it and give the users regular accounts so it can't be re-installed, and you'll be fine.

Re:Just remove Flash from office machines

[hawguy]

There's absolutely no reason to have Flash installed on machines in an office. Remove it and give the users regular accounts so it can't be re-installed, and you'll be fine.

Except of course, for the web-based trainings that employees have to take that rely on Flash.

Re:Just remove Flash from office machines

[spcebar]

There's absolutely no reason to have Flash installed on machines in an office.

Slow down there, that's not really fair. Considering that not all offices in the world perform the same work, generalizing that Flash is of no use in any office is sort of counter productive. Flash may be losing its ubiquity, but I can still think of a number of practical uses that aren't cat videos and games.

Re:Just remove Flash from office machines

[fermion]

This is why *nix should really be installed on production machines.It can be customized, locked down, and secured in a way that MS WIndows cannot. Years ago, before Apple integrated all the entertainment stuff into the OS, I often argued that APple products were the preferable machine for production work. MS simply included too many toys that were ultimately security risks.

Of couse the expectation quickly became that a 'modern; OS was primarily used as a toy, i.e. Mac OS was inferior to MS windows because it did not have a solid game base.

Re:Just remove Flash from office machines

Slow down there, that's not really fair. Considering that not all offices in the world perform the same work, generalizing that Flash is of no use in any office is sort of counter productive. Flash may be losing its ubiquity, but I can still think of a number of practical uses that aren't cat videos and games.

Genuinely interested... what would you use Flash for in an office? Not counting people who develop Flash games for work, since they ought to be clueful enough not to get pwned.

Re:Just remove Flash from office machines

[chronokitsune3233]

As a child, I loved the Math Blaster series of games, and I played them on various versions of Mac OS (Classic). These people who wanted "games" had no idea what value was! Plus if they wanted those sorts of games, there were consoles that looked and performed considerably better!

Re:Just remove Flash from office machines

You truly are ignorant. Consider never putting forth your ideas again. They only degrade whatever discussion is occurring.

Re:Just remove Flash from office machines

[ColdWetDog]

Genuinely interested... what would you use Flash for in an office? Not counting people who develop Flash games for work, since they ought to be clueful enough not to get pwned.

At least in the medical field, every damned 'training' company, every manufacturer, every news site uses Flash. And uses it poorly. But it's not going away any time soon.

Re:Just remove Flash from office machines

[sunderland56]

Except of course, for the web-based trainings that employees have to take that rely on Flash.

Web-based training is a virus. It both decreases productivity and makes users unhappy.

Re:Just remove Flash from office machines

[hawguy]

Except of course, for the web-based trainings that employees have to take that rely on Flash.

Web-based training is a virus. It both decreases productivity and makes users unhappy.

No arguments here, but tell that to the state of California that requires 2 hours of sexual harassment training for all workers that supervise other employees. The training itself decreases productivity and makes users unhappy, making it web based doesn't make it moreso. A least I can browse the web while clicking through the tedious training with "quizes" with answers that anyone with a modicum of common sense can answer.

Re:Just remove Flash from office machines

[sumdumass]

I said that once, then got a stern talking to when one of the partners couldn't watch a video of a dog walking on it's front legs peeing on everything.

You are right, but how do you convince those in charge of it?

I had another place that made their company website so it would only work correctly on internet explorer. The web designer said it come stock on 98% of all computers so it was enough. I solved that issue by telling the CFO to try to surf it on his Iphone and then asked why they would have features for customers who couldn't use whatever device they wanted to and whether or not they are losing any business because of it.

Some issues aren't solved that easily though.

Re:Just remove Flash from office machines

[symbolset]

I knew the author of Math Blaster. He was a teacher at my high school. I alpha tested pre-release versions for him on the Apple ][. I hope he got the full benefit of his work - he was a great guy. Mr. Smith I believe (yeah, I know. "Smith. Yeah, right.")

Re:Just remove Flash from office machines

You need special training for sexual harassment? Now I just wing it, but with training, I'll get to be a professional harasser.

Re:Just remove Flash from office machines

[stewbacca]

Nearly every rapid e-learning authoring tool creates Flash output. It's easy for people who develop training but have no experience in developing multimedia. It can be created by a novice with PowerPoint skills then tweaked by someone skilled in javascript or actionscript.

Mind you, the entire industry is not "in bed" with Flash...they are using the tool that works for them and are mostly oblivious to the technology in the background. All they know is they can make their training in Captivate, Articulate, whatever by scripting a scenario then recording their mouse movements, then they can add a few user-interactions (requiring the user to click in the right spot or whatever) and then they have an interaction that is assured to work on more configurations of PCs than not. Of course, mobile is taking over, computers are using Flash less-and-less, but I don't expect people in my industry to be techy enough to stay ahead of the curve, which is why I have a staff of javascript and design professionals and make everything from scratch and leave those rapid e-learning suites for the amateurs.

Re:Just remove Flash from office machines

[glassware]

The Davidsons did very well indeed. They used their profits from Math Blaster to buy a little videogame company called Silicon & Synapse.

Re:Just remove Flash from office machines

[symbolset]

Ah, Davidson. That's right. It was long ago.

Re:Just remove Flash from office machines

[colinrichardday]

But at least he wasn't Granny Smith.

Tango Waltz Whatever

This is also why i cant believe that Microsoft made jpg and gif files hold executable code themselves. What use case does a picture need to be executable. Anyway data executable has been Microsoft default behaviour since they made software so this is unsurprising. Thats why they are so very often compromised and have the worst ever industry record for compromised software and why i still cant believe anyone still uses their pile of crap.

Re:Tango Waltz Whatever

[hedwards]

It's a moot point because MS decided to hide the file extension from the user and let the file contain the icon for the file.

Re:Tango Waltz Whatever

[symbolset]

It's worse than that. NTFS includes for EVERY file a potentially executable hidden resource fork that can't even be seen without special tools.

what a great idea for a virus

[decora]

Warning: Adobe has detected this file may be infected. Click here to report this to Corporate IT security and secure your workstation.

Re:what a great idea for a virus

[__aaltlg1547]

Warning: Adobe has detected this file may be infected. Click here to report this to Corporate IT security and secure your workstation.

Does it uninstall Flash, then?

aaand it won't help much

[v1]

"So what's wrong with it?"

"You have the latest flash virus. Have you opened any Word documents lately?"

"Of course! I use Word all day."

(scans hdd, finds the one in email that started it)

"Did you open this?"

"Of course I did. It's the weekly report."

"Didn't it WARN you there may be a virus?"

"Yes it opened up a box I hadn't seen before. But I needed to see the report, so I clicked the Open Anyway button."

"Didn't you get the memo last week about not clicking Open Anyway?"

"Of course I read the memo. But I need to read that report. I had to open it."

aaaand this is why this doesn't work anywhere near as well as Adobe says it will. No matter how many times you tell them to call you and NOT open it anyway, they still will. And you'll be at her desk again. Maybe later today even. Because she opened it anyway, because she "had to". (speaking from experience here)

The only reasonably effective way to implement this is with a policy that is system-wide, that allows administrators to disable the Open Anyway button for the users that can't be trusted with it. (which will be most of them)

Re:aaand it won't help much

[Darinbob]

People sometimes don't realize that people they know may be sending malware (not on purpose), or that someone may be pretending to be people they know. Just because the email is from the head of your church committee doesn't mean it's safe to open the "look at these kitties!" file.

Some people also just click yes to everything. I was helping my mother figure out some new problem on Firefox, which involves telling her the names of a particular menu to choose and the like. And I couldn't figure out why she wasn't find the menus or buttons I was talking about. Then I realized she had updated her Firefox whenever it popped up and said "hey, please update me!", and now she had a UI she was unfamiliar with. This also means she occasionally ends up with google bars or yahoo bars or something else stupid that I have to uninstall every time I visit.

It's not just mothers that do this, I see professionals in the office doing the same thing.

Re:aaand it won't help much

that is system-wide, that allows administrators to disable the Open Anyway button for the users that can't be trusted with it. (which will be most of them)

Sure. Activate this. 10seconds to the first call of a user "ordering" you to reactivate it, because he/she need's it, 30seconds until your boss get's a call from him/her cause you refused it, 60seconds 'til the department head get's a call from his/her boss, ordering your boss to order you to reenable it.

Re:aaand it won't help much

[v1]

Sometimes you get people who only care about getting their job done. I had to deal with a couple that flat out told me they didn't care if it had a virus in it or not, they needed to open it, and come hell or high water, they were going to open it. Sort of a "reports are my job, dealing with viruses is your job" kind of attitude.

And then the virus traffic detection tags the machine and tells the switch to turn off her port and we get lots of waaaaah.

Re:aaand it won't help much

And that's the rational user subspecies. Most average drones will click any button they're presented. CONFIRM GLOBAL NUCLEAR WAR button gets instantly clicked. Too many deadly proprietary EULAS and spam popups have been too much for their poor brains...

Even when users are presented an error message, most of them cannot tell you what the message said after 10 seconds in their passionate plea for help. Makes life hard, for everybody.

It would kinda help if people read what the computer is trying to tell you but no. Won't do jack shit is my bet.

Re:aaand it won't help much

She /did/ have to. You ended up at her desk (again), but not her manager. She only knows something is really wrong to do if her manager shows up. And not opening the report /would/ bring her manager.

She's not wrong. She's doing as trained to do.

Causing you more work isn't her problem. And within the logic that bears down on her job, if you were any good at what you do, there wouldn't be a security problem that makes you come to her desk to clean up. Don't you do a 'firewall' or thingy that protects them?

Yup, facepalm. But it's working logically. She's not the problem. Your authority level is the company in the problem.

Re:aaand it won't help much

[rudy_wayne]

that is system-wide, that allows administrators to disable the Open Anyway button for the users that can't be trusted with it. (which will be most of them)

Sure. Activate this.
10 seconds to the first call of a user "ordering" you to reactivate it, because he/she need's it,
30 seconds until your boss get's a call from him/her cause you refused it,
60 seconds 'til the department head get's a call from his/her boss, ordering your boss to order you to reenable it.

You're exactly right, and that's because of the real problem: Word cannot tell if something in a document is malicious or not, so it will display the warning message for all content of that particular type, even if it is perfectly legitimate. And so you are left with an all or nothing choice --

(1) Let people open the documents and take your chances
or
(2) Don't allow users to open ANY document which contains that particular type of content (are you ABSOLUTELY SURE that NOBODY in your company is producing documents with embedded Flash content?)

If you choose number 2 you are guaranteed to experience the scenario described above which will inevitably lead to you right back to number 1.

Re:aaand it won't help much

[DarwinSurvivor]

Which is why these applications need administrator-level permissions that let you prevent those warning and instead show an error message (without an "ok" button).

Better yet, corporations could wake up and start demanding their software and infrastructure stop requiring the use of flash player to access their services.

Re:aaand it won't help much

[rabtech]

Here's the real version of that conversation:

"So what's wrong with it?"

"You have the latest flash virus. Have you opened any Word documents lately?"

"Of course! I use Word all day."

(scans hdd, finds the one in email that started it)

"Did you open this?"

"Of course I did. It's the weekly report."

"Didn't it WARN you there may be a virus?"

"No"

"I'm pretty sure it popped up and warned you about the security implications of opening documents containing flash applets from untrusted sources"

"What does that mean?"

"It means it warned you about a possible virus"

"Oh, well stuff pops up all the time and I just click OK so the computer will work. Sometimes it pops up again so I click Cancel"

Users are bombarded with dialog boxes, permission boxes, info bars, tray notifications, software update notifications, and so forth all day long. They don't read them, they just click YES/OK. If it pops up again, they try CANCEL (even if the text is different - remember they don't read it!)

That's why IE's ActiveX scheme was a massive failure - it relied on users to know what ActiveX was, know what digital certificates were, then make an informed security decision for each and every control that wanted to install. Even if the native code execution wasn't a huge hole all by itself the whole scheme is a massive failure because most users don't know what ActiveX is, wouldn't know how to verify a certificate if they wanted to, and can't control what the control does after it's installed.

This is also why Android is a huge security fail. It relies on the user to understand what the permissions mean and what the consequences are at the time of install. Even if you understood exactly what those 18 permissions were (including scrolling down to expand the list and finding identically named permissions but with slightly different detail text under them)... you can't enable-disable them if you decide the app shouldn't have some of them. Should App X be able to modify or delete USB storage? maybe... depends on what it wants to do! Should it be able to make phone calls or send text messages? Maybe... too bad you won't be asked about it when it signs you up for $9.99/mo SMS services. What about manage accounts? Maybe the app wants to legitimately manage accounts... or maybe it will delete your entire google account. Who knows, but you sure won't be prompted about it.

Any system that relies on the user to make potentially dangerous security decisions is an automatic failure; doubly so if the decision is irreversible and persistent for all time (which covers the vast majority of security systems in use today).

I'm almost certain that in the future we'll grant permissions to different apps and websites by answering at the time the app wants access to the resource, not forever. Further I think the system will want to keep a history (think git, but for the entire filesystem), allowing you to effectively "roll back" a bad security decision. That probably means browsers and apps all run isolated in their own OS-provided VM/sandbox and all sharing or filesystem access routes through the version control system.

Re:aaand it won't help much

[0123456]

I'm almost certain that in the future we'll grant permissions to different apps and websites by answering at the time the app wants access to the resource, not forever.

Like UAC's wonderfully helpful popups, you mean?

'Application Hello Kitty Screensaver wants to: Access Hard Disk. Allow/Deny?'

Yeah, that's going to make life much easier for Joe Know-Nothing to avoid malware. They'll click yes to everything, then disable it after ten minutes because it's popping up all the time.

The only way it can work is to sandbox every app so it can't infect any files but its own. Even then, it also needs a network sandbox so it can't connect to arbitrary network services.

Re:aaand it won't help much

[LMariachi]

"And now you need to be out of commission for at least an hour so we can fix your computer that you broke. I'm sure your manager will understand."

Re:aaand it won't help much

[tlhIngan]

Users are bombarded with dialog boxes, permission boxes, info bars, tray notifications, software update notifications, and so forth all day long. They don't read them, they just click YES/OK. If it pops up again, they try CANCEL (even if the text is different - remember they don't read it!)

The technical term for it is dancing pigs (or Dancing Rabbits).

The premise is that any security that relies on getting in the user's way of a task will be promptly bypassed. The user will always choose dancing rabbits/pigs/whatever over security every time.

Re:aaand it won't help much

[symbolset]

Usually you get people - quite intelligent, technical, well educated and experience people - who still can't understand why you don't click on the "Stop sending this spam" link in spam, or why they can't have the "Yahoo toolbar" browser add-on installed by some app they downloaded from a some random download portal on the Internet with uncertain provenance, or the prancing horse mouse cursor. But then you have C level executives who don't understand reply-all either also.

Re:aaand it won't help much

[Bearhouse]

Enable Remote Desktop on your mom's PC. It's not as insecure as people claim, if you do it right.

Re:aaand it won't help much

[girlintraining]

It's not just mothers that do this, I see professionals in the office doing the same thing.

It's sad you have to point it out before people can see it as sexist. The geek community here didn't used to be quite like that. There were trolls of course, but lately it's become prevalent even in otherwise perfectly good comments... :(

Re:aaand it won't help much

It was kinda funny when the highest level lawyer in a company I was at hit reply all to a corporate wide e-mail tell everyone what was going on this quarter.

Re:aaand it won't help much

[kevingolding2001]

You need to send these people this... http://www2.b3ta.com/top-10-cutest-kittens/

Re:aaand it won't help much

[DaveGod]

Did it occur to you that maybe she did actually need to open the weekly reports and that the policy was not fit for purpose? The story seems intended to imply the ignorance of the user but I'm left questioning the ignorance of the IT guy.

Re:aaand it won't help much

And you have some people who are either completely retarded or just refuse to listen.
Take this for example:

Each year we do a lifecycle to all the machines within the university libraries. This includes branch campuses and all 6 libraries on our main campus (about 2500 machines). In the past weve used Ghost (or products along those lines) but for the past 2 years for the public (student) machines we've been using IBM Tivoli Endpoint Manager (System Manager/BigFix) so not only can we push individual software updates but we can also wipe the OS and re-install remotely.

This year we've deployed to the staff machines. There's a few sections to how this works. For the initial flash of the machine (new hardware or it hasnt been flashed with sysman yet) you use a thumb drive build key. The formats the hard drive and installs a Pre-Install windows environmen into a hidden partition on the hard drive and saves settings like IP, domain, etc.
The machine then reboots and installs windows on a partition that uses the rest of the hard drive. During this the screen is white and displays whats going on in very general terms. The user can only watch.

The fun begins when the machine reboots. It does 3 or 4 phases of installing software packages or configuring settings, rebooting after each phase. *BUT* during this procress, since its now the actual installed windows running, theres the message of "press control + alt + delete to log on" ON a gray background with a big red stop sign in the lower left of the screen and a message about not using the machine as the build procress is going on (if they do log on it messes up installs since it then tries to do so under there account which prompts for admin privilege escalation.
You wouldnt believe that some people hit ctrl+alt+del even with the screen showing and us telling them not to during that screen, wait until the normal blue bsckground (with no stop sign) is back.

Re:aaand it won't help much

[amoeba1911]

This is exactly what I was going to post, I searched to see if anyone had posted the dancing rabbits problem yet and there it is.

If you leave it up to the user to decide whether or or not to bypass the security protocols, then you have no security protocol. It's like getting the most secure door installed on your house but allowing your 4 year old to open the door to strangers.

Re:aaand it won't help much

"Yes it opened up a box I hadn't seen before. But I needed to see the report, so I clicked the Open Anyway button."

"Didn't you get the memo last week about not clicking Open Anyway?""

"Yes. I remember it because I had to click Open Anyway to read the memo."

Re:aaand it won't help much

[drinkypoo]

Usually you get people - quite intelligent, technical, well educated and experience people - who still can't understand why you don't click on the "Stop sending this spam" link in spam,

No, those are not intelligent people (or you aren't.) Forget all the other adjectives. If someone cannot comprehend that clicking a link in an email can provide information to a spammer after your explanation then there's something wrong with one of you.

or why they can't have the "Yahoo toolbar" browser add-on installed by some app they downloaded from a some random download portal on the Internet with uncertain provenance

Again, either they're stupid or your explanation is poor.

But then you have C level executives who don't understand reply-all either also.

They just don't care enough to understand. And frankly I've run into that with a lot of people who are supposedly intelligent. They have decided that something isn't their job and therefore they shouldn't have to care and therefore they refuse to care -> don't care -> aren't interested in what you have to say about it -> therefore aren't capable of learning. They're not actually unintelligent, but their obstinacy achieves stupidity.

Re:aaand it won't help much

But it does give the sociopaths the power to fire you.

http://careereq.com/articles/emotional-intelligence/workplace-psychopaths-how-to-deal-with-them/

http://www.youmeworks.com/sociopaths.html

http://www.uncommon-knowledge.co.uk/articles/strings-psychopathy.html

http://www.lovefraud.com/blog/2012/02/10/the-gray-rock-method-of-dealing-with-psychopaths/

http://www.lovefraud.com/blog/2008/01/11/ask-dr-leedom-are-there-psychological-tactics-for-dealing-with-a-psychopath/

http://mytherapy.com/discussion/default.asp?group=14

http://psychopathtracker.com/WhatYouCanDo.cfm

Re:aaand it won't help much

[v1]

I dunno, that might be NSFW ?

Re:aaand it won't help much

[v1]

Deal with psychopaths much do you? It's not healthy to have that many cope-links on hotkey.

"Just show me auntie's e-card!"

[chronokitsune3233]

"This document contains macros which may harm your computer. Do you wish to allow them to run?" (Clicks "Yes" blindly.)

Some (or maybe all...IDK) Word documents that were actually templates contained macros in the absence of an actual wizard. This meant that in versions of Office that recognized the security hazard, you got a pop-up before the document actually opened. I personally clicked "Yes" or "Open Anyway" or "Allow" or whatever it said without even bothering to read it because I usually got the document from a trusted source (as in someone I trust, not someone a company/corporation trusts using an actual whitelist/blacklist). I presume many got tired of seeing the message as I did, and they did the same thing. Similar events will probably happen with this Flash issue. Your aunt sent you an e-card for your birthday from her virus-infested computer? Sweet! Allowed!

And before people ask, yes I was speaking in the past tense. I no longer use Microsoft Office, in favor of Google Drive's Office-like features that started out as "Google Docs & Spreadsheets". It may not be as full-featured, but I don't need it to be either.

Re:"Just show me auntie's e-card!"

[v1]

Macro viruses were annoying also. For awhile Word/Excel gave you only one check box in security prefs, to pop a dialog when a document contained macros. (you could not disable them, only turn on the dialog)

Then when the user opened a doc with a macro (or more often, a virus) it would pop and give just TWO options... (A) open and run macros, or (B) do not open.

Gotta love microsoft for that one. Took them insane ages to add the (C) Open with macros disabled. Until then we had to deal with the "but I HAD to open it" people. But then I could continue to bash on them for not having a "flush macros" button anywhere, and the ability to create a "hidden" macro, and every macro virus creator's all-time-favorites, the "run on open" and "copy macro to other closed document" options. But that's drifting somewhat OT.

Re:"Just show me auntie's e-card!"

Mod parent up!

I wish I'd saved another mod pt for this but I just used my last one on another posting of yours here (posting as AC so I don't undo it). Cheers!

Better answer...

[jonwil]

Stop allowing Flash to be embedded in things like Word documents and PDF files.
I have yet to see a single valid use of Flash in PDF or other document formats that couldn't be done as a web page instead.

Re:Better answer...

[rudy_wayne]

Stop allowing Flash to be embedded in things like Word documents and PDF files. .

This is the correct answer. Yes, Adobe needs to get their shit together and stop producing software with new security flaws being discovered almost daily. But what about Microsoft's responsibility? Flash embedded in a Word document? What.The.Fuck

Re:Better answer...

[hedwards]

Well, didn't MS pretty much invent documents as an attack vector. Perhaps my memory isn't so good, but the first cases I remember of that were for Word.

Re:Better answer...

[cellocgw]

But what about Microsoft's responsibility? Flash embedded in a Word document?

Yeah, not to mention the idiotic capability to embed entire Office documents inside other Office docs. I knew people who thought this was far better than, say, a nice zip archive. I used to get even by doing helpful things like converting a Word doc to PDF (try opening that embedded spreadsheet NOW, Dr. Doom!), or embedding a PowerPoint doc in a Word doc., embedding that Word doc in an Exel workbook, etc. in an EmbeddedTurtles Allthe Way Down sequence, and giving that back to them.

Meanwhile Gnash

[Ceriel+Nosforit]

Meanwhile Gnash supports Youtube just fine, which remains Flash's sole legitimate use.

It even supports audio out of the box.

Re:Meanwhile Gnash

[jfengel]

Is it demonstrably more secure? Or is it just too obscure for anybody to target?

Re:Meanwhile Gnash

how about hulu.com?

Re:Meanwhile Gnash

[Ceriel+Nosforit]

I don't have an authoritative answer, but Chromium keeps telling me Adobe Flash is out of date with its bright yellow Load Anyway dialogue. I see that bar on a lot of sites which should not have any reason to use SWF, even though adblock removes the worst offenders.

Re:Meanwhile Gnash

[Ceriel+Nosforit]

Says "...currently our video library can only be watched from within the United States." Can't be bothered to find a local TOR exit...

Re:Meanwhile Gnash

hulu isn't legitimate? mainstream flash game? flash embedded in office documents -- that's what is not a legitimate use of flash. why the hell is that even allowed in the first place?

Re:Meanwhile Gnash

[tepples]

Youtube [...] remains Flash's sole legitimate use.

Is there a reason that you feel that showing web animations (such as Homestar Runner or animutations) without converting to MP4 and thereby bloating the download size by a factor of 10 is not "legitimate"

Re:Meanwhile Gnash

[tlambert]

I don't have an authoritative answer, but Chromium keeps telling me Adobe Flash is out of date with its bright yellow Load Anyway dialogue. I see that bar on a lot of sites which should not have any reason to use SWF, even though adblock removes the worst offenders.

Flash is often embedded in web pages with no UI in order to implement "super cookies" (LSO's or Local Shared Objects) in order to be able to track you even if you have cookies disabled, since people want to be able to see their videos. So they leave Flash enabled.

The workaround for the user is to install something like "ClickToFlash", but that can get annoying pretty fast, especially on sites like abc.com or cbs.com, which have very short timeouts on reading the data back out, and so claim you have flash disabled, even though you don't, because you don't click in under a second. So you enable the bypass for that website, and they are back to tracking you again.

Re:Meanwhile Gnash

[VortexCortex]

Are you saying that you'll play those legitimate animations written in ActionScript (a flavor of ECMAScript) in a Flash format outside of a web browser that already supports JavaScript (a flavor of ECMAScript) and Vector Graphics? Adobe hates Flash. They make money making tools that create flash content, and they would MUCH rather simply sell the same tools and generate HTML5 content with them instead. Same revenue, no cost to maintain the "player" becuase it's in the damn browser. You can even embed JavaScript in HTML documents......

Not him, but Flash has no legitimate use. IMHO, neither does JavaScript, but that's beside the point.

Re:Meanwhile Gnash

[mister_playboy]

You can deal with super cookies by using an add-on like FF's BetterPrivacy.

Even more basically, you can make Flash's hidden .adobe and .macromedia folders read-only.

Re:Meanwhile Gnash

[Boltronics]

...and that's when you use something like BetterPrivacy (in Firefox at least). http://fixtracking.com/

Re:Meanwhile Gnash

[at_slashdot]

Even better, join the youtube html5 trial, no flash needed (I don't think though it works for all the videos yet): http://www.youtube.com/html5

Re:Meanwhile Gnash

[tepples]

Are you saying that you'll play those legitimate animations written in ActionScript (a flavor of ECMAScript) in a Flash format outside of a web browser that already supports JavaScript (a flavor of ECMAScript) and Vector Graphics?

Solve these three issues and I'll consider joining you in bashing Flash:

• ActionScript comes with a tweening library. JavaScript does not.
• Not all deployed web browsers support vector graphics. An outdated version of Internet Explorer is especially common on the kinds of computers most likely to have PowerPoint installed. All computers running Windows XP, for example, run a version of Internet Explorer that lacks SVG. I'm under the impression that corporate IT departments are far more likely to authorize deployment of Flash Player than Chrome Frame.
• Not everybody who has made existing SWFs 1. is contactable and 2. is willing to laboriously remake them using HTML5 authoring tools.

Re:Meanwhile Gnash

[WD]

It's definitely the latter. It's pretty easy to find bugs in Gnash. However due to the obscurity of Gnash itself combined with the diversity of the platforms that Gnash runs on, Flash is a much more interesting target for attackers.

What you get for not using Libre software...

You wouldn't have this sort of issues if you were using liberated/free (as in speech) software. Adobe allows their third party shills to pollute their software so they also become a shill. Whenever I see a computer with flash, I resolve to format and repurpose it immediately.

People using M$ Office are just sheeple who deserve everything they get.

A solution...

[noobermin]

to the problem of liability.

slaps head

[decora]

have you heard of 'flashback'?

dealing with viruses is your job

[decora]

welcome to corporate america, you are responsible for shit you have no way to control or to fix.

just like everyone else.

those people who have to open those reports are in the same boat as you. if they dont open the report, then xyz doesnt get done, then a shit storm rolls down the hill and destroys the entire department.

Minitube does not use the Flash Player

http://flavio.tordini.org/minitube

Linux, Mac OS X, Windows

"Light on your computer. By consuming less CPU, Minitube preserves battery life and keeps your laptop cool. That's because Minitube does not use the Flash Player.

High Definition. Minitube plays HD videos up to 1080p. Go full-screen and watch them play smoothly.

1-Click Downloads. Download your favorite clips to your computer and put them on your portable device. Downloaded files are in MPEG4 format which is compatible with most devices, including Apple ones.

Stop fiddling. Just search for something. Minitube automatically plays videos one after another. Sit back and enjoy."

http://packages.ubuntu.com/quantal/minitube
http://packages.debian.org/sid/minitube

Re:Minitube does not use the Flash Player

[Skapare]

Where are the 64 bit binaries? But more importantly, where is the source code?

Re:Minitube does not use the Flash Player

for Linux - it should be posted on their site.

Even more importantly, where is the source code for Adobe Flash?

Re:Minitube does not use the Flash Player

mod parent up!

Yes another popup message is the fix!

[chopthechops]

After 18 years or so of increasingly frequent popup messages appearing in popular software you would think everyone realises by now how useless they are. Normal users don't read popups, and those who do read them don't know or care what they mean, and/or they just choose to ignore them. Actually I think software vendors know exactly how useless they are, and in the case of security-related popups it's just the vendor saying "security is the end user's problem, not ours". Kinda like the warnings you get on cigarette packets.

Re:Yes another popup message is the fix!

[10101001+10101001]

"Warning: Smoking Adobe/Microsoft/Apple/etc products has been shown that it may increase the chances of cancer and hallucinations about said software being good."

Sounds about right.

Office 2008?

[idontusenumbers]

"To protect users of Office 2008 and earlier"

Refer to Office 2008 then post a Windows screenshot? Par for the course I suppose.

And fluffy bunnies

[Ralph+Spoilsport]

will protect all the unicorns.

Oh god, this is marked insightful

[symbolset]

I hate to tell you this but code is data. Specifically it is the data about what you want the machine to do. There are methods to separate operators from operands, but none of them deliver the utility we demand.

* Hopes popup warnings will stop * attacks

[Chas]

Sorry.

It doesn't happen that way.

It just doesn't.

They tried this with browsers. It was egregiously cumbersome and conditioned people to auto-click YES to everything.

They tried this with Windows. It's still egregiously cumbersome and is still just conditioning people to blindly auto-click YES to everything.

So...NOW...they're adding MORE crap to click YES automatically to?

Third time's the charm?

FUCK NO!

Three strikes and you're out fuckers!

Warning popups prevent a small amount of infestations up front.
HOWEVER, down the road, as people get conditioned to the popups, they just click past without looking. Because the popups ARE IN THEIR WAY.

Adding a stupid popup is basically an admission that they're too goddamn stupid or lazy (or both) to secure their software properly. Or that their software is, inherently not secure or not able to BE secured.

At which point, it's crap that needs to be replaced with a better solution. Even if it means giving up the convenience of "Well this works right now".

Re:* Hopes popup warnings will stop * attacks

And that's why I install Chrome to my parents computer, it doesn't show dialogs for updating. Unlike Firefox, which still throws those.

Also I'm considering Chrome OS for their next computer, it should do all the updates automatically.

Re:* Hopes popup warnings will stop * attacks

Do you have some numbers to back up the notion that everyone eventually ignores warning messages and that they do absolutely no good? Adobe hasn't spun this as a perfect solution. It's there to help improve the problem. In all likelihood, it will. People aren't often presented with popups when opening Word documents. It will stand out as unusual, and if you look at the UI design of the message box, it's not something where they can blindly click a button to continue. They have to read it, change the radio button selection, and then click Continue to screw themselves. In other words, Adobe already thought of what you're talking about and adjusted for it.

what counts for lolcats and porn in China?

Related to dancing pigs is the cute cat theory of digital activism which suggests that China "circumvent[s] the cute-cat problem because the government is able to provide people with access to cute-cat content on domestic, self-censored sites while blocking access to Western sites". So the question is: what counts for lolcats and porn in China and does it differ substantially from Western sites?

Noscript

[drolli]

I use noscript.

A site has to be really important to me for me to activate plugins on it. If newspapers cant put in a static image but reduce all news reports to 5 lines of non-descriptive generic text and a link to a video they bought from somwhere, i dont need that.

Re:Noscript

[drinkypoo]

I use noscript.

Where do you get Noscript for Microsoft Office?

How About Killing E-Mail Attachments Altogether?

[Secret+Agent+Man]

This is an idea I had just now, could be completely useless, impossible to get users to adapt to, and would just shift the problem from one domain to another, but here goes anyway: How about we do away with e-mail attachments? Adapt a policy that forbids any e-mail attachments from being downloaded, period (sorry, people who feel the need to include a fancy e-mail signature image, guess you'll just to have to use boring text). Obligate employees, etc. to retrieve files from another source outside of e-mail. With the advent of technologies like DropBox, SkyDrive, etc. (or, heck, network shares), sharing files is dead simple, and doesn't require having to "send" files to anyone anymore. Instead, they get a link to said file(s) to download, from a trusted source (internal network, corporate web site, and so on).

While this wouldn't prevent "your Facebook account has been hacked! Click here and give us your info to fix, because we're totally Facebook" style spam/malware, it would shut and lock the door to any malicious e-mail that relies on viewing/downloading an e-mail attachment instantly.

Is it possible to setup a group policy to disable e-mail attachment downloading in, say, Outlook? I'm sure Company Policy could state "never never download e-mail attachments, period," but I'm guessing that would get ignored once co-worker X just has to see those new pretty kitty pictures.

office?

when I saw the word "office" I thought of OpenOffice.org. I was like, 'since when did OpenOffice (odt, odf)start opening Macromedia flash animations? Version 3?" lol

Why do we want Flash outside of browsers, anyway?

[manu0601]

I wonder is there are really useful usages of SWF in MS Office. I would be happy if I had the opportunity to make flash installation visible only to the browser. Anyone has a trick for that? Moving DLL to a place where only Firefox looks for them?

Re:How About Killing E-Mail Attachments Altogether

[kamikaze_late2party]

Your Security policy allows you to put work files into 3rd party "cloud" services? That's soooo nice for you. I'd love to get rid of email attachments, but i cant see it happening, unless there is something else that allows drag and drop easy file transfers (not FTP because port 21 is always blocked already) and stays within our network.

Re:How About Killing E-Mail Attachments Altogether

[Secret+Agent+Man]

Mine doesn't allow 3rd party services, but that was just a potential example. We have an internal network that everyone has access to (it's divided up so you don't have access to ~every~ folder, but you can still setup easy sharing between any number of individuals). For your scenario, why not use a network? Open it up just like a folder on your computer, drop the file(s) there, done and done.