Windows 0-Day Exploited In Ongoing Attacks

← Back to Stories (view on slashdot.org)

Windows 0-Day Exploited In Ongoing Attacks

Posted by Soulskill on Wednesday October 22, 2014 @02:23AM from the gift-that-keeps-on-giving dept.

An anonymous reader writes: Microsoft is warning users about a new Windows zero-day vulnerability that is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects. The vulnerability is currently being exploited via PowerPoint files. These specially crafted files contain a malicious OLE (Object Linking and Embedding) object. This is not the first time a vulnerability in OLE has been exploited by cybercriminals, however most previous OLE vulnerabilities have been limited to specific older versions of the Windows operating system. What makes this vulnerability dangerous is that it affects the latest fully patched versions of Windows.

114 comments

Min score:

Reason:

Sort:

Yikes by Anonymous Coward · 2014-10-22 02:26 · Score: -1

First Post?
1. Re: Yikes by Anonymous Coward · 2014-10-22 02:56 · Score: 1
  
  Computers suck. Gotta love how an office document can compromise your system. Can we just use txt files and get away from Executable documents
2. Re: Yikes by NotInHere · 2014-10-22 03:14 · Score: 1
  
  +1
  Why do we need multiple rendering engines? There should be one to rule them all. It seems that even large companies like microsoft can't fix all issues, and microsoft has to maintain multiple rendering engines, like Trident or the Office rendering engine. If microsoft would use trident for office documents, too, and all plug-ins were made in js (or NaCL if you like binary), Office could profit by the huge efforts Microsoft (and Google) puts into securing Browsers.
3. Re: Yikes by neilo_1701D · 2014-10-22 03:44 · Score: 4, Insightful
  
  ... and if the one rendering engine was used, the moment an exploit becomes available, all systems are vulnerable. Haven't we learned about the dangers of monocultures yet?
4. Re: Yikes by eneville · 2014-10-22 04:41 · Score: 1
  
  Yes, tones of people do that already, it's called TeX or LaTeX. It probably takes about as long to learn as Word does anyway. The huge benefit of using LaTeX is that its fairly backward/forward compatible, unlike Word. Want a text based visio replacement? Try dot. Powerpoint? Don't know, don't care, make a multipade LaTeX document and just page up/down the output pdf/dvi. I don't really care much for powerpoint. Get started with LaTeX now.
  
  --
  Why UNIX?
5. Re: Yikes by davester666 · 2014-10-22 05:47 · Score: 1
  
  We're working on it. We got rid of monocles, except in very isolated instances, so monocultures are next, alphabetically.
  
  --
  Sleep your way to a whiter smile...date a dentist!
6. Re: Yikes by lgw · 2014-10-22 05:57 · Score: 1
  
  PowerPoint - nothing else even comes close. As engineers we don't care about it, but there are just as many people who live and die by the PowerPoint presentation (literally in some cases, as the US military leadership is sadly all about the PPT these days).
  SmartArt is freaking magic for some people. It's exactly the sort of automation that LaTeX would be great at, but presented visually, not as "yet another programming language for those geeks." Like VI or EMACS, PowerPoint will always be with us: it's that central to a culture.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
7. Re: Yikes by Anonymous Coward · 2014-10-22 06:20 · Score: 0
  
  Want a text based visio replacement? Try Visio.
  FTFY.
  IIRC, Powerpoint uses the same DatadiagramML standard. And these "whatever-ML" standards that Office uses are now part of OOXML (yeah, yeah, ODF blah blah blah), and are embedded into a zip file for packaging. That's all the docx, xlsx, pptx, and vsd formats are anymore. Everything since Office 2007 has used this XML-in-a-zip-archive format by default, with ever-more deprecated support for OLE with each new version.
  Runner-up for text-based Visio replacement goes to: Visio (again) for it's SVG export capability. To be fair, its SVG export is no better than anyone else's. It's just that Visio's interface (IMO, of course) beats all comers until they're a gelatinous pile of formerly-structured matter. Even the "mighty" Adobe Illustrator is an imprecise pain-in-the-ass by comparison. It is, however, more "artsy" (and possibly more "fartsy" as well) and less "boring-ass systems diagrammy".
  Word sucks, though. It's gotten better with 2010 and later, but it still pretty much sucks. Too much baggage, not enough actual need for pretty documents beyond what HTML can provide. I only use it when I just don't have the time or give-a-damn to make up an HTML document. I've never had sufficient give-a-damn to even start using *TeX (or click your "get started" link).
Only for root users by mwvdlee · 2014-10-22 02:27 · Score: 2

UAC will display a warning, this exploit only touches users who run as admin.
I don't think any still supported version of Windows defaults to admin.

--
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
1. Re:Only for root users by fisted · 2014-10-22 02:29 · Score: 4, Insightful
  
  You do know the common way for users to deal with UAC prompts, right?
  
  --
  CLI paste? paste.pr0.tips!
2. Re: Only for root users by Anonymous Coward · 2014-10-22 02:34 · Score: 0
  
  the first local user on all Windows installations is by default admin. UAC is the only protection and most users are trained by habit to accept those without question.
3. Re:Only for root users by afidel · 2014-10-22 02:34 · Score: 4, Insightful
  
  Yes, but in a well managed environment users won't get a UAC prompt because they won't be local admins, if the folks you've trusted enough to grant local admin to are still dumb enough to click ok to a UAC prompt when opening an Office file then there's literally no security system that will help you.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
4. Re: Only for root users by Russ1642 · 2014-10-22 02:37 · Score: 1
  
  People accept these when it's expected. When a UAC prompt comes up when opening a PowerPoint presentation downloaded off the internet I think even most casual users will wake up and cancel the request... unless it's my sister-in-law. She'll install anything.
5. Re:Only for root users by dbIII · 2014-10-22 02:41 · Score: 2
  
  However when you have inhouse software that only runs as admin because your VB jockeys haven't worked out that it's no longer 1995 then you are fucked - frequently - when each new wave of malware hits.
  MS Windows is no longer the problem. Losers who treat it like MSDOS and write software are the problem.
6. Re:Only for root users by ArcadeMan · 2014-10-22 02:41 · Score: 1
  
  Switch to MS-DOS?
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
7. Re: Only for root users by ruir · 2014-10-22 02:42 · Score: 2
  
  No, most casual users install just any shit, anytime, anywhere. Even in shady sites for watching "TV" or "films" they installs "codecs", or "antivirus" offered by any page at all, even if they are searching for p0rn.
8. Re:Only for root users by gweihir · 2014-10-22 02:47 · Score: 2
  
  As Windows slowly gets where Unix already was 30 years ago, the problem in cases like this is less with Windows and more with Windows-users.
  Still, OLE was a pretty bad idea from day 1.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
9. Re: Only for root users by gweihir · 2014-10-22 02:51 · Score: 1
  
  Sorry, but for Windows users what you say is already in the "knowledgeable power-user" class, i.e. most users will get caught by this. On Linux, you would maybe get 50% "WTF?"s, or maybe even a bit more if the sudo warning message is intact, but forget that being any working protection on Windows.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
10. Re:Only for root users by gstoddart · 2014-10-22 02:55 · Score: 1
  
  Well, if the solution is to run as admin so you don't get those pesky notices .... then the outcome is going to be not unlike your nick, and entirely self inflicted.
  Because, you will be fisted by the first exploit to come along.
  
  --
  Lost at C:>. Found at C.
11. Re:Only for root users by Anonymous Coward · 2014-10-22 02:56 · Score: 0
  
  The losers are those who exploit the users for their own selfish purposes.
12. Re: Only for root users by Anonymous Coward · 2014-10-22 03:04 · Score: 0
  
  Newbie Linux users might type in the administrator password even more unsuspectingly, as Linux asks the password more often than Windows for basic tasks, such as for installing updates.
13. Re:Only for root users by Khyber · 2014-10-22 03:06 · Score: 1
  
  "UAC will display a warning, this exploit only touches users who run as admin."
  I run as admin on my Windows7 machine and I get UAC prompts.
  Next.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
14. Re:Only for root users by DarkOx · 2014-10-22 03:08 · Score: 1
  
  Have not looked at the vuln yet but does it necessarily pop a UAC given its OLE, i assume this is some kind of memory overwrite. So might be possible to step all over the users data without calling any privileged operations.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
15. Re: Only for root users by NotInHere · 2014-10-22 03:17 · Score: 2
  
  ... and you don't need privilege escalation if you want to write an X keylogger. You only need to be abled to execute code as the user you want to track.
16. Re:Only for root users by The+MAZZTer · 2014-10-22 03:19 · Score: 1
  
  If an "exploit" requires the user to manually give it complete access to the PC to work... it's not an exploit.
17. Re: Only for root users by parkinglot777 · 2014-10-22 03:25 · Score: 3, Insightful
  
  I think even most casual users will wake up and cancel the request
  This actually makes me laugh :P Sadly, a casual user is not as logical as you think.
18. Re:Only for root users by Qzukk · 2014-10-22 03:27 · Score: 1
  
  well managed environment
  Number one target for this will be grandpa forwarding that patriotic slideshow with God Bless America playing as it pages through sunsets and crying eagles and a root kit on the 4th slide.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
19. Re: Only for root users by bill_mcgonigle · 2014-10-22 03:32 · Score: 1
  
  If it's in-house software then it can be fixed - no excuses. If people don't fix problems they know about and can fix then they get what they deserve.
  Show me somebody who has a huge investment into a physical machine controlled by some proprietary software where the vendor has gone out of business and there's no source available and then I'll have a bit of sympathy, but even then put it on a VM on its own VLAN - these are not extremely difficult problems.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
20. Re:Only for root users by Anonymous Coward · 2014-10-22 03:35 · Score: 0
  
  It is when it is Microsoft Security(tm)
  Microsoft Security involves throwing meaningless prompts at users so much that it conditions them to close them as soon as they see them, regardless of what it says.
  I still laugh when they suggested Linux should take up that security. Laughable.
  Linux is actually secure as OSes can get without user intervention. (which is being eroded as we speak by a group of developers trying to force a catch-all process in to Linux, aka systemd, which will add a huge potential exploit vector if even the slightest problem arises)
  UAC has been regularly ripped to shreds even without user intervention some times.
21. Re:Only for root users by imatter · 2014-10-22 03:39 · Score: 1
  
  This is not isolated to in-house software, maybe the VB jockeys though. I have never actually seen one, so do VB jockeys wear multicolored hats?
22. Re:Only for root users by Anonymous Coward · 2014-10-22 03:48 · Score: 0
  
  Not to take the appropriate blame from the programmers violating what has been established proper security guidelines since 1993, but where's the system admin in all of this? Why can't the admin use the provided tools to determine where the application fails when run under a constrained account and then grant a specific whitelist of additional privileges to the users who need to use said application?
  The main reason software like that fails is because it tries to write outside of the user profile. Generally somewhere under %PROGRAMFILES% or HKEY_LOCAL_MACHINE. Identify the exact location and it's simple to provide the user write access to that location and the application will be happy.
  There is no excuse for a user to have to run as a local admin, even with shitty software. I've managed to avoid it since long before UAC since the default domain user profile was always a limited user.
23. Re:Only for root users by Anonymous Coward · 2014-10-22 03:52 · Score: 0
  
  As Windows slowly gets where Unix already was 30 years ago, the problem in cases like this is less with Windows and more with Windows-users.
  Blaming the user is always a priceless maneuver guaranteed to yield productive results.
  
  Still, OLE was a pretty bad idea from day 1.
  Over the years stumbled upon some pretty cool shit implemented very quickly using OLE.
  Especially impressed by in-house solutions using OLE linking within MS Access databases using no or minimal code.
  It isn't like you can't disable most of this shit from the trust center or that office does not ship with document protected mode enabled by default.
24. Re:Only for root users by Anonymous Coward · 2014-10-22 04:10 · Score: 0
  
  Actually, Windows offers much more comprehensive security toolkit with ASLR, NX, EMET, UAC, Windows Defender, and Windows Resource Protection.
  If Linux was any more popular on desktop than it is today, all you have to do is create a "birthday_card.deb" which during installation runs any scripts that it wants as root. The users would happily type in their password, as it is constantly asked for simple tasks like installing updates. What makes the situation even worse is that the normal user and administrator password are often the same in Linux.
25. Re: Only for root users by Anonymous Coward · 2014-10-22 04:19 · Score: 0
  
  Users still get UAC prompts they just can't do anything with them. Not without valid admin credentials.
26. Re: Only for root users by Anonymous Coward · 2014-10-22 04:20 · Score: 0
  
  Personally I woild never "install" a birthday card.
27. Re: Only for root users by jd2112 · 2014-10-22 04:25 · Score: 1
  
  Some do, however I've seen a few that are incapable of finding their head let alone placing a hat on it. Generally these are still stuck developing on VB6 rather than the vastly improved .NET versions (and are still whining about it after all these years...)
  
  --
  Any insufficiently advanced magic is indistinguishable from technology.
28. Re:Only for root users by chipperdog · 2014-10-22 04:30 · Score: 1
  
  Try running dpkg as non-root...won't work...
29. Re:Only for root users by Anonymous Coward · 2014-10-22 04:32 · Score: 1
  
  In every well managed environment you always have that one executive that is above best practices.
30. Re:Only for root users by NatasRevol · 2014-10-22 04:47 · Score: 1
  
  Only one of the two is actually fixable.
  
  --
  There are two types of people in the world: Those who crave closure
31. Re:Only for root users by afidel · 2014-10-22 05:11 · Score: 1
  
  LUA Buglight from MS helps a ton in that regard, it's been around since Vista Beta and with it you should be able to find exactly what calls require elevation.
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
32. Re:Only for root users by Sir_Eptishous · 2014-10-22 05:25 · Score: 1
  
  It's not just in house VB jockeys doing this. All sorts of "enterprise" grade software will only run as admin.
  If you can find the registry keys to tweak and files and folders to manually change perms on than sometimes that problem can be mitigated.
  Really, the problem is that software development gives little priority to security.
  
  --
  We play the game with the bravery of being out of range
33. Re:Only for root users by Anonymous Coward · 2014-10-22 05:43 · Score: 0
  
  I believe the default first account setup at install time is the part of the administrators group with the real administrator account set to disabled.
34. Re:Only for root users by Bacon+Bits · 2014-10-22 05:46 · Score: 3, Informative
  
  No, you just use the Application Compatibility Toolkit which allows you to run an application with the exact level of permissions it requires to get things done regardless of the permissions assigned to the current user. Does your application need to be able to write to it's own program folder, but you want to prevent everything else from doing that, too? Application Compatibility Toolkit.
  Is it easy to use? No, but it does work very well. The tools exist to get what you need done regardless of your environment. Granting users admin rights when they don't need them is just lazy.
  
  --
  The road to tyranny has always been paved with claims of necessity.
35. Re:Only for root users by steelfood · 2014-10-22 06:16 · Score: 1
  
  Even power users get the UAC prompt for certain things. But if they don't have local admin, the point is still moot.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
36. Re:Only for root users by Anonymous Coward · 2014-10-22 06:16 · Score: 0
  
  Yes, but in a well managed environment users won't get a UAC prompt because they won't be local admins
  So, this will only be a problem on planet Earth, is what you're saying. On other planets, everything will be fine!
37. Re:Only for root users by NotDrWho · 2014-10-22 07:01 · Score: 1
  
  if the folks you've trusted enough to grant local admin to are still dumb enough to click ok to a UAC prompt when opening an Office file then there's literally no security system that will help you
  It's like my grandpa used to say "Kid, you can't make an idiot not be an idiot--and also never fuck a hooker who's coughing."
  
  --
  SJW's don't eliminate discrimination. They just expropriate it for themselves.
38. Re:Only for root users by behrooz0az · 2014-10-22 07:28 · Score: 0
  
  How much did they pay this Microshill to spread this FUD?
  Microsoft's Windows Vista (released January 2007) and later have ASLR enabled for only those executables and dynamic link libraries specifically linked to be ASLR-enabled
  for linux, read: http://en.wikipedia.org/wiki/A...
  NX is a CPU feature(quoting wikipedia):
  The support for this feature in the 64-bit mode on x86-64 CPUs was added in 2004 by Andi Kleen, and later the same year, Ingo Molnar added support for it in 32-bit mode on 64-bit CPUs. These features have been in the stable Linux kernel since release 2.6.8 in August 2004.
  The microsoft version is a tad bit more complicated(no protection in some circumstances): http://en.wikipedia.org/wiki/N...
  Windows Defender and Windows Resource Protection: I honestly don't think they're worth anyones time.
  Debian uses the "_" character to separate package name and version, they use "-" to separate different words in package name.
  And FTR that UAC shit is what we've called su for decades.just to know how much more secure linux is in this context read about the "sudoers file"
  
  --
  Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
39. Re:Only for root users by Anonymous Coward · 2014-10-22 10:24 · Score: 0
  
  You do know the common way for users to deal with UAC prompts, right?
  Google how to turn them off. The only sane solution. Do you agree? Yes No.
40. Re:Only for root users by dbIII · 2014-10-22 12:07 · Score: 1
  
  grant a specific whitelist of additional privileges to the users who need to use said application
  So what do you suggest when that is all of them? Apart from of course trying various methods to convince the developer to learn how to do his job properly?
41. Re: Only for root users by gweihir · 2014-10-22 15:58 · Score: 1
  
  Hence my estimate that even 50% of Linux users would get caught....
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
42. Re:Only for root users by gweihir · 2014-10-22 15:59 · Score: 1
  
  So, you prefer functionality over security, _BUT_ you do not want to see the user blamed. I take it you think that you are pretty incompetent?
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
43. Re:Only for root users by fisted · 2014-10-23 03:59 · Score: 1
  
  That is not what i was referring to. The typical technically illiterate user wouldn't know how to do that anyway (or even know what it means)
  
  --
  CLI paste? paste.pr0.tips!
44. Re: Only for root users by Anonymous Coward · 2014-10-23 04:26 · Score: 0
  
  False. I would estimate 19 out of 20 users will literally install anything, prompts be damned. It's how computer repair shops like mine stay in business.
45. Re:Only for root users by behrooz0az · 2014-10-24 05:58 · Score: 1
  
  The downvotes I get for quoting wikipedia, talk about crazy...
  
  --
  Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
46. Re:Only for root users by Pyramid · 2014-10-24 08:22 · Score: 1
  
  BINGO!
  
  --
  ~Any apparent grammatical or typographic errors are caused by defects in your display device.
47. Re:Only for root users by Pyramid · 2014-10-24 08:27 · Score: 1
  
  Set up sudo correctly and it will.
  
  --
  ~Any apparent grammatical or typographic errors are caused by defects in your display device.
Damn linux by ruir · 2014-10-22 02:36 · Score: 4, Funny

Linux is not good, damn full of bugs, heartbleed, shellsock and now THIS!!! Crap, wait, I must have made some mistake ;)
1. Re:Damn linux by 93+Escort+Wagon · 2014-10-22 02:57 · Score: 3, Insightful
  
  It's mildly funny that Server 2003 doesn't have this bug, and also was the last Windows Server that still used some Unix/BSD code.
  (No, I'm not claiming a causal relationship...)
  
  --
  #DeleteChrome
2. Re:Damn linux by Sir_Eptishous · 2014-10-22 05:27 · Score: 1
  
  causal or casual?
  
  --
  We play the game with the bravery of being out of range
3. Re:Damn linux by TemporalBeing · 2014-10-22 05:43 · Score: 1
  
  It's mildly funny that Server 2003 doesn't have this bug, and also was the last Windows Server that still used some Unix/BSD code.
  (No, I'm not claiming a causal relationship...)
  Which makes me think that WinXP was also not affected as it was closely related to Windows Server 2003. However, it's no longer supported so...
  
  --
  Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
4. Re:Damn linux by Anonymous Coward · 2014-10-22 05:54 · Score: 0
  
  Caucasian
Oh Microsoft Windows... by technomom · 2014-10-22 02:51 · Score: 3, Funny

....Don't ever change you magnificant bastard.
1. Re:Oh Microsoft Windows... by Anonymous Coward · 2014-10-22 04:44 · Score: 0
  
  FTFA: "The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed."
  Um.. yeah. So you need to use PowerPoint, and OLE, and pass the consent prompt? Pretty easy to avoid this one.
2. Re:Oh Microsoft Windows... by Anonymous Coward · 2014-10-23 04:30 · Score: 0
  
  Exactly, so it will only infect 9 out of 10 Windows PCs :)
Definitely Users by blueshift_1 · 2014-10-22 02:55 · Score: 2

Yeah, you defflinitely have "allow" it. But most people don't read half the messages excel or powerpoint throw at them. Just accept, accept, open, enable, install, install. Why do we even make botnets... I'm sure the users would do it on their own if they were prompted.
1. Re:Definitely Users by CauseBy · 2014-10-22 03:09 · Score: 5, Interesting
  
  It's a problem of false negatives. I've never been confronted with a UAC warning for which it was appropriate to say no. Never.
  When 100% of past warnings were unnecessary people don't pay attention to warnings anymore. This isn't a problem with human behavior, this is a problem with the warnings. Warnings need to have a memorably high rate of indicating actual danger -- five or ten percent is enough. One in a million is not enough.
  Windows is like the crazy guy on the corner who says "the end is near!" Yeah, sure, maybe this time he's right, but we've heard that false message too many times to even bother listening to it.
2. Re:Definitely Users by Anonymous Coward · 2014-10-22 03:49 · Score: 1
  
  The solution could be to create random spurious warnings for things that are dangerous. "Confirm delete of c:\windows directory and all subdirectories?" "Confirm sending violent threat email to PotUS?" "Confirm rabid weasel release in your back yard?" Then if they answer "yes", actually do the ones that a computer can do.
3. Re:Definitely Users by Zalbik · 2014-10-22 04:11 · Score: 4, Funny
  
  It's a problem of false negatives. I've never been confronted with a UAC warning for which it was appropriate to say no. Never.
  Well, then you should take a look at the attached powerpoint presentation! It gives an in-depth analysis of exactly why you should be careful when answering "Yes" to UAC prompts.
4. Re:Definitely Users by Anonymous Coward · 2014-10-22 04:51 · Score: 0
  
  > I've never been confronted with a UAC warning for which it was appropriate to say no. Never.
  You would say Yes when opening a simple powerpoint file? I wouldn't. Maybe the problem is PEBCAK, not UAC.
5. Re:Definitely Users by Anonymous Coward · 2014-10-22 13:24 · Score: 1
  
  I've never been confronted with a UAC warning for which it was appropriate to say no. Never.
  If you configure UAC to the highest level you can prevent some explorer mishaps by a tired, drunken administrator.
6. Re:Definitely Users by Anonymous Coward · 2014-10-23 04:35 · Score: 1
  
  99.99999% of Windows users will do exactly this. It is a UAC/Windows problem.
Don't worry, I have a slideshow explaining this! by Grantbridge · 2014-10-22 02:56 · Score: 4, Funny

Just download this handy powerpoint slideshow and I think you'll find it explains how this attacks works in perfect detail...
PowerPoint on a Server? by jdkc4d · 2014-10-22 03:01 · Score: 1

Really? Who installs PowerPoint on the server? Cause you are gonna be all like, hold up let me unrack this server and connect a projector to it...right.
1. Re:PowerPoint on a Server? by ruir · 2014-10-22 03:12 · Score: 2
  
  Dont ask...we had a fantastic team of System administrators here that fortunately when one left the other had the good sense of leaving too, that installed EVERYTHING they could into the servers. The Windows servers had Office, and Linux servers had 30-40GB of software.
2. Re:PowerPoint on a Server? by Anonymous Coward · 2014-10-22 03:18 · Score: 0
  
  They are probably listing it just for completeness.
3. Re:PowerPoint on a Server? by __aaclcg7560 · 2014-10-22 03:33 · Score: 1
  
  Leaving the servers open to all kinds of vulnerability issues by installing unnecessary software. That's a fantastic team of system admiistrators?
4. Re:PowerPoint on a Server? by tlhIngan · 2014-10-22 03:47 · Score: 1
  
  Really? Who installs PowerPoint on the server? Cause you are gonna be all like, hold up let me unrack this server and connect a projector to it...right.
  If your process involves generating Office, documents, it's generally the easiest way. The server automation tools for generation of Office documents are basically scripts and wrappers around.... Office. So if you want to generate some report that spits out an Excel file at the end, you can bet it was generated in Excel the first time around because the reporting tool actually called Excel to fill in the fields.
  This can also apply to tools that email documents to users in the specified format - especially if it's to watermark a presentation or something.
5. Re:PowerPoint on a Server? by ndato · 2014-10-22 04:05 · Score: 1
  
  System administrators job is to install everything and allow every user to access and execute everything, isn't it?
6. Re:PowerPoint on a Server? by Anonymous Coward · 2014-10-22 04:15 · Score: 0
  
  Really? Who installs PowerPoint on the server? Cause you are gonna be all like, hold up let me unrack this server and connect a projector to it...right.
  i dunno.. you ever heard of citrix?
7. Re: PowerPoint on a Server? by jd2112 · 2014-10-22 04:35 · Score: 1
  
  Ciitrix server serving Office to remote users
  Sharepoint addon for searching and indexing Office files.
  I'm sure there are others this is just what I thought up in 30 seconds.
  
  --
  Any insufficiently advanced magic is indistinguishable from technology.
8. Re:PowerPoint on a Server? by __aaclcg7560 · 2014-10-22 04:57 · Score: 1
  
  i dunno.. you ever heard of citrix?
  Citrix is an application server. Powerpoint installed on a server that isn't an application server is a potential security vulnerability.
9. Re:PowerPoint on a Server? by Anonymous Coward · 2014-10-22 06:07 · Score: 0
  
  "Blow Me!"
  
  - Signed, System Administrators everywhere
10. Re:PowerPoint on a Server? by ruir · 2014-10-22 06:35 · Score: 1
  
  Are you so dense to not understand than when I am rejoicing they left, that could only be irony? You could improve your social skills.
11. Re:PowerPoint on a Server? by Anonymous Coward · 2014-10-22 06:38 · Score: 0
  
  Admins that work with incompetent programmers that don't know how to use System.IO.Packaging (or its language-appropriate equivalent) and the OOXML formats to generate Office-formatted documents dynamically.
  If your web app requires an Office install on the server, you're doing it wrong.
12. Re:PowerPoint on a Server? by Anonymous Coward · 2014-10-22 06:51 · Score: 0
  
  If your process involves generating Office, documents, it's generally the easiest way. The server automation tools for generation of Office documents are basically scripts and wrappers around.... Office. So if you want to generate some report that spits out an Excel file at the end, you can bet it was generated in Excel the first time around because the reporting tool actually called Excel to fill in the fields.
  No. Just no. You're the reason developers get a bad rap.
  Read up on System.IO.Packaging and understand why it exists. Learn the OOXML schemas. None of these things require .Net programming to handle them, so you can do this with any language on any platform. Just build your data in the XML schema that it requires (SpreadsheetML, WordprocessingML, DatadiagramML, etc.) then put it into a properly-structured zip file with the correct office file format extension on the end of the name.
  
  This can also apply to tools that email documents to users in the specified format - especially if it's to watermark a presentation or something.
  No, that's not true either. Once you have that office document object (the zip file) in memory, you can write it to a MIME attachment part before you send the email. That too is rather simple. You just have to understand how MIME works, which, being a standard from the early-to-mid-80's, is best described as frickin' simple. It's basically header block, text body, then a repeating set of boundary marker/MIME body pairs, and a closing boundary marker (with an extra "--" after it). The MIME bodies are usually base64 encoded for safe binary-as-text transport.
  It's not goddamned rocket science. Do your job correctly.
13. Re:PowerPoint on a Server? by __aaclcg7560 · 2014-10-22 06:56 · Score: 1
  
  Re-read your original comment. The irony was lost in translation. Maybe you should go back to school to learn proper English?
14. Re:PowerPoint on a Server? by ruir · 2014-10-22 07:10 · Score: 1
  
  Last time I check fortunately is english. Besides being dense you are an idiot too.
15. Re:PowerPoint on a Server? by Anonymous Coward · 2014-10-22 07:27 · Score: 0
  
  No. Just no. You're the reason developers get a bad rap.
  Read up on System.IO.Packaging and understand why it exists. Learn the OOXML schemas.
  
  It's not goddamned rocket science. Do your job correctly.
  Presumably you've never developed LOB software within a large company. Internal software that automates MS Office might have been written long before System.IO.Packaging and OOXML existed, and as long as it still works (regardless of the pains caused to the IS dept), nobody is going to approve funds for a rewrite. Even now, I still sometimes maintain VB6 software for SMBs and large corporations which stubbornly refuse to move on. And then there's the occasional server-side application written entirely in MS Access or MS Excel VBA... Furthermore, even after .Net & OOXML were first available, there was often a requirement to generate the older binary document formats instead because the newer Office versions were not universally installed within the company.
  Finally, legitimate server-side MS Office installations can be found within a Citrix farm hosting it for the users.
  - T
16. Re:PowerPoint on a Server? by __aaclcg7560 · 2014-10-22 08:10 · Score: 1
  
  What does an adverb have to do with my social skills? You're the git hurling insults around here.
17. Re:PowerPoint on a Server? by JDG1980 · 2014-10-22 12:32 · Score: 2
  
  If your process involves generating Office, documents, it's generally the easiest way. The server automation tools for generation of Office documents are basically scripts and wrappers around.... Office. So if you want to generate some report that spits out an Excel file at the end, you can bet it was generated in Excel the first time around because the reporting tool actually called Excel to fill in the fields.
  This may have been correct 5 to 10 years ago, but you should never do this in a modern installation if you can possibly help it. Microsoft's official position is that "Microsoft does not recommend or support server-side Automation of Office."
  You should be using the Open XML SDK to create Office documents in your web application. The default classes and methods are somewhat opaque, but fortunately, there are a lot of helper toolkits that run on top of OOXML SDK to make things much easier. I used Simple OOXML, which hasn't been updated for a while and has limited documentation, but works pretty well, and is free. These solutions are not only much more robust in a server-side situation, but you don't have to devote an Office license to the server.
Favorite Version of Windows? by globaljustin · 2014-10-22 03:08 · Score: 1

...yours

--
Thank you Dave Raggett
Windows = Job Security by __aaclcg7560 · 2014-10-22 03:23 · Score: 4, Insightful

If you're a security remediation specialist for the I.T. department, Windows is job security as these problems will never go away.
1. Re:Windows = Job Security by Anonymous Coward · 2014-10-22 03:38 · Score: 2, Insightful
  
  Do you know any OS that is free of bugs and security risks, including users?
2. Re:Windows = Job Security by Anonymous Coward · 2014-10-22 03:55 · Score: 1
  
  VMS is really, really close to perfect.
3. Re:Windows = Job Security by __aaclcg7560 · 2014-10-22 03:58 · Score: 1
  
  Neither Linux nor Mac is paying my salary. Only Windows. Thanks, Microsoft!
4. Re:Windows = Job Security by Anonymous Coward · 2014-10-22 05:24 · Score: 0
  
  OpenBSD
Broken Windows syndrome, IT version: by Anonymous Coward · 2014-10-22 03:40 · Score: 1

If you leave one hole in Windows unpatched, soon there will be more.
Wait one cotton pickin' minute by OneSmartFellow · 2014-10-22 03:40 · Score: 1

Who the fsck embeds OLE objects in PowerPoint.

I have enough trouble getting text to display.
1. Re:Wait one cotton pickin' minute by neilo_1701D · 2014-10-22 03:50 · Score: 4, Insightful
  
  Visio charts, Project Gantt charts, Excel charts... it's actually a very useful technology, especially if you're pulling data from a live source (eg. query data into Excel, which generates charts). Much easier than querying the data in Excel, updating the graph, exporting (or copying) the graph as PNG then updating the PowerPoint.
2. Re:Wait one cotton pickin' minute by Anonymous Coward · 2014-10-22 07:00 · Score: 0
  
  No, only dumbshits and malware authors use OLE anymore.
  If you're copy-pasting or drag-n-dropping Excel charts and data grid snippets or Visio diagram clippings into a Powerpoint presentation these days (Office 2007 and later, so any time in the last 7 years), you're embedding an OOXML document fragment into the Office Package Format file.
  Word uses WordprocessingML.
  Excel uses SpreadsheetML.
  Visio and Powerpoint use DatadiagramML.
  All office formats use what is essentially a zip archive to contain a pseudo-folder structure with XML files of the above format. References to the things copied in from other programs are handled with XML reference elements to local (to the zip archive) files.
  OLE is only available as a deprecated (and after the patch that will come along from this vulnerability, probably unavailable) last resort option.
3. Re:Wait one cotton pickin' minute by Anonymous Coward · 2014-10-22 07:02 · Score: 0
  
  I have my text as Latex, sketches in Inkscape, and graphs in Gnuplot (Python-matplotlib for special stuff). I change one thing in Inkscape, execute make, PDF ready. I fetch the latest data for the graphs from the computing cluster, execute make, PDF ready. I don't remember what I changed where, no matter, execute make, PDF ready. But maybe I didn't want to keep some of those changes? No matter, being all text the document's directory is versioned, so execute git diff.
  If there are multiple related sketches, there is no duplication of graphics, everything is layered in a single SVG document. In the make target of each figure the appropriate layers are listed, and the SVG document is first pushed through xmlstarlet to make visible only those layers, before going to Inkscape to export the EPS image. After a change in a layer affecting all the related sketches... make, PDF ready.
  80's vision of the future.
4. Re:Wait one cotton pickin' minute by sjames · 2014-10-22 08:02 · Score: 1
  
  People who want to pw0n yer boxen! :-)
OLE _IS_ ActiveX by Anonymous Coward · 2014-10-22 03:50 · Score: 0

One is used in-browser but the same thing.
hum by Anonymous Coward · 2014-10-22 04:17 · Score: 0

The problem is MS never had a small tutorial during windows installation or during the first boot showing users how to create a Standard User account and have an administrative account for elevating your rights for doing administrative stuff. But now, with windows 8 during the install, you can create any type account you like, but again, no tutorial.
1. Re:hum by nabsltd · 2014-10-22 04:45 · Score: 2
  
  The problem is MS never had a small tutorial during windows installation or during the first boot showing users how to create a Standard User account and have an administrative account for elevating your rights for doing administrative stuff.
  The actual problem is that unlike Linux, doing this doesn't help you do a lot of the "administrative stuff" you need to do in Windows.
  In Linux, a normal user with sudo permission can run "sudo su -" and everything run from that terminal will have admin privileges. You can do the same thing in Windows with "RunAs" either from a command prompt or from the Start Menu with Shift+RightClick. The problems then start. First, you have to figure out what command to enter to do something that is normally only done with the GUI. Then, you have to remember that everything is being done as the admin user, so any changes don't get put into the normal user's profile. This causes problems for some programs that don't have the "install for all users" functionality set up correctly.
  In addition, there are some things that stupidly require elevated privileges but affect only the current account (like Control Panel->System->Advanced System Settings->Performance), which are thus impossible to change if your account isn't a member of "Administrators". There are also some things that even "Administrators" don't have permission to do, but "Administrator" does. And, there are some things that can't be done because you can't actually become the account that you need to be in order to do them (like "TrustedInstaller").
2. Re:hum by TemporalBeing · 2014-10-22 05:53 · Score: 3, Informative
  
  The problem is MS never had a small tutorial during windows installation or during the first boot showing users how to create a Standard User account and have an administrative account for elevating your rights for doing administrative stuff. But now, with windows 8 during the install, you can create any type account you like, but again, no tutorial.
  The problem is one of history for Windows.
  
  Windows was originally a place where every user was an Administrator. This encouraged developers to not pay attention to APIs used, so then applications came to be reliant on running only under users that were Administrators. Even Microsoft Office did that for a long time.
  
  Then Microsoft split users up and now there was a special Administrator account and group. Except users wanted to continue using all the software they had from before that split. The solution? Make all users administrators. Developers kept designing software that required administrative access - even Microsoft Office.
  
  Then came Windows Vista and UAC. Microsoft Office got fixed up; but many developers did not listen to years of warning. So then UAC started prompting the hell out of everyone. Windows 7 came along and most developers had fixed their software so UAC could be scaled back in its prompting some (really, that's the only difference between Win7 and Vista - the default threshold setting for UAC - in this matter).
  
  Of course no where along the road did Microsoft make it easy to switch between users. Sure, there's "Run As..." but it's (a) not well known, (b) a PITA to use, and (c) doesn't solve every use case. UAC doesn't quite either. In neither case do either work like the priviledge escalation in Linux/Unix with "su" and "sudo" and their graphical equivalents. So everyone still must have the administrative access to do certain tasks.
  
  And of course people are still trained that their user needs to be the Admin user for the system.
  
  So there's still work to be done on Windows to bring a real "su"/"sudo" experience to Windows; but overall it's still very much a user issue since they're all trained to and expect that their Windows user will have admin rights whether they really need them or not.
  
  --
  Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
MS Office doesn't help by Radical+Moderate · 2014-10-22 05:51 · Score: 1

... almost every doc I open is opened in a locked state, Windows tosses up a message asking if I want to unlock it to make changes, or even to print it, I believe. That's a great way to train your users to click "OK" to every message they see.

--
Never let a lack of data get in the way of a good rant.
Damn linux by Anonymous Coward · 2014-10-22 06:18 · Score: 0

That's an office software vulnerability, which is slightly less bad than heartbleed or shellshock
Libreoffice? by BellyJelly · 2014-10-22 07:06 · Score: 3, Interesting

Well, we mostly use Libreoffice at work. Are we vulnerable if we open a powerpoint file in Impress?
Broken Windows syndrome, IT version: by Anonymous Coward · 2014-10-22 07:53 · Score: 0

***not exclusive to windows
Linux by stooo · 2014-10-22 08:03 · Score: 0

Use Linux.

--
aaaaaaa
Is this it! The XP killer? by Anonymous Coward · 2014-10-22 09:06 · Score: 0

Quick yes or no question: Will this Pwn boxes with Windows XP on them?
Windows = Job Security by Anonymous Coward · 2014-10-22 11:30 · Score: 0

Using the SSL Version Control add-on for Firefox, I see that to get to the Microsoft Security Advisory linked to in the summary, I have to downgrade from TLS 1.2 to 1.0. So there's one more thing that needs to be upgraded!
Also for developers by dbIII · 2014-10-22 12:25 · Score: 1

Writing a program that demands admin rights when it does not need them (eg. to put a lock file in the root of the system drive instead of elsewhere for a purely arbitrary reason) is even lazier.

Sometimes it's better to go after the root cause of the problem and get the developers that have been left behind to understand that it's the 21st century and their desktop software is likely to be running in a multi-user, networked, multi-core, 64 bit environment. There are far too many that can't even get ONE of those things in the list right which is a major part of why so many MS Windows systems are drowning in a malware swamp. We need to get away from the "we've always done it this way" culture of being acceptable when the way it's "always been done" only makes sense on single user systems with no network connection.