Slashdot Mirror
How a Bad UI Decision From Microsoft Helped Macro Malware Make a Comeback (softpedia.com)
An anonymous reader writes: Macro malware is a term to describe malware that relies on automatically executed macro scripts inside Office documents. This type of malware was very popular in the '90s, but when Microsoft launched Office 97, it added a popup before opening Office files that warned users about the dangers of enabling macros. Microsoft's decision had a huge impact on macro malware, and by the 2000s, this type of malware went almost extinct. Lo and behold, some smart Microsoft UI designers start thinking that users might get popup fatigue, so in Office 2007, Microsoft makes the monumental mistake of removing the very informative popup, and transforming the warning into a notification bar at the top of the document with only six words warning users about macros. Things get worse in Office 2010, when Microsoft even adds a shiny button that reads "Enable Content," ruining everything it had done in the past 10-15 years, and allowing macro malware to become the dangerous threat it is today. The U.S.-CERT team issued an official threat yesterday warning organizations about the resurging threat of malware that uses macro scripts in Office documents.
Nope you need to be retarded to use *any* m$ software...
allowing a pipe as in:
Format C: | Y
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
This is rooted in Microsoft culture. Security is never a primary concern. Imagine someone with a whiny voice saying "It's too hard, I don't wanna do it, it makes things no fun" etc, etc. From the outside that seems like how they behave.
And there is the little matter of loss of institutional memory, which is the senility part. That is because they consciously exclude people of long experience. They don't hire them, and if anyone is too long on the job they get flushed out. It's cheaper and keeps the workforce docile. But the long term result is making the same mistake over and over again. Not that Microsoft is a whole lot worse then any other big software organization, but they appear to do it even more then other big outfits.
Expect them to resurrect the BSOD any day now...
Why is Snark Required?
MS makes UI decisions? I thought they just delegated UI coding to the new hires, saying "Here's a project for you to learn coding on."
Because the average user doesn't know what "Run Content" means. Meanwhile they're being told to never disable scripts, never enable adblock, always accept all defaults, and Microsoft is never wrong.
Kind of hard to give a shit what you think when you get butthurt over such a minor distinction, shill.
You can only warn but you can't prevent stupid. It's not like the code gets executed right away. You have to PURPOSELY enable it. This is no different when people install whatever off the internet because they don't know better, while running an expired virus scanner that came with their computer when they bought it back in 2011. While I understand that Microsoft is a very user friendly OS compared to something like Linux, you can really only do so much without making it TOO user friendly where you can't do anything.
Kind of hard to take you seriously since you reference microsoft as m$
M$ or Microsoft, or Redmond, it doesn't matter when the fact is that there are a lot of issues with Microsoft products, and that this is one of the more idiotic ones. Since they have a less than intelligent system that seems custom designed to allow anyone access to the computer, and since they make it so easy to happen. He isn't wrong, whether you automatically discount anyone's statement of fact when you see M$, or not.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
And what are the good UI decisions Microsoft ever made? Remember the "Start" button debacle?
I'm nominating the ribbon.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I wondered why I've been hearing about macros malware again! Granted, I haven't used office in a looong time. But I thought, wasn't that solved in like 1993... don't allow macros? Guess history does repeat itself.
Well, in most cases when you call microsoft as M$ instead of MS or such, it's like calling them "Microshaft" or similar, which makes it hard to take a comment seriously because the comment itself isn't written seriously.
I am not arguing that a lot of microsoft's software has issues, but microsoft of course wants to appeal to the masses, this complaint about not having a pop-up and instead having a bar with an easy to find button isn't less safe, it still prevents the macro from instantly running, it's just more intuitive.
I wondered why I've been hearing about macros malware again! Granted, I haven't used office in a looong time. But I thought, wasn't that solved in like 1993... don't allow macros? Guess history does repeat itself.
Defenses to threats that are not exploited become de-prioritized over time, especially when an "almost extinct" vector is the threat and you are asking hundreds of millions of people to click an extra dialog that they don't understand to begin with.
It's like smallpox. It is basically eradicated, but if it comes back we'll have an issue because we're not strict about vaccinating for it, because it's basically extinct.
Real lawyers write in C++
And what are the good UI decisions Microsoft ever made? Remember the "Start" button debacle?
Autorun, default is still enabled.
I have an old version of Heirn's bootdisk that the autorun.ini installs malware, I keep it as an example of autorun's bad side, and as a not so bright attempt at an attack - it's a boot disk (yet if placed in a drive when running Windows...).
You'll probably come across as juvenile, this may be right or wrong and again, this may be your intention.
Fact is, some people are going to switch off when they see you write "M$", or refer to their company by the stock symbol, as if that's a reasonable thing to do outside the context of actually investing in that stock.
When you're making an entirely valid and objective criticism of their company's behaviour / products (and I know you'll agree that's not difficult to do), you've nothing to gain by putting off a portion of readers by making them think you're a nutjob, even if you are.
> and what do you propose as solution?
> Removing macros? Further dumbing down systems ?
The problem is that Microsoft dumbed it too much. They have one button where they should have two. The ONLY option is the new UI is "Run Content". There should be a "No Thanks" button.
As explained in the fine summary, the recommendation is something like the old warning, which actually worked, or least an option labeled "dismiss", "cancel", or "disable macros". Here's one MS UI that worked:
http://i1-news.softpedia-stati...
Microsoft traded that for a single button with the instruction "Enable Content". There is no more "disable macros" option anymore. Anyone who isn't sure what they should do will often click the one and only option Microsoft provides: run the macros. There should be a button to dismiss the message without running macros.
Well, that's one way of looking at it. The other is that Microsoft had to cater to the lowest common denominator with big scary warning dialogs when you did something potentially stupid. And that they did that because it was new and people were ignorant, but that as a computer literate generation grew up they thought they could start taking off the training wheels. I mean, it's not like Linux gives you much warning when you break shit, yeah you might have to invoke sudo but that is the universal "trust me, I know what I'm doing" code word. And of course you'll take the shit in the forums if you don't know what you're doing, but reality is people use computers despite that. Personally I think the current button is fine, I need a choice not a lecture.
Live today, because you never know what tomorrow brings
The trouble is that the inadequate security design of MS Windows gets blamed on the users. The real trouble is that MS Windows doesn't have adequate access control and allows any program to do anything and erase or overwrite anything.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
The stock symbol is a convenient short identifier.
MS deserve the moniker M$ due to patterns of behaviour that indicate they have no integrity. Some people don't understand that organisations have a persistent culture, some are simply stupid, some are going to switch off no matter what you do, and your managers don't bother reading your emails in full.
That's life.
It's also not particularly interesting or informative to keep pointing it out as if you have some kind of special insight, unless you want everyone to "join" them in a collaborative love-in of business bullshit and become part of the problem. You cannot change all people like that, and frankly fuck them if the alternative is to be co-opted into the church of the subpar.
I'm too lazy for MS's shenanigans. I just enable macros by default in outlook to run an auto-bcc vba script without being bothered all the time.
Linux has the same problem.
A limited user (even without sudo rights) launches a buggy application and opens an infected document. The virus can then proceed to encrypt all the files that the user can modify.
The system files will stay intact.
The documents of the user will get encrypted.
The user usually cares about being able to access his documents, so the damage is done even without root access. If this happens on a single user desktop, then the damage is the same as if the virus had root access. In both cases you have to restore the PC from backups (if you have them).
...was when they decided that hiding the extension was a great idea and made it default in XP.
trojan.jpg.zip anyone?
How about just adding back the fucking warning popup that was so fucking effective.
You still get to use macros, just like before.
Sleep your way to a whiter smile...date a dentist!
When you write it as 'M$' it tends to give the impression one of the big issues you have with them is they've made a lot of money
That is a completely legitimate issue to take considering how they made a lot of that money.
Think "antitrust".
Stuxnet doesn't even need autoplay to be enabled.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Kind of hard to take you seriously since you reference microsoft as m$
Well having installed Microsoft Windows 10 from ISO onto a virtual machine and having looked at the definition of Malware I do think people who install it are taking a huge risk. I actually have my virtual machine off and if I turn it on it is only for testing purposes however I actually switch off my virtual network. For those who want Windows 10 you could liken them to a frog put in lukewarm water then slowly turn up the heat and the frog won't notice until it's too late.
Yes, I am aware that it is possible to turn off most of the intrusive parts of Windows 10 providing you know what you are doing with the registry (most user have no idea what this even is) or you trust third party software. Even then you won't be able to fully turn off snooping. Still those that think this does not matter have been pretty well parboiled anyway and it's utterly pointless saying anything to them.
Looking at windows 10 it does have a pretty interface providing you don't mind a combination of Windows 7 and Windows 8.1. Comparing against my machine running Fedora 23 with KDE (Xfce is also great as well) Win10 has limited configuration ability although for most people that's fine. As for applications, I won't deny that Win10 has more but for most applications that run on Win10, I can find an equivalent, maybe not 100% equivalent but it will let me do what I want to do.
Games are probably one of the major issues which faces Linux today however you can get a huge amount of games that are native (please no TuX Racer references it only shows that you are ill-informed) either native, compatibility layer, SteamOS or on a virtual machine that is running Microsoft Windows if you can only get your gaming fix that way. You can even play web based games for those that like this sort of thing. Barring all that there are always consoles.
Before anyone says "specialty applications", I am aware of those as well and all I can say is you are locked in and the water must be getting very hot now, not that you would notice anyway.
There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
When you write it as 'M$' it tends to give the impression one of the big issues you have with them is they've made a lot of money
That is a completely legitimate issue to take considering how they made a lot of that money.
Think "antitrust".
Does you iPad come with a default browser made by Apple, or does your Nexus come with a default browser made by Google? Those are the kind of things that were at the center of the "antitrust" case against Microsoft.
Both Apple and Google have made billions with their proprietary ecosystems but I don't see you calling them Apple$ or Google$.
lucm, indeed.
Yeah Stuxnet sucks. It totally screwed up my nuclear program infrastructure. That's the price I paid for letting the trial McAfee expire on my new cheap Asus laptop.
lucm, indeed.
How is there news about Office 2010, which was presumably released 6 years ago. Who even uses Office these days, Google docs all the way... or a Markdown editor.
Not if SELinux or AppArmor is enabled
Look at the shape of the $ and you'll figure it out.
...which coincidentally was also in Office 2007 as well. I guess I'll be okay then, since I refuse to use ribbonized versions of Microsoft Orifice.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
That is because when they write "M$" they come off as this guy and nobody is gonna take this guy seriously.
ACs don't waste your time replying, your posts are never seen by me.
You have to be retarded to click on "Run Content" if you don't trust the source..,.
People are, and will be idiots, what is new?... ...and what do you propose as solution?
Removing macros? Further dumbing down systems ala Apple?
Fuck. That. Shit.
The dumb part was attempting to "enrich" our documents with this bullshit when 99% need a damn word processor and that's it.
Adobe Reader v5.x was less than 10MB in size. That program has now grown to obscene proportions, and for what justified reason? I still use Adobe Reader for the same fucking reason TODAY that I did 15 years ago, as do 99.999% of users. To read PDFs.
Perhaps you think the stupidity light needs to shine both ways to enlighten us of this problem, but since I tend to favor root cause analysis, I tend to point the finger at who started this bloatware shit.
All I want and need is a fucking hammer, not a pneumatic-powered, pressure-sensitive, electronic-triggered, app-powered driving device.
TL; DR - K.I.S.S. principle is still valid no matter what century we live in.
People *Think* they trust the source too, when they actually have no actual proof of who the source is, for instance a spoofed email, or an email which actually came from the computer of someone they know (but that user had previously been infected with malware)...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
The real issue here is that macros and scripts should always run in a very well designed and hardened sandbox. No matter what your script does, it won't be able to do more than screwing up the spreadsheet it came embedded with. It really is insane that a macro could harm your computer, except in Microsoft's world.
The culprit is simply bad design. Nobody in their right mind would allow arbitrary scripts from unknown sources to be run freely in an environment where they can affect things outside that environment.
Seriously, what kind of head injuries do the people at Microsoft have?? This is an enormously STUPID decision made by enormously STUPID people.
Ask technically-savvy people about this and 99.99999% would say, "Don't do this", but the wizards at MS in their infinite wisdom do it anyway?
WTF, Microsoft?? Do you want your users to be fucked over?
Just cruising through this digital world at 33 1/3 rpm...
Because there's more to Office than just Word, and having the ability to add custom code actually has a large benefit to programs like Excel and Access. And maybe someone wants Excel to generate an email in Outlook or a Word document as a report, or update a PowerPoint presentation? Just because you don't use a feature doesn't mean that someone else doesn't have a very legitimate use for it. There's a reason why macro support is often cited as a weakness of competing suites like LibreOffice.
Of course, we all know that in Windows, clicking the X on the right now means "go ahead and do it". :)
Somebody had to say it.
Often times at work, one co-worker e-mails an Office document to another. The recipient opens the document from their e-mail, clicks the Enable button on that yellow notification bar to switch from read-only mode to editing mode, and then views the document without making any changes. Whenever I see this, I point out to the person that they should not click that button unless they're read what the notification says (click to enable editing), and they should only click it if they need (and know they need) what it enables.
Supposedly things are set up at work where macros can't run from the C: drive, which is where Outlook stores files opened from an e-mail, so many it won't be an issue if a document with a malicious macro comes in from the outside. Nonetheless, I'll continue my quest to try to get everyone to be just a little more careful about what they're enabling.
I think the worst decision was putting security functions in dynamically loaded libraries and allowing them to be dynamically hijacked
When you write it as 'M$' it tends to give the impression one of the big issues you have with them is they've made a lot of money, and that you make a point of expressing that whether or not it is necessary or relevant. It may be that you actually want to give that impression, in which case power to you.
Keeping in mind that it wasn't me that typed M$, I wonder, do you give more veracity to pretty people because you think a pretty person is smarter than an ugly person? Because if you automatically reject a person because of a typed dollar sign you are going to be easily manipulable.
I'll read the person's words, and decide the veracity of their statement, not this sort of find one word, and declare what was written was untrue.
You'll probably come across as juvenile, this may be right or wrong and again, this may be your intention.
When I use words like that, it's usually for shock value. It's all just noise on the internet.
Fact is, some people are going to switch off when they see you write "M$", or refer to their company by the stock symbol, as if that's a reasonable thing to do outside the context of actually investing in that stock.
I believe you - I believe that is a fact. I also believe that a person who does that is impressively shallow, and frankly, I'm not going to convince them of anything. Nor do I care. They have decided the truth based on one simple word. Sounds like your people could determine if something is truth or a lie just by performing a find on it, for M$, and not even read it. That sounds to me like exceptional intelligence, you agree? The way to get to the absolute truth.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
That is because when they write "M$" they come off as this guy and nobody is gonna take this guy seriously.
The neat part is, you can determine that they are lying without reading their post. Just skim it for the lying word, and you have the truth, from God's lips to your ears.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I think you mean 2003, but in all other ways yes. 2003 was the last version before they decided to ditch the menu bar for their precious "ribbon". I think it's because OpenOffice was reaching a point of being a reasonable replacement, almost indistinguishable on the surface, so Microsoft felt like they had to make Office... different.
The sad thing is they took away some really useful advanced features from 2003... like being able to create your own custom buttons with a little pixel editor and assign them to macros you write for automating repetitive tasks. Gone with the coming of the wretched, unbidden ribbon, the solution for a problem that didn't exist. There are some improvements and bug-fixes that come along with 2007 and 2010, but at the cost of having to train employees on a custom ribbon with the collection of buttons they used to rely on on a toolbar (because with the ribbon, you only get one toolbar... just because). If this included a custom button, you're out of luck.
I just can't think of how dumb this is, because all the customization capability of 2003 was effective product lock-in for Microsoft, making OpenOffice a less-than-ideal alternative for shops with a lot of time-saving macros (no, not the kind of macros that travel with documents as malware). Microsoft traded this for a fucking ribbon, because... I don't know, pick one:
1. unless it looks different, nobody will buy it
2. all the pre-ribbon developers were either retired or promoted to management, and new-hire young developers didn't want to read old code
3. some VP wanted to make her mark, droning: out with the old, in with the new, change is good, you see that? I did that! Promote me!
4. some focus group mistook OpenOffice for Microsoft Office, and that's got to stop
5. copyright/trademark the ribbon, thereby put a stop to free software coming up with same-looking turnkey replacements
None of the above have anything to do with creating a better, more useful or productive product for the customer, but with proper focus groups Microsoft can astro-turf their way into promoting the ribbon as an improvement. If there weren't a stack of less-visible but important features in Microsoft Office that Open/LibreOffice still haven't replicated (here's an incomplete list), my organization would have shimmied out of Microsoft's shackles long ago.
Take it easy, Charlie, I've got an Angle...
Geez, I wish I could use one of those magical systems like Linux or Mac OS that don't allow the user to deliberately run software they've deliberately downloaded from the internet, and have it modify user files on the system that they've deliberately given it permission to access.
What on earth are you blathering about? You been drinking the Friends of Microsoft Koolaid again? Can't tell if you are being sarcastic, or baked - in any event, you are wrong.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I'd wondered if I should've clarified that in my post. In any event, it has been now. I'm really just responding to you because you're not an AC (I'll explain soon). Just looking to have conversation about it, not tell anyone off.
Not to the extent I can be aware of my own biases. Again, I chose to respond to you because you're not an AC. It's not because I think logging in lends veracity to your argument, it's just that engaging in conversation with a group of unknown number or reputation has proven to be very unrewarding in my experience. When I do make judgements like this, I like to at least be able to stand by them with reasons
I don't write people off just because they write 'M$'. You have your reasons when you do, and it doesn't really bother me. As another poster said, I have to admit considering the company's abusive behaviour it's to criticise them - and it is. I don't look down on people who think and say MS are shady.
All I'm saying is, coming from someone who used to write M$, and does no longer: as I've matured I've found it a lot easier to make my point heard when I don't decorate it with extra baggage that prompts your listeners to start making judgements about you.
Whether the judgements are sound or not, people will make them. Sometimes people you're genuinely trying to sell yourself too, no randoms on Slashdot. All things being equal, the post without the dollar sign embellishment will be better received, in my opinion.
I don't have a "people" that all think like I do. I'll forgive your snark on the basis I think you've misunderstood me a little.
You're sent a document from someone you interact often with. Maybe it's a business that might use odd security measures (like a lawyer, bank, or doctor's office).When you open the document it says:
------------------^
Click to view document
That's it, no more content.
Now, I wouldn't click on it, you might not either. But there's enough people out there who will follow instructions, or will click on the most obvious button to make an annoying alert go away.
The right to protest the State is more sacred than the State.
That is only because Apple and Google do not have an "S" in the name that can be easily swapped out for a "$" to symbolize our distrust for them. Don't worry, we'll come up with something for them too.