Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft To Block Flash In Office 365 Starting January 2019 (bleepingcomputer.com)

Posted by msmash on from the up-next dept.

An anonymous reader writes: Microsoft plans to soon block Flash, Shockwave, and Silverlight content from activating in Office 365, it said. The block, however, will only be applicable in Office 365 subscription clients -- and not in Office 2016, Office 2013, or Office 2010 distributions, the company added. The change is set to come into effect starting January 2019. This is a full-on block, and not just Microsoft disabling problematic controls with the option to click on a button and view its content, BleepingComputer reports. The block means that Office 365 will prevent Flash, Shockwave, or Silverlight content from playing inside Office documents altogether.

Microsoft cited various reasons for taking this decision. It said that malware authors have abused this mechanism for exploit campaigns, but also that Office users rarely used these features. In addition, Microsoft said it was also taking this decision after Adobe announced Flash's end-of-life for 2020.

42 comments

  1. Why was it there in the first place by Oswald+McWeany · · Score: 5, Insightful

    Whilst I have to commend MS taking the action to remove these nasties from Office, I have to ask... ... why did it allow them in the first place?

    --
    "That's the way to do it" - Punch
    1. Re:Why was it there in the first place by MachineShedFred · · Score: 3, Interesting

      Likely for HTML emails. And yes, that's still stupid.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    2. Re:Why was it there in the first place by thegarbz · · Score: 2

      why did it allow them in the first place

      I remember once the goal of computers was to be able to do anything anywhere regardless of whether it made sense to do so. Complete seamlessness on both an application and content level. It's a logical extension of OLE allowing native editing of spreadsheets embedded in word documents for instance. Not a crap goal by any means, but one that in its generic case may not make a lot of sense for individual specific use cases.

      It stands to reason that a content element completely ballsed up from a security point of view would as such introduce security problems in the systems which allow it to be embedded.

    3. Re:Why was it there in the first place by jellomizer · · Score: 3, Insightful

      Well lets go back 20 years.
      HTML 3 was the common version of HTML. Which had a lot of necessary features missing, So tools like Java Applets, Active X Controls and Macromedia Flash were made to fill in the Gaps. It wasn't great but it solved the problems that was happening.
      Java Applets were always really slow, Active X was insecure and dangerous, Flash was the fastest at the time, and worked across platforms.
      Microsoft later made Silverlight to try to take over Flash, with minimum success.

      Active X and Silverlight were part of Microsoft Browser War arsenal. Because Microsoft was hoping by winning the browser war, they would have control of the standards. While they won the war by IE 6, their objective to control the standards didn't pan out too well. However its attempt created a large number of legacy programs that used such plugins. That is hard to get rid of.

      Now that HTML 5 Supports most of what These legacy plugins did. They are no longer needed, but removing them needs to be a gradual planned event.

      Why did they start in the first place? Because the standard wasn't fully supporting the features that were needed.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Why was it there in the first place by tepples · · Score: 1

      HTML 3 was the common version of HTML. Which had a lot of necessary features missing, So tools like Java Applets, Active X Controls and Macromedia Flash were made to fill in the Gaps.

      Yes, there were some gaps in HTML's styling model, which CSS eventually resolved. But quite a few vocal Slashdot users, particularly those who have disabled JavaScript, would argue that there were no serious gaps in a document format to begin with.

      • Instead of a Java applet, a software publisher could instead ship a stand-alone Java application that the user could choose to download and install.
      • Instead of an ActiveX control, a software publisher could instead ship a stand-alone Windows application that the user could choose to download and install.
      • Instead of a Flash object, a software publisher could instead ship a stand-alone AIR application that the user could choose to download and install.

      In each case, HTML would remain a document format rather than an application platform, and users would have a choice as to whether or not to run a particular application.

    5. Re:Why was it there in the first place by yodleboy · · Score: 1

      Except that general users were being told that downloading and installing apps was a surefire way to get a virus. Something that just ran in the browser was seen as safe (for a while anyway).

    6. Re:Why was it there in the first place by Anonymous Coward · · Score: 0

      It used to be the only way to get videos into a powerpoint (the other was animated GIFs). Also, a lot of companies used it to do realtime updates of charts, graphs, etc. in presentations or reports.

    7. Re:Why was it there in the first place by Gr8Apes · · Score: 1

      Honestly, as a document format HTML was pretty much fine for everything necessary 20 years ago. Applets/ActiveX/Flash were providing interactive functionality that HTML was never intended to supply.

      --
      The cesspool just got a check and balance.
  2. Will they also block MS Office documents? by Anonymous Coward · · Score: 1

    If they're worried about security, shouldn't they also block virus vectors such as MS Word and Excel?

  3. Microsoft Blocks Microsoft Silverlight by Anonymous Coward · · Score: 1

    Houston, we think we found the problem, and it is us.

    1. Re:Microsoft Blocks Microsoft Silverlight by randomErr · · Score: 2

      At the company I work for we use a sever products that have exclusive interface with Flash or Sliverlight. Our concern is what happens when these products have reached thier End of Life. I know the first thing a lot of people will say is 'switch vendors'. It's not that easy.

      We would love to but we have contracts, working relations, and thousands of hours of setup and training on these products. We are looking for alternatives. But until we find them we have to launch VM's for these applications.

      --
      You say things that offend me and I can deal with it. Can you?
    2. Re:Microsoft Blocks Microsoft Silverlight by Anonymous Coward · · Score: 0

      You won't be the first. At least VMs are an option now - back in the day we had to keep an OS/2 build system alive in order to be able to rebuild a few OS/2 workstations to drive a batch scanner used for accounts payable software that interfaced through Microchannel and talked to an IBM mainframe via SNA.

      We had to keep all of that shit alive until they found a new scanner capable of talking to that mainframe. Whole drive shelves of 9.1GB SSA drives that any time it lost power, you were guaranteed at least one drive being mechanically dead.

    3. Re:Microsoft Blocks Microsoft Silverlight by darkain · · Score: 1

      I still use HP LaserJet 2100 printers in production. They are a little slow and clunky, but are otherwise perfect. No maintenance needed after setup other than paper filling once a week and toner every several months. They have a "web" based configuration interface though, and by web I mean it loads a bunch of Java applets (one per menu, and another for the main body). I keep a WinXP VM around with Java 6 and Internet Explorer 6 just for this particular case. I'd honestly suggest building things like this now while it is still possible. It is getting harder and harder to find installers for older versions of Java.

  4. More proof M$ hates customers by Anonymous Coward · · Score: 0

    They just keep deciding to break things. They shoves these features down our throats and then they take them.

    1. Re:More proof M$ hates customers by OneHundredAndTen · · Score: 1

      Well, Google is also fond of dropping things more or less randomly, screwing its customers in the process. Caveat: this is not meant to be interpreted as an apology of MS, whom I hate with passion and hope to see burn in hell some day.

  5. you remember wrong by Anonymous Coward · · Score: 0

    I remember once the goal of computers was to be able to do anything anywhere regardless of whether it made sense to do so.

    you lived in microsoft's fantasy world and you really did swallow all of the kool-aid

    It's a logical extension of OLE

    this is a smelly fart from the bad kool-aid

    Not a crap goal by any means

    oh man what a stinker, take this nonsense elsewhere

    1. Re:you remember wrong by thegarbz · · Score: 1

      you lived in microsoft's fantasy world

      It wasn't Microsoft's fantasy world. It was everyone's fantasy world. Hell Microsoft and computer companies in general were trying to replicate what science fiction writing had been showing us for many years. Apple was doing it to, they did it on a hardware / product interaction level and it worked a treat.

      Everyone swallowed the coolaid.

      oh man what a stinker, take this nonsense elsewhere

      Oh I did. I closed my browser, turned off my computer, opened my phone and kept going typing this message. I'm sorry your nose is so sensitive. It must be hard living in the reality you so despise.

  6. They were able to play in *office*? by cascadingstylesheet · · Score: 1

    They were able to play in *Office* before? Seriously? Why?

    1. Re:They were able to play in *office*? by orgelspieler · · Score: 1

      I could see using Silverlight in a PowerPoint presentation. Someday. Right before autodefenestration.

  7. Someone will find another way to get in by Streetlight · · Score: 1

    I've never seen any Office documents embedded with Flash, Shockwave or Silverlight inclusions that I know of. Blocking these because they could contain malware means that someone will, or has already, figured out another vector to inject malware into Office files. Others more knowledgeable can comment on the possibility.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  8. Great! by Opportunist · · Score: 1

    Ok, Javascript next, please.

    Oh. Wait...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Great! by tepples · · Score: 1

      Say you are designing a form into which a user can enter data, and the requirements for this form include quickly validating data on the client side to give feedback that is faster than a round-trip for authoritative server-side validation. Not all users of this form are using the same operating system. Other than JavaScript, what means for real-time client-side validation would you prefer?

    2. Re:Great! by Opportunist · · Score: 1

      Javascript in a web application, using a browser for input that runs in a sandbox.

      Next question.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Great! by tepples · · Score: 1

      Question 2: A vocal minority of users file support tickets to the following effect: "I don't want any JavaScript. I liked HTML better back when it was a document format." What should I tell them?

    4. Re:Great! by Opportunist · · Score: 1

      (noscript)
      Get out of the fucking time machine
      (/noscript)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. TIL by Anonymous Coward · · Score: 0

    flash could be played in word documents.

  10. Now take Silverlight out of Windows Server. by ErikTheRed · · Score: 3, Interesting

    Yet they still try to cram Silverlight down our throats continuously on Windows Server updates (yes, I know that with enough hassle this can be turned off, but...). There are probably like six people using it for some oddball VDI application; for the rest of us it's a stupid nuisance.

    --

    Help save the critically endangered Blue Iguana
    1. Re:Now take Silverlight out of Windows Server. by Anonymous Coward · · Score: 0

      Wait...you aren't controlling updates at all? Are you stupid? Or just inept?

    2. Re:Now take Silverlight out of Windows Server. by jwhyche · · Score: 2

      Netflix used to use that silver light crap. I remember every few months I would have to pull it out by the roots because it would go off the rails. Giving some drm error.

      Good riddance to bad rubbish.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
  11. Blatantly Illegal by Anonymous Coward · · Score: 0

    Microsoft cannot prevent a competitor's product from running on its O/S. That would be anti-competitive, monopolistic, and not to mention illegal.

    1. Re:Blatantly Illegal by ripvlan · · Score: 1

      Those technologies still run on Windows. Just not inside of MS-Word.

    2. Re:Blatantly Illegal by MachineShedFred · · Score: 1

      which is why they are only disabling it for new versions of Office?

      I'm not saying you need to read the article, but please at least read the HEADLINE.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  12. It's not the techologies stupid! by Virtucon · · Score: 1

    It's not the technologies, it's the platforms that implement the technologies and the crappy code they represent that create the exposure. But it's
    easier to just block the technologies.

    On a positive note, I guess this shows folks on O365 how easily their TOS can be fucked with.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:It's not the techologies stupid! by MachineShedFred · · Score: 1

      So what you are saying, is that Flash would be completely excellent if it weren't for every flawed and exploitable version of Flash Player, and every web browser it ever plugged into, and every OS that ever ran it.

      But Flash is just fine, guys!

      In case you are sarcasm-impaired: Flash-specific security exploits don't work if Flash isn't there.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  13. Things I did not know... by ripvlan · · Score: 1

    I didn't know you could even do this. So it won't be missed by me.

    Apparently the hackers knew though !

    I wonder if they'll get rid of all DCOM stuff though?!

  14. Microsoft: "The whole world is our beta tester." by Futurepower(R) · · Score: 1

    If that update will be like the updates to Windows 10, expect that the first version will Flock Bash.

  15. They've also blocked EPS images recently by hackertourist · · Score: 1

    In an Office 365 update last month, Microsoft removed EPS image support. The EPS filter had been defaulting to 'off' since last year (could only be enabled via the Registry), but now they've removed support altogether. Without warning, and without indicating to the user what has happened (the user just gets a red cross instead of an image).
    This has bitten us in the ass bigtime, as we have libraries containing thousands of EPS files, which are used for publishing to Word files. Needless to say, we're migrating all accounts that use EPS files away from Word as we speak.
    We also regret migrating from on-premises installations to bloody Office 365 subscriptions.

  16. Too bad, so sad, big tear, right here. by eskayp · · Score: 1

    Adios, you motherflashing software cesspool.

    --
    I didn't desert Windows; Windows deserted me: BSOD
  17. Re:Other virus vectors, too... by Anonymous Coward · · Score: 1

    Then you should probably stick with only fantasizing about their cocks and maybe visit a doctor of the listening kind to deal with your penis envy.

  18. Re:Now take Silverlight out of everything! by antdude · · Score: 1

    Is Silverlight even used today? I haven't seen any web sites using it for years.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).