Office Assistant: Yet Another Security Hole

A lot of people have been submitting the news from ZD-Net concerning the security hole found in the Microsoft Office Assistant, Satan the Paper-Clip. Er...rather, "Clippy". Dildog, of @Stake, found the hole, which is quite similar to the recent Outlook security that allows for automatic scripting.

Yes!!!!!!

[stokessd]

Thank you slashdot, these stories make my day. Everybody where I work uses office for everything. I get unformatted text attachments created in word e-mailed to me all the time. I run star-office to read them only to find out that it's just plain text that could have been put right in the body of the message. Hurt those people badly.

Sheldon

Who uses them? You have a mom?

[The Queen]

My Mom loves that little paper clip guy. She sent me email about how to turn him on and all the 'cute' things he says. (groan....)
Who has to bail her out with an hour of support over the phone when something f*cks up? You and me, baby. Multiply that by how many middle aged mom secretary-types there are in all the offices across this nation...

The Divine Creatrix in a Mortal Shell that stays Crunchy in Milk

Re:From Microsoft

[knarf]

Microsoft states in their FAQ:

Is this a vulnerability in the Active
technology? No. This vulnerability results
because of a manual error in marking the
particular control at issue.

Manual error? But why then does the "Show Me" function need to be disabled to negate this threat? Or was this entire funcionality the result of a "manual marking error"? Or might it be that ActiveX does not offer fine-grained control over who is allowed to do what to which data? In other words, a "design problem" with ActiveX?

Goobers

[shizat]

I gots a pocketful o' Goobers. And three Mike 'n' Ikes. Plus one piece of Double Bubble.

Re:Even Better

[Anonymous Coward]

ooh, maybe then you could sell your hoarded karma on e-bay!

Re:Darth Paperclip!

[Phallus]

Too many w's on your url - www.microsith.com [microsith.com] is the right one.

tangent - art and creation are a higher purpose

Re:Real physical papr clips are a security threat

[fReNeTiK]

iMac owners need not apply.

Actually, the iMac has a similarly shaped button used for hard resets. When the damn thing locks up again to the point where the soft-power buttons don't work anymore, it's either that or pull the power cable...

Did I mention I hate soft-power buttons? There you go.

It's talking to you

[zaf]

It sends subliminal messages, visually, and if you have a sound card, aurally! Those little bounces and shapes it makes are just a cover for what it's really doing!

Don't blame us, we're just the postoffice...

[redlemon]

This was the line along which Microsoft Europe responded to the ILOVEYOU virus.

I think this is basically a wrong metaphor. A more apt one would be to compare Microsoft to the builder of your house. Not only did he build it on a foundation of quicksand, but he also connected your mailbox directly to your safe. Anybody can get your valuables out, and also anybody can slip anything in.

You open the door of your safe: Suprise!!!
Empty, save for a silly paperclip holding a note: ILOVEYOU

Lyon

A dancing...what?

[Kmon]

...Dildog, of @Stake, found the hole, which is quite similar to the recent Outlook security that allows for automatic scripting.

At first read, I thought Dildog was one of the office assistants!

Re:Even worse than a security hole

[Fishstick]

>If they were so smart, how come they agreed to take stock options?

Because of this? [yahoo.com]

Keep in mind that until January this year, MSFT was always going in the same direction. Notice also the little arrows that indicate stock splits.

Up until a few months ago, MSFT stock options would look pretty sweet.

What about Vigor?

[oinkoink]

Do I have to worry about the Vigor Assistant too?
oink!

Re:Mr Hankey Assistant

[fReNeTiK]

Is this [red-bean.com] what you're looking for?

;)

So what else is new?

[scott@b]

Microsoft has a _long_ history of products with security holes. I think every network supporting OS major release made the drives on your machine public. IE did it, too. And once when I was forced to get the Powerpoint viewer app I noticed that the current release was a fix to a "problem where the user's drives would be published on any connected network". Uh, a viewer app made my drive public - this doesn't sound like a simple programming bug to me.

Then there was the copy protect diskwiping trojan horse someone at MS put into ? Excel ? eons ago. Me thinks they drink a bit too much caffeine in Redmond.

Power

[DonkPunch]

ZDNet uses the word "power" several times in their description of Office Assistant.

#define powerful unemcumbered_by_security_restrictions

p.s. -- Guys, the lameness filter is lame. The above string was too long before. I fixed it, then it told me I had to wait 70 seconds before posting.

Closed Operating Systems

[Tiger Smile]

Closed Operating Systems have many of these, hope the public never finds them, security holes.

What I really wonder about is, is using a closed OS like Windows considered reasonable security under the law. If I were to leave the doors unopened to my car the law would car little for my stole property, unless I went to a reasonable effort to secure my car. People who "lock" away data without all the information, or worse yet, without even asking for all the information, are they somewhat to blame. In the USA, it's a buyer be ware market. The buyer has, in this case, purchased a product wich they were less than informed about.

I don't see as Microsoft has to do anything about this. The only reason to issue any patch is to save the customer base. But are they in any way required to release a patch?

Well in any case, you get what you ask for more often then what you pay for it seems. If Microsoft was well aware of these latest security holes (it would seem they would have to be), who is to blame for the damaged product? Microsoft or the consumer who failed to understand just what they were paying for?

-- James Dornan AKA TigerSmile "Long live the PORK!"

HA HA HA HA HA

[corarc]

Yet another example of the inferior coding by Micro$oft!

I can't believe that such a simple little (HA HA, you should see the RAM hit for this guy) window can pose too much of a security risk, unless it is badly coded by M$ of course!

Q: When will M$ stop producing naff code and write something decent? A: The day it joins the OpenSource revolution!

Come on Microsoft, remove that stick from your anus and join the revolution, it can only do you good.

corarc

Last freakin' straw!!

[alumshubby]

Although I'm keeping my Win98SE installation on my Dell for work-related reasons for the time being, I'm going to run 98Lite to strip out IE from my Windows setup and make a note never to run any Office app while I'm online. These bugs are driving me nuts!!

If BG wants to innovate for the customers' and stockholders' benefit, more power to him. I just wish to h-e-double-toothpicks he and his minions would make all this stuff WORK RIGHT.

Re:A thought.

[Alarmist]

I advise you to go consult a psychologist to have your paranoia treated.

I don't expect you or anyone else to believe what I have to say. I wouldn't have believed it myself a few years ago. Still, it is a bit disheartening to have one's opinions dismissed without even the courtesy of a good rebuttal.

To each his/her own, I suppose. Still, for your sake, I hope you realize that the world is not a pretty place with rosy tints. Behind the flashy, eye-catching facades lurks a dangerous, manipulative world of faceless entities engaged in complex struggles to no easily-discernible end. All we know is that they want power. Maybe this doesn't bother you. I know it bothers me.

Re:A thought.

[astyanax]

I don't have to see a "boogie man" around every corner to know that there are forces in the world that will treat me as a mere resource to be exploited. Some of them want my money. Some of them want my votes. Some of them just want to be able to tell me what to do because they enjoy controlling people.

o/~ Some of them want to use you...
Some of them want to get used by you...
Some of them want to abuse you...
Some of them want to be abused... o/~

Sorry, this popped into my head as I was reading, and it seemed apropriate ;-)

Microsoft got "Free Speech" Award!

[AShuvalov]

http://samovarawards.com/

"Free Speech" award
goes to.. Microsoft. Yes, we all know that story when the monster
published essential piece of Kerberos interoperability specifications
under trade secret notice in hope to compromise Samba developers with
illegal knowledge and to establish a new legal precedent of "nobody can
implement those specs".
But, one of obvious outcome of the antitrust battle is the required openness of all Microsoft
API's. That's what will be too late to protect in the High Court - once the bird is out of the
cage, you can't put it back. Please, help me to write a list of young fellows waiting to kick the
behemoth's butt: Netscape/Mozilla, Samba, RealNeworks, StarOffice, CorelOffice, etc.

What about the other assistants?

[Befonte]

Sometimes I wonder, people always have a go at the paper clip (and he is annoying) but I have a friend who refuses to go near the cat because it 'acts like it owns the place'- shureley M$ only decent attempt at AI?

Cat AI? what next, rabbits?

***Please wait whilst Windows procreates rapidly**

doom is coming, mark my words...

The Paperclip.......

[defj]

[sincerest apologies to Edgar Alan Poe,
who will be turning in his grave and
the unrecognised author of this gem (not me that's for sure)]

Once upon a weeknight dreary,
while I coded, weak and bleary,
Over many a quaint and curious system
of my SeQueL calls,
While I nodded, nearly napping,
suddenly there came a tapping,
As of typing, gentle rapping,
tapping through my cube's grey wall
"Tis some worker still," I muttered
"typing in this office floor --
Only this, and nothing more."

Ah, distinctly I remember
it was in the bright December,
And each product, documented
cast it's shadow on the floor.
Eagerly I wished the morrow;
-- vainly I had sought to borrow
From my work surcease of sorrow
-- sorrow using 'net Explorer --
For the slow and ponderous creature
whom Bill Gates has named Explorer --
In PCs for evermore.

And the dull and muted creaking
of the gentle sounds of typing
Thrilled me -- filled me with fantastic
terrors never felt before;
So that now, to still the ranting
of my mind, I stood still chanting
"'Tis some worker typing emails
on their PC through the wall --
Some late worker coding softly
in their cube just through the wall; --
This it is, and nothing more."

Presently my soul grew stronger;
hesitating then no longer,
"Sir," called I, "or Madam,
truly your forgiveness I implore;
But the fact is I was napping,
and so gently you sat typing,
And so faintly came your tapping,
tapping through my cube's grey wall,
That I scarce was sure I heard you
-- here I stood and looked next door; --
Darkness there and nothing more.

Deep into that darkness peering,
long I stood there wond'ring, fearing,
Doubting, dreaming dreams
no mortal ever dared to dream before;
But the silence was unbroken,
and the darkness gave no token,
And the only word there spoken
was the whispered word, "Explore!"
This I whispered, and an echo
murmured back the word, "Explore!" --
Merely this, and nothing more.

Sinking back in my cube turning,
all my soul within me burning,
Soon I heard again a tapping
somewhat louder than before.
"Surely," said I, "surely that is something
at my neighbour's keyboard;
Let me see, then, what the threat is,
here behind my office wall --
Let my heart be still a moment
and this mystery explore;--
'Tis a person, and nothing more!"

Slowly here I pushed my chair back,
as my hard drive seeked a new track,
Up there popped an MS agent
appearing in an icon form,
Not a cancel button had he;
nor a way to kill or maim he;
But with bubble speech just like a cartoon,
perched above my web explorer;
Perched upon a window showing off a page
of witty speech galore --
Perched, and sat, and nothing more.

Then this paperclip sat beguiling
my sad fancy into smiling,
Fixed it's gaze and stared intently,
through my soul it tried to bore,
"Though thou merely animation,
thou" I said "are a creation,
In PCs across the nation,
upgrade free from Redmond's door --
Tell me what thy process name is,
thou art here, pray tell, wherefore?"
Quoth the speakers "Nevermore."

Much I marvelled this "assistant"
was to closing quite resistant,
Though it's purpose little useful
-- giving hints unask-ed for;
Nothing farther then he uttered
-- not a pixel then he fluttered --
Till I scarcely more than muttered
"Others have yet crashed before --
On the morrow _he_ will leave me,
as the rest have crashed before."
Then the thing said "Nevermore."

Then, methought, the screen grew denser,
blanked out by an unseen censor
Blacking out the non-work emails
sitting in my outbox drawer.
"Gates," I cried, "thy spawn hath lent thee
-- by these programs thou hath sent me
Millions -- upon millions of the dollars
over which we all do fork;
For this vile and odious creature
you have conjured with explorer;
From my speakers "Nevermore."

"Icon!" said I, "thing of evil!
-- process still if code or devil! --
Whether patched remotely
or by other means installed,
Pixelled beast art undaunted
by my clicking -- still you taunt me --
Which foul beast hath built thy sources
-- tell me truly I implore --
Is there -- _is_ there yet a way to kill you?
-- tell me -- TELL ME, I implore!"
Quoth the Icon "Nevermore".

"Icon!" said I, "thing of evil!"
-- process still if code or devil! --
By that network spans between us
-- by the protocols galore --
Tell this soul with caffiened terror
if, without a system error,
there is yet a way to exit
from this process I abhor --
can I kill the evil icon
of this process I abhor?
Quoth the Icon "Nevermore".

"Be that word our sign of parting,
paperclip!" I shrieked, upstarting --
"I shall pull the plug and then
you shall appear no more!
Leave my system yet unbroken
and take thy visage, evil token!
Go with no more words a-spoken
-- thou invoke no evil lore!
Take thy clip from off my screen,
and take thy code from off my core!"
Quoth the Icon "Nevermore".

And the icon, never quitting,
still is sitting, still is sitting
On the glowing screen of phosphor
just above my net Explorer;
And his eyes have all the seeming
of a demon's that is dreaming,
And the cursor o'er him streaming
throws a shadow on Explorer;
And my work into that shadow
that lies over my explorer
Shall be lifted -- nevermore!

Re:A thought.

[WebSerf]

I don't know, if they wanted to spy on you why put the spy code in something as obvious as Satan's favorite paper clip? Something of the James Bond effect here. That is, a spy who acted like James Bond, seducing women, throwing money around and driving fast cars would draw too much attention to himself and get his cover blown. It's the quiet accountant who lives in a modest house who always turns out the be the one. The analogy to that would be a nice quiet little program that nobody ever saw because it didn't even tell you it was running and the process accounting system had been rigged not to show it. That's the problem with closed source OSs they're like Gump's box of chocolates. You never know what yer gonna git.

Was that enough movie references or what...

What?? A patch??

[elfbabe]

I was so hoping they'd finally kill the damn thing...

Marissa
I'm not really an elf, I just play one in AD&D.

Re:What about Vigor?

[mdillon]

no, but you should probably be worried about yourself if you're demented enough to use vigor.

what about

[ArchieBunker]

The recent redhat fiasco where the default password was left at "q" or something like that?

Buggy Easter Eggs.

[jabber]

Is it just me, or is there something terribly funny about the irony of this.

Even a 'feature' that no one wanted has bugs, and worse, security holes.

What's next? Playing the flight-sim Easter Egg in Excel gives you Administrator rights?

Re:I am rather concerned - NOT

[Dictator For Life]

MS generally delivers patches for these security holes before serious exploits happen in great numbers.

Yes, like just two weeks ago when ILOVEYOU was out, right? MS had the patch out "before serious exploits," right?

• Melissa
• Bubbleboy
• Chernobyl (still no MS fix for that)
• Word macro viruses
• Excel macro viruses
• Michelangelo

Let's be real here. Microsoft's concern for security could fit in one thimble along with Dilbert's enthusiasm. If they really cared about it they would have fixed the "every-user-is-root" problem years and years and years ago.

No company that says their latest software release will be bug-free (while having a list of 63,000 bugs they knew about at release time) can be taken seriously when it comes to security. No company that has to be goaded by bad press into fixing Outlook Express can be taken seriously. No company that denies that its customers care about bugs can be taken seriously.

Real physical papr clips are a security threat too

[BlueUnderwear]

Indeed, a miscreant could bend them and use them to pick a lock. It's not a bug, Micro$oft is just attempting to be make their tools very similar to their real world equivalents.

L0pht

[Hard_Code]

""Because its abilities are marked 'safe for scripting,' anything is possible," said the security researcher that found the hole, a
hacker known as "Dildog" who works for the security firm @Stake Inc."

Wow...@Stake buys L0pht, and suddenly they are not some seedy "hackers", but "security researchers" who work at a "security firm". Magic.

""You don't mark something safe for scripting unless you are going to let someone activate it
remotely," he said."

Huh? Shouldn't that be: You don't mark something safe for scripting unless you are !NOT! going to let someone activate it remotely?

Re:A risk to national security

[Spoing]

Damn! That article is a hell of a rant...and on target. I'd give you an extra point if I was a moderator, but I'm not...

Oh great.

[kwsNI]

Just what we need. The stupid 3D paper clip jumps up and tells you it loves you...

Seriously, who really uses them anyways (don't answer that!). Anyone who needs that damned annoyance is already in need of some help. They're the ones that will run trojan horses and other "unknown" files out of ignorance.

kwsNI

Re:A thought.

[Gunther Dull]

what exactly would Microsoft have to gain?

You're ruining the communal paranoia feelings here.

Anybody know the actual url of the demonstration?

[CausticPuppy]

Seems like the "view demo" link on l0pht's site just goes back to the same page, or maybe I missed something obvious.

An excellent fix...

[FreeUser]

...can be found right here [mandrake.com].

repartition the hard driving, giving all your space to linux. The installation will take care of the rest, and all of your Windows woes will be gone for good.

Which is exactly how you will feel, when you're finally rid of the beast. :-)

conspiracies...

[Miriku chan]

now, i dont want to be the one who spouts paranoia, but... SEE! I TOLD YOU SO!

you install the paperclip and he can SEE WHAT YOU DO! he is thinking! those eyes? they can see right out of the screen and at you! this information goes straight to microsoft, but not through the internet. that would be too simple. it goes through the satellite uplink to the paperclip mothership in low earth orbit.

the mothership then sends orders back down to earth and scripts are executed on your computer. be afraid. be very afraid.

Re:Er, it's not just Microsoft.....

[FyreFiend]

It could happen but it's not as likely. You can't run an AppleScript from the web via a browser (unless you use the help viewer as your browser). AppleScript can and has been used (stardust?) by virus writers but not in the way you mentioned.

BTW, Help viewer didn't open. I'm using Netscape so I don't know about IE.

(I love the .sig. I follow it with my computers)

Even Better

[LaNMaN2000]

It would be even funnier to have the Office Assistant explain why he is doing bad things to the system as the malicious code runs--let the user think that the clip is sick of being his secretary and that he will rebel against the glass cieling that prevents him from getting promoted by closing each document the user creates, without saving, after he has it open for 15 minutes.

Re:From Microsoft

[pnevares]

How would a malicious web site operator get me to visit his site?
This would be a question of social engineering. The malicious web site operator could not force you to come to his site against your will; he would need to entice or persuade you to do it through some means.

Obviously, no one at MSFT has ever been to a porn site...

Pablo Nevares, "the freshmaker".

Re:Clippy must die!

[hikari]

I can just see it...

It's alive... Vigor... it's ALIVE!"

--Hikari

Geeez, I killed of clippy, and it's still a threat

[AllynKC]

I followed the Microsoft instructions for disabling Office Assistant [microsoft.com]. But from the looks of the ZDnet article, even after removing the damn thing, I still have the threat because the scripts underlying it are still marked as safe.

Damn it, even when I've completely eradicated the blasted thing from showing on my screen ever again; it's still a problem. Hopefully this patch will let me eliminate the last vestiges of clippy's influence on my Win box. It (clippy) was a bad idea that should be forgotten and buried.

Crackdown on security holes

[quark2universe]

Micro$oft should form a new unit to look into such matters. Call it the Security Hole Investigation Team. BG: "Better turn the Office Assistant into S.H.I.T."

Re:I am rather concerned

[Alarmist]

When Boeing was accused of installing low-quality wiring in their jets in 1974, there was a massive public outrage forcing them to stop using that type of wiring.

The obvious reply is that no one's life depends on whether your letter to grandma gets eaten by the Office Assistant.

Why isn't anyone returning Outlook for a refund, because it's a major security threat on a Network?

Because people in the United States (I do not mean to exclude the rest of the world, but the U.S. is where Microsoft does a lot of its business, legitimate or not) have been carefully trained by fifty years of easy living that whatever doesn't affect them directly is not a problem. System security is seen as a task for system administrators, not users. Nobody realizes that good security begins with the users, in much the same way that U.S. citizens don't or won't believe that good government begins with good citizens.

Nobody is returning Outlook in droves because nobody sees it as a direct threat to them--except those who were bitten by the bug.

clip

[clearcache]

too bad...that cute paper clip was the only thing I actually LIKED about MS products

Perhaps Microsoft needs to change their Assistant

[jayhawk88]

New for 2001: Microsoft Office Assistant, powered by Ask Jeeves!

"Jeeves, how can I create columns in Word?"

"808 The She Creature" Word Find - Mystery Science Theater 3000".

If nothing else, it would make tech support MUCH more interesting ;)

Re:Buggy Easter Eggs.

[session]

Not only does it give you Administrator rights, it also has an ActiveEfficiency (tm) feature that emails your boss saying that you were playing it in the first place. ;)

Re:what about

[Platinum Dragon]

That's if you installed Pirhana, then actually ran it, then were dumb enough not to set your own password for the administration functions. In short, fixable in seconds, and should have been done in the first place. Bad programming, but easily patchable, and not an inherent OS flaw. Certainly something a user could knowingly repair.

Now, we come to the ability to use the Office assistant's programming to affect the system. What's the use of this? Would a user, or even sysadmin know this functionality existed? It's an inherent, inexcusable design flaw. Doubly inexcusable when you consider the lack of security on Windows 9x systems.

Re:Even Better - they're fun

[apathetik]

You can write pretty good amusing toons in VBA using the Microsoft Office assistants like ones that pretend to reformat clueless users' c: drives or ones that present rude messages during presentations using Powerpoint.

Anyway my Office Assistant is the Keiru the dolphin rather than that f***ing Paperclip. All the ladies at work think he's cute but unfortunately this doesn't extend to me.

Re:L0pht

[jesser]

"You don't mark something safe for scripting unless you are going to let someone activate it remotely," he said." Huh? Shouldn't that be: You don't mark something safe for scripting unless you are !NOT! going to let someone activate it remotely? No. If it is "Safe for scripting", then it CAN be scripted by a webpage. If NOT as you say, then it is unable to be scripted, and therefore, safe.

I wonder if this ambiguous terminology has anything to do with the high amount of scripting-related software with incorrect settings...

--

Re:Even worse than a security hole

[FascDot Killed My Pr]

The problem is over-optimistic smart people who are too certain that they've worked all the problems out of a system, without any real testing.

If they've only created one or two programs, they are "functionally stupid": they don't yet know enough to be smart.

And, no offense, if you've been programming any time at all and can't yet give a time estimate within 10% of actual about 80% of the time then you have no business calling yourself a programmer.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?

Re:Clippy must die!

[hikari]

Come on. You know Pitr would *actually* like it.

--Hikari

Thank you...

[cyphergirl]

Ya know... I've really gotta thank Micro$h*t. It seems like everytime there is a release about a new security hole, I get 100 companies calling me and begging for security audits. Thank you, Micro$h*t, for helping my employer stay in business and keeping food on my table.

--cyphergirl (one very busy security engineer these days)

Re:Testing.... When are they going to?

[Twistor]

Does anyone have the current rate for sneaking a peak at Windows source...? i know back in '97 a license could go for $300,000 (and that would only allow a look at a tiny bit of code)... it must be a tremendous revenue stream (thus their determination to keep the source closed in the antitrust case)... of course, since one coder on the Office team (for example) can't see the source either, well its no wonder the line of products is in constant disarray.

Being fair to MS

[eiPi]

To be fair to MS, I believe that Bubbleboy actually had the patch out before the virus hit.
--

Being fair to MS

[eiPi]

To be fair to MS, I believe that Bubbleboy actually had the patch out before the virus hit.
--

Re:Even Better

[jabber]

Poetic justice.

It's been done to death in all James Bond movies... Might as well bring it to the PC.

You know the scene, it's where the villan in about to kill the hero, and absolutely MUST explain his evil plot about taking over the world.

Maybe make the paper clip look like Dr. Eeeviil, just for effect. :)

Re:Microsoft is a Threat to National Security (duu

[HiyaPower]

Many thanks for this ref. An interesting article. Alas, all the feeble minds will ignore it. When it comes to courage, few IS managers have any...

Re:From Microsoft

[Gunther Dull]

What I don't get

incorrectly marked as "safe for scripting"

is how it could have been incorectly marked when it had to be marked that way to allow operation of the "Show Me" function.

This is like a boss I used to have who would spew statements all day long that made no sense to anyone but himself. When asked what he meant by that, he always replied "That's not what I said."

Sheesh.

Re:Er, it's not just Microsoft.....

[frankie]

If you're on a Mac, and you clicked that link, did your Help Viewer open

Mac IE5 gave the matter a few seconds of thought, then astonishingly decided NOT to open the help viewer. Mac IE5 has some interesting twists -- it allows you to run executables by clicking on links, but presents you with a confirm box first. However, it allowed a self-mounting disk image to open without confirmation when I made a link to it.

Mac NN 4 has no idea what the help URL style means, and sent me to /. 404 page. Mac NN 4 will not run executables or unrecognized file types at all -- it tries to open their data forks as text files instead.

About the general security issue: MacOS has many features similar to Clippy, most notably AppleScript (which gained remote connectivity in OS 9). I haven't seen any real exploits yet, but that's probably because H4X0Rs disproportionately use Windows. If Steve Jobs were the evil overlord instead of Bill Gates, we'd probably have AppleSkript Kiddies.

Here's another reason

[ch-chuck]

right here [retroactive.com].

[ps - the above 'toon was pre '29]

Re:Hrrm..

[SirStanley]

Dude. All I can say is.
"YOU THE MAN."
and. Why have a Picture of an ActiveX component.That isn't very discriptive of a Skript Kiddie. But then again.. How would you portray a Pre-Pubescent 15 year old who figured out how to download scripts from rootshell or other various websites and run them. At the same time having the inabiltiy to realize that they have absolutely no life, and need a stronger deodarant.
My next question is... When I speak german... I think german in my head... but like... Do skript kiddes see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their h34d'5 w43n t43y R +a1k1n6 ?

Re:What?? A patch??

[AllynKC]

You can prevent it from ever showing its coiled, metalic face ever again by using these instructions from Microsoft [microsoft.com]. But after doing that, you still need the patch (I believe) because the underlying scripts would still be able to run.

Re:conspiracies...

[daviddennis]

When I first saw him, the very first thing I typed in Office 1997 was that he was The Paperclip Spy, sending everything you type to Redmond for analysis.

So you're not alone in your paranoid ravings, but I liked your imaginative new theory. :-)

D

----

ye gads

[Argylengineotis]

I realize these security holes can be a serious problem, but c'mon guys... How many of us actually lose data to a virus or nasty script? I for one take the basic precautions, like a virus scanner and a reluctance to open suspicious attachements. the ILOVEYOU was especially virulent, but if I recall, all of the DDOS attacks come from *nix boxes and affect *nix network hardware. I don't remember a " *nix sucks sh*t " rant session over that, though it caused much more fear and probably more damage. and definately deserved it more than this ms hole.

Have you all forgotten the lesson of the early 80's? what, we had 15 platforms to consider, and whoah to those who bought dog systems like the TI/99 4a. Try getting a port of supercalc for that platform. That was one of the few truly useful apps back then, and many could not get ahold of it. All I know is that I want the best features and apps available. Maybe most of you ranters are too young to remember those crusty old days...

Microsoft has the worst job on the planet. They must please everyone, and can barely please anyone. You are not clever for raging about the occasional screw up. Windows happens to support more hardware than linux can claim knowledgable users. and as for software availability and backwards compatability, forget about it. They definatley have thier act together there.

you guys are in the akward position of being high tech savants that cause the most friction and FUD, thus slowing the pace of technological adoption and intimidating normal users like grandma into going without. You seem to suppose you are helping some cause, but all you are really doing is accelerating the entropy of an already flaky system. reminds me of teenagers who pick apart films and TV shows making noises like they are superior to the writers and directors. They are not, they just don't understand what it takes to organize and execute such a large project. To those of you actually doing something to make the world better, as in say contributing to the usability side of Linux, kudos. But the rest of you slackers are starting to piss me off.

Maybe one of you wise guys can explain why it took me 3 hours just to get my wheel mouse (sort of) working under redhat 6.2? or why my stealth II took even longer to setup with xf86config? No, the answer is not that I am an idiot, nor computer illiterate. I did figure it out, but not with any help from ranting zealots. an $80 Linux reference book and much digging through bugzilla eventually got me on my way. But slap this stuff in a windows machine and Blamo! no sweat. This is a respectable accomplishment on MS's part, why no mention of it from the zealots?
anyway, as a game developer that is OS ambivilant in theory, but actually trying to make a living in practice, why oh why should I spend any effort on the irrational foggy headed likes of you guys? can anyone answer me? I am not an M$ apologist, but I am interested in getting work done and advancing the state of the art. Can the ranterzealots claim the same?

-=b

Re:Oh great.

[tomreagan]

I use the office assistant all the time. Not for help, generally, but as a cute little dude who hangs out on my desktop.

Those Office 97 assistants stunk, but the new ones 2000 are pretty cool. I like how he jumps around on my screen and reacts when i send an e-mail. I use the robot one, but my friends use the earth one, the cat, or the dog.

Of course, I am a trained NT/Unix/Mac admin, who's also a network admin and security consultant. So I don't click on those "unknown" files.

I wish that people would stop making comments like "that's so stupid" or "this is so dumb" I mean, really, leaving the little guy on your desktop is no dumber than using vi or emacs or AmiPro or AbiWord or KWord or anything else. It's just a personal preference, right?

Or don't you use man(1)? Anyone who uses that instead of just reading the source is a retard :0!!

Re:They found a hole and patched it...

[Platinum Dragon]

Most Linux/*NIX holes aren't so glaringly stupid, and are a hell of a lot harder to exploit. Why should arbitrary script code be able to affect the registry (only one of the most important files on a Windows 9x system), overwrite files, and e-mail itself without telling the user? And why in hell is the Office "assistant" usable in resetting security permissions?

"But, but, but, someone could write a script for Linux too! Ha, got ya there!"

No, you don't. If a user sets up sh to run scripts automatically in Netscape, or downloads and sets the executable bit, it would still only affect that user's files unless they were dumb enough to run Netscape or the script as root. The user would lose the files they own, but binaries and pretty much anything outside /home/$USER would remain unaffected. This is assuming the user didn't bother to at least read through the script first, or find out what the heck it actually is.

"But, but, but, there are bugs in Linux! And some can lead to a root compromise!"

No denying that; they still require some level of actual skill, either in programming or ingenuity, to take advantage. Once again; arbitrary code should not be able to affect anything; it should be contained (like the Java sandbox), and never run as an administrator. NT at least takes steps in this direction, though a cursory look through the Attrition page crack archives [attrition.org] should show how much NT is like Swiss cheese.

The point: Windows 9x, and to a lesser extent NT, is inherently insecure, allowing arbitrary code and even scripts to affect important system files and take actions without the user's knowledge. The Morris Worm forced *NIX to shape up; perhaps dragging Windows into the light will force Microsoft to do the right thing for once.

If Clippy is so powerful....

[Alan Shutko]

Could we get him to install Linux? Visit slashdot, and clippy automatically starts an FTP install? This could be fun!

Re: A thought.

[Chester K]

I can't believe that got moderated up. (Score: 5, Baseless FUD)

If Microsoft really wanted to "create extensive profiles on users", do you really think they'd have to stick a cartoon character on the desktop to do it?

On a similar vein, why do you suppose Perl uses the $ to mark off variables.... OF COURSE!! There's special hidden code attached to the $ key that emails your bank account numbers, your credit card numbers, your favorite food, what kind of porn you like, and the brand of soap you use to a SeKReT email address on Hotmail.

Oh yeah, Janet Reno's in on it.

Random Office Assistant Quickies

[drivers]

1)
Someone has taken a cue from a certain User Friendly strip [userfriendly.org] and created VIGOR [red-bean.com] the vi[m] editor with an added paperclip assistant!
It features helpful advice, requiring you to click on a dialog box, such as:

"You have not entered insert mode before. While you're in insert mode, remember that you need to return to command mode before entering Vigor commands!"

and:

"Are you sure you want to move left?"

Screenshots [red-bean.com]

2)
I was once shopping on a Waldensoft store and found a boxed piece of software from Microsoft which would let you create your own Office Assistants. But the EULA specifically forbade creating any kind of office assistant that appealed to the prurient interests.

Re:Testing.... When are they going to?

[eries]

Hey, they just heard about "Realease early, release often" and thought it was a good idea.

Want to work at Transmeta? MicronPC? Hedgefund.net? AT&T?

A risk to national security

[phil reed]

Found an article here [infowarrior.org], that ought to be good to print out and put on your CIO's desk. It's titled Microsoft: A Proven Danger to National Security. (Warning - it's a PDF file.) Microsoft ought to find it interesting reading, anyway.


...phil

Re:Is this really news?

[Devil Ducky]

I've never met a single IS/IT manager that wants Windows let alone any other Microsoft products. Most of them however have to spend most of their time working on their ----, patching releases, fighting viruses, alerting users not to use Clippy, etc. The reason any good Is/IT manager are using Microsoft products is because the users are too dumb to believe that there are choices.

Before you go on your rant yelling at the IT managers who
>force Micro$oft products down our throats
You'd better take a look around, and remember it's you who's doing the forcing of MS products.

Devil Ducky

The Paperclip Spy

[daviddennis]

But hold on a minute.

Binky and the mechanism used to send all your data to Redmond are totally separate pieces of programming. Just because we have Binky doesn't mean your data goes to Redmond; just because we didn't have Binky in Office 95 doesn't mean it didn't send data to Redmond.

The interesting psychology of this is that Binky makes it seem more real that there is something from MS analyzing your data and sending it to Redmond. I thought that myself the first time I saw Binky (see some of my other messages on this topic).

The good news is that if data was actually being sent, some Slashdot reader would have long since seen it - note how quickly the Windows 95 Registration fiasco got out. So we're safe. At least for now.

D

----

It's not a bug.

[Dictator For Life]

This was done by design.

They thought this was a good idea.

It shows the depths of the contempt in which they hold their customers' security.

Re:what the hell are you talking about

[Dictator For Life]

Uhh...no.

IF Microsoft had an otherwise good (I'm not saying perfect) record about security, and IF they didn't ALREADY have a reputation for lying to their customers ("no bugs" in Windows 2000??? "no significant bugs" in any Microsoft products???), I might be willing to give them the benefit of the doubt.

They're lying so as to minimize the PR damage they are going to suffer for this, coming as it does on the heels of ANOTHER Microsoft design choice that was grossly stupid (I'm speaking, of course, of ILOVEYOU).

Do you believe everything Bill tells you? How much do they pay for that Astroturf campaign?

Millitary Intelligence (laugh dammit)

[xianzombie]

I know i feel safer seeing as how the millitary computer systems are (approx.) 95% NT systems. The other 5% are 95/98 systems. Mind you i'm not counting the DNS servers or anything of the like, nor special terminals. I'm only counting the standard office computer anyone/everyone uses.

Yet another strike against that great oxymoron

Re:From Microsoft

[Ben Hutchings]

It's not an error in labelling; it's an error in design. The design called for "Show Me" to be implemented by scripting in so-called HTML-help pages. This required the Office Assistant to be marked as safe for scripting.

Re:Is this really news?

[G27 Radio]

It seems like every day I read about another Microsoft security hole. When will it become obvious to the managers who force Micro$oft products down our throats that they are compromising their companies security? If I forced everyone at my office to use software that is full of security holes and we got hit bad by it, I would be fired. When are IT managers going to be forced to face the consequences of their decisions?


I'm currently working for a Fortune 100 (maybe 500) financial company that is about as pro-Microsoft as you can get. They're planning on dumping their Novell servers for Win2k. It's not as if anyone actually believes that Win2k servers will be better, it's just that they already agreed to purchase "NT 5.0" quite a while back. I think there might be a financial interest in continuing to prop Microsoft up. At any rate, the decision to use Microsoft is not being made by IT. As far as I can tell it's some kind of partnership agreement made by non-IT management that dictates the use of Windows. Using Linux on-site (whether connected to the network or not) is a firing offense. Two other Fortune 100/500 financial companies that I've worked for are doing the same thing.

These companies have all bought Microsoft licenses, continually say that they're switching all their non-MS servers to W2k, but still don't because they actually know that it would be a bad idea. My guess these companies are propping up Microsoft for some other reason. They're buying licenses, not using them, and talking about Linux like it's the greatest evil around.

Anyway, all the articles about holes in M$ products get printed out by me and hung up on the board. People stop, look, laugh and shake their heads, and then it's back to business as usual. Oh well.

numb

Er, it's not just Microsoft.....

[imac.usr]

Macs in theory would be vulnerable to a similar exploit. Apple's HTML Help system in Mac OS 8.5 and newer uses AppleScripts linked from mini-web pages to do things like open the memory control panel for me [help] and stuff.

If you're on a Mac, and you clicked that link, did your Help Viewer open (or move to the front if it already was)? It shouldn't have, but I'm curious.

Anyway, by replacing some of those scripts or web pages, you could conceivably do much damage to a Mac, too. That said, I do use one of the assistants in the Mac version of Office, the Hoverbot, just because I like the sound effects it makes (and it never gets in the way, unlike the stupid Windows paperclip.

Re:Real physical papr clips are a security threat

[Darchmare]

Oddly enough, I'm taking an Astronomy class as we speak from the former Apple employee who designed the 'hole' that you use the paper clip on (Thom Ahl - a pretty nice guy).


- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])

Clippy must die!

[decaf_dude]

Long live Vigor!

A thought.

[Alarmist]

In my day-to-day work, I see a lot of people who either use the Office Assistant seriously, or let it run and just ignore it. Very few of those people go to great lengths to make sure they never see it.

What Microsoft has done is truly interesting, and maybe a bit frightening: they have made a cute, vaguely helpful (but mostly interfering) figure a commonplace on the desktop. With Office 2000, you don't even have to be using an Office product to have the assistant sit on your desktop.

The Assistant uses up a lot of valuable system resources, and you can bet your bottom dollar that it doesn't just use them to render itself in stunning 3-d realtime graphics. We already know that Microsoft has a policy of blatantly, casually violating its users' privacy. What else is this Assistant doing? Perhaps it's logging keystrokes and sending them to Redmond. Perhaps it's analyzing user traffic and building a profile.

I suspect that MS is using the Assistant and other Office "features" to create extensive profiles on users around the world, for who knows what use in its own nefarious schemes. Perhaps that is why they seem openly contemptuous of the DoJ--they have the goods on Reno and her crowd and will use them when the time seems right.

Will MS do the right things?

[tjwhaynes]

Given the extremely well considered approach to fixing the MS Outlook attachment problem (i.e. don't fix the problem, just make sure there is a patch which makes it impossible to get to the problem) will MS now do the right thing? Will they kill, scrag, frag, smash, disembowl and eviscerate Clippy the ultra-annoying? Totally, utterly expunge the cruel, procrastinating, patronising, difficult-to-put-up-with and even-harder-to-disable office assistant from our hard drives :-)

While they are at it, they could solve a few other of the problems in the same way? MS IE 5.5 not standards compliant - fix it so it doesn't run. BSOD - delete that c:\winnt directory. I think we'd all be happier for it. :-)

Cheers,

Toby Haynes

Hrrm..

[Signal 11]

HI! I see that you are trying to surf the net. Would you like me to help give away all your private information and data?

[Yes, please help me] or [No thanks] (greyed out)

What next, a picture of a ActiveX scripting component painted on a cat to pop up and go "Script kiddie detected." followed by another message saying "Your security settings have changed, please reboot for these settings to take effect" ?

Re:Hrrm..

[GoRK]

y35.

Testing.... When are they going to?

[wrenling]

When you are going to release a product that allows so much interoperability, one would assume that those very functions that allow that interoperability would be slammed, nuked, beaten and in every way imaginable explored, repaired, and THEN the software released.

But it appears that MS is relying on the general public to act as its beta testers, to search out and discover these holes. They are complacent, non-proactive, and basically riding on the assumption that people will continue to use their products no matter how low the quality level goes.

This is one area.. where the communities like Open Source can really shine. Because opening your code to peer review keeps you on your toes. It allows different minds to work together cooperatively to create a better software package. And in the end, everyone benefits.

I know this is a bit of a rehash of stuff I have said before, but since we all know that MS is paying very close attention to everything written here on /., maybe repeating some basic concepts will beat the idea into their brains...

One can always hope...

Re:Mr Hankey Assistant

[Frac]

Mr Hankey would be a great assistant for MS Office, because the MS Office assistant really is a piece of shit.

Go get your free Palm V (25 referrals needed only!)

Re:Hrrm..

[Mr. Slippery]

When I speak german... I think german in my head... but like... Do skript kiddes see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their h34d'5 w43n t43y R +a1k1n6 ?

Priceless! This one's going in my fortunes file right now. Somebody mod that up.

Unix manpage security hole found!

[Kerbtier]

After decades of development and use, a major security flaw has been discovered in the Unix operating system. "All variants of Unix are affected", according to a mailing list of software security bugs for system administrators. Because this security hole was not discovered until today, it is possible that hackers have been exploiting it for years.

Details of the bug are still limited but early reports hint that a Unix feature called an "Unamed pipe" has a flaw that, when used, opens access to the computer system to any other computers on the network. According to a Microsoft spokesperson, the "[Unamed] pipe is a tool used exclusively by malicious computer hackers." As a leader in network security, Microsoft ensures its customers that it is not affected by the bug. The spokesperson continues, "At Microsoft we recognize the fact that the command prompt is the true reason why such hideous exploits flurish. For that reason, we have taken the innovative step of integrating the graphical user interface directly into the operating system, bypassing any need for a useful command prompt interface."

All users of Unix and Unix-variant operatings sytems are urged to refrain from using unamed pipes until a security patch is made available. Utilities such as "man" should not be used under any circumstances for any purpose. System administrators should take necessary precautions and install security patches as soon as possible. Users should also take precautions and never open unamed pipes, especially unamed pipes you weren't expecting.

EULA

[bfree]

I understand that as long as the user has clicked through the EULA on install, they can't sue M$ for losses incurred by the negligence of their programming....but what if I run an ISP with no M$ software and their bug costs me, can I sue? Surely I can!
Simplest scenario, bfreeSP provides email services to 1000 companies via POP/IMAP, a security oversight in a M$ product results in bfreeSP receiving a DDOS from all it's own customers and the people who want to mail to the customer. bfreeSP's customers lose their email system for 1 day (thanks to the speed of sendmail fixing the problem) and hence all claim a refund for the lost day (lets forget the compensation side for now). bfreeSP should be able to sue M$ because it has never agreed to the EULA, and the problem has been caused by the software written by M$.
In the above simple case, am I right in assuming the only factor a case would consider is whether the fault lies with M$, the author of the worm/virus/whatever which exploited the hole or each and every individual user who installed and used the M$ software? Anyone who is a lawyer care to suggest how this case might fare?

Talk about a virus...

[Eponymous, Showered]

You know, just yesterday, Clippy got up real close to my monitor, looked around serendipitously, and tapped on the glass. He mumbled something about "Snow Crash" and asked me to click on this vial of crack. I clicked, the monitor turned to static, but I looked away just as the phone rang...

Re:A thought.

[Darchmare]

Here's your rebuttal:

Given that Windows is on a vast majority of the desktops out there, and that packet-watching isn't exactly uncommon, you'd think someone would notice by now.

Plus, what exactly would Microsoft have to gain? Certainly not enough to make up for the potential lawsuits...

- Jeff A. Campbell
- VelociNews (http://www.velocinews.com [velocinews.com])

Is this really news?

[alteridem]

#define RANT

It seems like every day I read about another Microsoft security hole. When will it become obvious to the managers who force Micro$oft products down our throats that they are compromising their companies security? If I forced everyone at my office to use software that is full of security holes and we got hit bad by it, I would be fired. When are IT managers going to be forced to face the consequences of their decisions?

#undef RANT

Seriously though, I guess we can't expect the masses of ignorant users to give up their beloved paperclips and fancy email attachments. They want everything and Micro$oft tries to give it to them without regard to the security risks.

From Microsoft

[Silver A]

From:http://www.microsof t.com/technet/security/bulletin/ms00-034.asp [microsoft.com]

Frequently asked questions regarding this vulnerability and the patch can be found at

http://www.microsof t.com/technet/security/bulletin/fq00-034.asp [microsoft.com]
Issue
An ActiveX control that ships as part of Office 2000 is incorrectly marked as "safe for scripting". This control, the Office 2000 UA Control, is used by the "Show Me" function in Office Help, and allows Office functions to be scripted. A malicious web site operator could use the control to carry out Office functions on the machine of a user who visited his site.
The control ships only as part of Office 2000 (and Office 2000 family members, as listed below). The patch removes all unsafe functionality, with the result that the "Show Me" function will be disabled in Office 2000.

The patch is available at http://download.microsoft.com/download/office2000p ro/Uactlsec/2000/WIN98/EN-US/Ua ctlsec.exe [microsoft.com], with instructions avaiable at http://officeup date.microsoft.com/2000/downloadDetails/Uactlsec.h tm [microsoft.com]

Microsoft states in their FAQ:

Is this a vulnerability in the ActiveX technology?
No. This vulnerability results because of a manual error in marking the particular control at issue.

Sure. This time it's a simple error in labelling. What will it be next time? How many more simple marking errors lurk in Office or IE?

Re:Oh great.

[Pfhreakaz0id]

... and of course, a big reason why Office dominates it's sector and AOL is the world's largest internet provider. It's tough to go wrong playing to the stupidest, lowest common denominator.
---

Re:Testing.... When are they going to?

[Bad Mojo]

No one forces anyone to accept a beta version of Linux in order to be supported properly. I'm not even running the 2.2 kernel on my server and I feel no pressure to update from Linus. But I do know, that if I wanted to, I could download the latest developement kernel and help beta test Linux. Sure, the stable releases of Linux aren't always perfect, but they are very stable and have few problems. Something I rather enjoy rather than having no choice via MS.

Bad Mojo [rps.net]

I am rather concerned

[toofast]

Isn't anyone else concerned about the number of recent security holes in M$ software? I have nothing to say, because I just don't use M$ crap, but why aren't there any public outrages against M$? I find it funny that the public just accepts these bugs as normal.

When Boeing was accused of installing low-quality wiring in their jets in 1974, there was a massive public outrage forcing them to stop using that type of wiring. To the software industry, I consider this a simple bug. But a dangerous bug that cost many lives. Obviously, there is a major difference: using Outlook has not cost any lives. But still, why is the public gracefully accepting the fact that M$ software is full of bugs?

Yet a couple of stories ago, everyone and their dog was complaining that Corel's WP Office 2000 was full of bugs and that they returned it to get a refund. Why isn't anyone returning Outlook for a refund, because it's a major security threat on a Network?

Mr Hankey Assistant

[morbid]

Why doesn;t one of the OSS word processors include a Mr Hankey office assistant?

Every so often you'd get that slide guitar followed by,"Hidy ho! Hidy Ho guys!"
and a big brown jobbie wearing a hat would appear to guide you through the process.

"Seems to me that you're tryin' to type a letter!"

Re:What?? A patch??

[daviddennis]

Never!

Binky the Talking Paper Clip is Immortal!

I realized why when I analyzed my own behaviour.

In the good old days, when I asked for assistance on any Microsoft(tm) product, the help system was startlingly inept at providing same. So what would I do? Why, curse Microsoft and try and figure it out on my own, of course.

Now we have a modern, sleek, polished system, complete with a glorious cartoon character who's going to offer friendly assistance and tell us what to do.

A big improvement, of course! So, when I ask for help and get answers that are even worse than under the old system, what do I do?

Why, curse that (bleep) paper clip, of course! Microsoft is an Innocent Creator of Brilliant Software, it's Binky the talking paper clip I blame.

It's a neat emotional transformation, but I'm willing to bet it's worth millions to Microsoft.

Oh, by the way, I'd like to endorse the following link on Binky:

Binky on the Witness Stand [ubersoft.net]

D
----