Holes in PowerPoint and Excel

jeffy124 writes: "Looks like it's time for IIS and Outlook to make room on the pedestal of security holes. Just about every recent version of PowerPoint and Excel are vulnerable to being taken over to control the system remotely. The hole is a macro-related, as it's possible to bypass asking the user if they'd like a macro to run. Microsoft's advisory can be found here." Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?

OpenOffice.org

[Troed]

This does fit in very nicely with stable betas of OpenOffice.org [openoffice.org] and of course Sun's version StarOffice. Talk to your manager, show them that you can do everything you need to do at work with free software, that as a side-benefit don't allow people to take over your computers.

It does work.

Star Office + linux

[linux_warp]

Now I can try to finally convince people that, although it may not be quite as userfriendly or have as good of features, star office in most cases wont compromise their systems.

Mindwarp

Macros and scripting

[Alsee]

Hasn't anyone at Microsoft noticed yet that macros and scripting are a very dangerous features? They are executable code! They should be avoided if possible. When implemented they should have restricted functionality (why the hell does a macro need to be able to delete files?!?), and they need to be scrutinized for bugs and holes more closely than almost any other piece of code.

Educate the users

[Red Aardvark House]

At my job, the IT tech gave instructions to all users to disable macros on all incoming attachments in Excel and Word, or not to even open them at all if they're not sure.

It's not foolproof but it does make the people at my job aware of one of the many ways that viruses are spread.

This hole could be in more versions that listed!

[Troed]

Taken from Microsofts website:

Tested Versions:
Microsoft tested the following products to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Office 98 for Macintosh

Office 2001 for Macintosh

Office 2000 for Windows

Office 2002 for Windows

Do note - just because older versions aren't supported Microsoft won't check if the whole is there!

next worm

[Harbinjer]

anyone wanna wager how long it will take for some worm to exploit this? I know it can' t spread as easily as an outlook worm, because excel doen't do communication like outlook, but still, this could be nasty. If paired with the next outlook/IIS security hole, if could be just as bad.

Is the hole exploitable in Mac OS X? Does the unix architecture and security prevent this from being a problem?

Scripting and office suites

[gimmie_prozac]

The article does not address this question, so I'll ask it here.

This does not seem to be a problem unique to Miscrosoft Office. Wouldn't this type of security hole be possible in any office suite with scripting/macro capabilities? Do KOffice or StarOffice not support macros (I've never used them, so I don't know)?

Kudos to MSFT for making a patch immediately available, but I must say that MSFT's constantly having to play catch-up with secuirty holes does not make me real confident in .NET's data safeguard capabilities.

People abused by powerpoint

[victim]

I was attending a presentation by some state officials last week. The presenter's Powerpoint presentation was set to autoadvance every 30 seconds or so and apparently they couldn't make it stop, so she had an assistant sit at the computer and backup the slide everytime it jumped ahead prematurely.

So who else has watched someone by victimized by powerpoint? Add your anectdote as a reply.

Openoffice scripting ?

[hack0rama]

Does OpenOffice support a scripting similar to the macros in MSOffice ? If so would it be possible to see similar issues with OpenOffice as well ?

It may not be as bad on Linux/Unix because of the user processes not getting access privilages to do anything nsty, but OpenOffice has a windows version as well.

If there is a sizable installed base of OpenOffice , then maybe you can imagine OpenOffice script worms doing annoying stuff with user files/mails.
And if your friendly Mozilla/Kmail/Evolution/PINE mail tool has the MIME type set to open with OpenOffice then it can spread the worm around.

Emacs security flaws.

[Ungrounded Lightning]

Emacs does include some features that are equivalent to these sort of macros. They are disabled by default

And they used to be enabled by default - which was a big vulnerability if you used them as a mail reader or netnews reader. A simple string embedded in the letter or posting could do anything YOU could do in emacs - which means anything you could do from a shell, too.

Fortunately the first well-known public exploit was a netnews posting demoing the bug by popping up a window and telling you how to turn it off. The default was changed in the next release.

The days of the MIT AI lab were a more innocent time. To keep the students from crashing the machine they made it trivial - with a well-documented command to do it. The idea being that if there were no reputation points to be earned by "finding a way to crash the machine" but lots of negative ones to be had by annoying the other students, everybody would get bored with it quickly. Stallman continued the tradition later by having no root password on his personal machine for quite a while.

Unfortunately, about one person in a hundred (one in 50 to one in 200) is a psychopath - a person with a brain problem analogous to color blindness that amounts to "no concience". Some fraction of these don't compensate by learning that hurting others is bad for number one and becoming "good" by deliberate effort.

So when you have hundreds of millions of people on the internet, you end up with a few "black hat" hackers and a host of script kiddies. So the days of innocence (and Stallman's open root account) are long over.

Now internet-connected computers hold information of value that can be stolen and run mission-critical functions for businesses with cutthroat competitors. So a management order to install mass-market stoftware with a history of well-known major security holes has graduated from administrative cluelessness to a severe breach of fiduciary duty.

This is what I found most interesting...

[nullnvoid]

From the story:

"The vulnerablity was first brought to Microsoft's notice about two months ago by Symantec."

Microsoft has known about this vulnerability and has taken two full months to warn users? Disturbing, if not surprising.

Re:What I really want to know is...

[MarkLR]

This is what's happening. Documents with macros have a flag set when they are saved. If the user has Load Documents with Macros turned off Excel etc. will not load the documents. But if the documents has macros and the flag is reset using a hex editor the macros will load because only the flag is checked. You cannot assume that the only way to change the contents of a document is via an application, a hex editor works just as well.