Forgot your password?
typodupeerror
Microsoft

Holes in PowerPoint and Excel 277

Posted by CmdrTaco
from the everybody-point-and-laugh dept.
jeffy124 writes: "Looks like it's time for IIS and Outlook to make room on the pedestal of security holes. Just about every recent version of PowerPoint and Excel are vulnerable to being taken over to control the system remotely. The hole is a macro-related, as it's possible to bypass asking the user if they'd like a macro to run. Microsoft's advisory can be found here." Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?
This discussion has been archived. No new comments can be posted.

Holes in PowerPoint and Excel

Comments Filter:
  • Macs too (Score:2, Informative)

    by liquide (96613)
    This vuln. works on Mac Office 2001 (and 98) too.
  • OpenOffice.org (Score:2, Interesting)

    by Troed (102527)
    This does fit in very nicely with stable betas of OpenOffice.org [openoffice.org] and of course Sun's version StarOffice. Talk to your manager, show them that you can do everything you need to do at work with free software, that as a side-benefit don't allow people to take over your computers.


    It does work.

    • Re:OpenOffice.org (Score:3, Insightful)

      by Tom7 (102298)

      What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

      I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

      • Re:OpenOffice.org (Score:2, Insightful)

        by Troed (102527)
        Microsoft sat on this fix for two months - does the opensource community do the same?


        I haven't evaluated scripting in OpenOffice though, can someone comment on the possibility for malicious code being run there at all?

        • Re:OpenOffice.org (Score:2, Insightful)

          by Tom7 (102298)

          OK, that's fair -- I suppose the corporate machine is typically slower at responding to a bug than the free software community. (Though, if you read bugtraq, you'll know that there have frequently been cases of much longer delays in commercial and free software alike!)

          However, I think a better metric than how quickly things are patched is the number of holes in the default install. Most users don't install patches, anyway, so this is what really matters for them.
      • Buffer overflows are one thing... I can't really blame Microsoft for Code Red, for example.

        But Microsoft's scripting bugs are a different story. As a general rule, computers should not execute foreign code without asking. That's just common sense to anyone except Microsoft. :(

        Ah well... At least no one has written a really harmful virus so far.

      • Re:OpenOffice.org (Score:3, Insightful)

        by Stephan Schulz (948)
        What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

        I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

        There are two aspects here. First, while you are right that other groups also have written buggy and insecure software, Microsoft's record is particularly abysmal. Most of the big holes in free software were found early on, at the time the internet just started booming and noone had experience with security. We may not yet be perfect, but we have been learning a lot.

        The second aspect is even more important. A monoculture is always more suspectible to attack than a diverse ecosystem. If we use more different tools, we will survive viruses and worms a lot better. Consider Code Red: If it hit a host with Apache, it did not use this host for further propagation. Not only did the server stay up, the spread of the virus also slowed down.

        So having many different (but preferable interoperable) software systems is inherently beneficial. And yes, this applies to BIND just as well as to Microsoft.

  • by dafoomie (521507) <.moc.liamtoh. .ta. .eimoofad.> on Sunday October 07, 2001 @03:22PM (#2398927) Homepage
    Customers using Microsoft® Excel or PowerPoint for Windows® or Macintosh® I guess Mac uses can stop complaining that they don't get all the features of the Windows version.
  • One more hole (Score:4, Insightful)

    by entrox (266621) <slashdot@ e n t r o x.org> on Sunday October 07, 2001 @03:22PM (#2398935) Homepage
    Is this really a surprise? I was under the impression, that all macro-enabled applications under windows (office suite) shared such vulnerabilities, because they most probably use the same scripting engine.

    One exploit serves all ;)
  • Macros and scripting (Score:3, Interesting)

    by Alsee (515537) on Sunday October 07, 2001 @03:26PM (#2398964) Homepage
    Hasn't anyone at Microsoft noticed yet that macros and scripting are a very dangerous features? They are executable code! They should be avoided if possible. When implemented they should have restricted functionality (why the hell does a macro need to be able to delete files?!?), and they need to be scrutinized for bugs and holes more closely than almost any other piece of code.
    • by entrox (266621)
      Macros and scripting are a very useful thing. I wouldn't want to miss them. The only thing, which Microsoft should avoid is letting simple documents contain (pot. dangerous) macros. They should be cleanly separated. This would eliminate most of the recent macro attacks.
    • by reynaert (264437) on Sunday October 07, 2001 @03:42PM (#2399069)

      It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

      On Unix, lots of applications have extremely powerfull scripting languages. Just think about the stuff you can do with Emacs (elisp) and the Gimp (which uses guile, a full Scheme interpreter). But the user has to explicitly install them. They aren't hidden away in some document.

      • Emacs does include some features that are equivalent to these sort of macros. They are disabled by default, but I don't believe there is any other security -- i.e., you can't turn them on and have them run in a sandbox or anything.

        I can't remember the exact syntax, but you can put elisp statements in a comment section of the file and have Emacs execute them when opening the document. Since it's not that easy to turn the feature on (I can't remember how), it's unlikely to ever be used widely enough to become a vector. For Emacs' problem space, there are a number of non-scripting solutions that mostly fill the need.

        • by Ungrounded Lightning (62228) on Sunday October 07, 2001 @04:46PM (#2399440) Journal
          Emacs does include some features that are equivalent to these sort of macros. They are disabled by default

          And they used to be enabled by default - which was a big vulnerability if you used them as a mail reader or netnews reader. A simple string embedded in the letter or posting could do anything YOU could do in emacs - which means anything you could do from a shell, too.

          Fortunately the first well-known public exploit was a netnews posting demoing the bug by popping up a window and telling you how to turn it off. The default was changed in the next release.

          The days of the MIT AI lab were a more innocent time. To keep the students from crashing the machine they made it trivial - with a well-documented command to do it. The idea being that if there were no reputation points to be earned by "finding a way to crash the machine" but lots of negative ones to be had by annoying the other students, everybody would get bored with it quickly. Stallman continued the tradition later by having no root password on his personal machine for quite a while.

          Unfortunately, about one person in a hundred (one in 50 to one in 200) is a psychopath - a person with a brain problem analogous to color blindness that amounts to "no concience". Some fraction of these don't compensate by learning that hurting others is bad for number one and becoming "good" by deliberate effort.

          So when you have hundreds of millions of people on the internet, you end up with a few "black hat" hackers and a host of script kiddies. So the days of innocence (and Stallman's open root account) are long over.

          Now internet-connected computers hold information of value that can be stolen and run mission-critical functions for businesses with cutthroat competitors. So a management order to install mass-market stoftware with a history of well-known major security holes has graduated from administrative cluelessness to a severe breach of fiduciary duty.
      • by cybaea (79975) <allane AT cybaea DOT com> on Sunday October 07, 2001 @03:58PM (#2399174) Homepage Journal
        It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

        On Unix, lots of applications have extremely powerfull scripting languages. Just think about the stuff you can do with Emacs (elisp)...

        Actually, Emacs mixes data and code in the same way. Check the File Variables section in the info system, and in particular the enable-local-eval variable. Basically, you can set buffer local variables by embedding the commands for this at the end of the file. One of these variables is 'eval' :-). Thus spake RMS:

        The `eval' "variable," and certain actual variables, create a special risk; when you visit someone else's file, local variable specifications for these could affect your Emacs in arbitrary ways. Therefore, the option `enable-local-eval' controls whether Emacs processes `eval' variables, as well variables with names that end in `-hook', `-hooks', `-function' or `-functions', and certain other variables. The three possibilities for the option's value are `t', `nil', and anything else, just as for `enable-local-variables'. The default is `maybe', which is neither `t' nor `nil', so normally Emacs does ask for confirmation about file settings for these variables.

        In this sense Emacs is just as guilty as Microsoft Office. Just because it's Free doesn't mean it is without security free. (But the fact that the average person using Emacs is more clued in than you Power Point suit, does help...)

        • Emacs also has the advantage that you can scroll down to the bottom of the page and see the virus in plain text. Even the most computer ignorant people will know something's wrong when the bottom of the document is filled with computer code.
        • so normally Emacs does ask for confirmation about file settings for these variables

          Conceptually, it is similar, but there is a difference worth noting: the elisp code in an eval file variable has obviously to be in cleartext within the document, and with the `maybe' default option, the code is expressely shown before asking confirmation for execution. To confirm you have to type ``yes <enter>'' in order to execute it, while the default answer is ``no'', and everything else just make the confirmation request appear again.

          Basically, what I am saying is that Emacs at least do a good job in attracting the user attention and make people think twice before confirming, or al least discourages the casual user (which is ironic, I believe, since there are probably vastly more Office casual users out there than Emacs casual users).

          BTW, once I heard a story about a sysadmin tired of having to ``fix'' a departmental network printer because it has just run out of paper.

          Eventually, he managed to make appear on the users' screen a dialog window when things went wrong. The message explained that one should check the paper before calling the tech support.

          Calls to tech support for this printer greately decreased after that, but still there were calls for the empty paper tray.

          So he changed the message (and the code displaying it), and it would read like ``The printer has not printed your documnent, please check if it just run out of paper before calling tech support. In this message there is a typo: press the letter of the typo to close this window.'', and finally calls to tech support just to fill the paper tray finally went to zero.

          If there is a moral to this story (probably fictional, but who knows), it is that things that are not important should look as non important and things that are important (security, wink, wink) should look as important, and not as something you can dismiss just with a click on one of the buttons (to make the problem ``go away'').

  • Educate the users (Score:3, Interesting)

    by Red Aardvark House (523181) on Sunday October 07, 2001 @03:27PM (#2398972)
    At my job, the IT tech gave instructions to all users to disable macros on all incoming attachments in Excel and Word, or not to even open them at all if they're not sure.

    It's not foolproof but it does make the people at my job aware of one of the many ways that viruses are spread.
  • by Troed (102527) on Sunday October 07, 2001 @03:30PM (#2398993) Homepage Journal
    Taken from Microsofts website:


    Tested Versions:
    Microsoft tested the following products to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.


    Office 98 for Macintosh

    Office 2001 for Macintosh

    Office 2000 for Windows

    Office 2002 for Windows


    Do note - just because older versions aren't supported Microsoft won't check if the whole is there!

    • If you have Office 97 or 95, their should be no Powerpoint hole because powerpoint does not have macros until Office 2000 and then Office XP. Just checked the help file cuz I happen to have Office 95 (it does what I want and is not as bloated as the new stuff....it's still bloated, just not as bloated as the latest stuff....).

      Gork
    • Obviously... (Score:5, Insightful)

      by Balinares (316703) on Sunday October 07, 2001 @04:03PM (#2399200)
      You know, I think that if the former versions aren't vulnerable, they're not gonna tell you. They just can't take the risk to have people want to revert to older versions on the basis that they "work better", not when their business relies so much on people upgrading over and over...
      • These macros were written for Visual Basic for Applications (VBA), which I think was introduced in the 1997 versions of the products. If you could dig up an earlier version, they used a macro language that was almost entirely incompatible with current scripts. (I know because this caused me enormous pain in trying to make a macro package compatible with both versions - it was all but impossible).

        So if you have that ancient version lying around, you may want to use it. Or use programs with Word or Excel import filters instead of the real thing.

        Anyone know if StarOffice is affected? When I checked it a few years back, it looked like it had a pretty complete emulation of VBA.

        D
        • Excel supported VBA going back to version 5.0 (Office 4.2). It was later expanded to the other products in the suite.

          There's also other vendors like Corel WordPerfect that have licenced VBA from Microsoft. It's unclear if this is a problem in the VBA runtime or the Excel/PowerPoint fileformats though.
  • next worm (Score:2, Interesting)

    by Harbinjer (260165)
    anyone wanna wager how long it will take for some worm to exploit this? I know it can' t spread as easily as an outlook worm, because excel doen't do communication like outlook, but still, this could be nasty. If paired with the next outlook/IIS security hole, if could be just as bad.

    Is the hole exploitable in Mac OS X? Does the unix architecture and security prevent this from being a problem?

    • I don't understand how if as you say, Excel can't do communication like Outlook, that it can be so nasty? There have been viruses with payloads around forever.. Word macro viruses for what, about 6 years?


      Outlook/IIS have many holes; it is very rare that someone has bothered to write a worm that uses them. I personally won't be holding my breath for these exploits to be used in one. You aren't a reporter or AV person are you? :)


      That Microsoft advisory states that Macintosh versions are affected, yes. I doubt the OS matters much with viruses that rely on a macro language within an application rather than using the OS itself or its services to propagate.

  • by Microsift (223381) on Sunday October 07, 2001 @03:32PM (#2399008)
    If a story about a vulnerability in Microsoft created software is considered news.:)
  • So what? (Score:5, Insightful)

    by reynaert (264437) on Sunday October 07, 2001 @03:32PM (#2399011)

    These things first appeared in 1996 or so. Word.Concept or what was it called. Microsoft responded by disabling the AutoLoad macro (or whatever it's called). Now somebody found a new way to make Excel/etc. execute stuff when loading a file. Big deal.

    I wonder why virus writes bother at all. They can just put a button labeled "Click here" on the page, and 95% of the lusers will click it. The only defense against that is just disabling all macro support. And everybody knows that isn't going to happen.

    • Sorry, but corperate last week send down an order ro disable all scripting and macros in all office apps.

      The response from the 2.2 million users on our network was 20 people whined. Corperates response was protecting 2.2 users from viruses while disabling useless features was worth it. Those 20 will have to live with it or find employment elsewhere. This is the same group that set up the firewall and email servers to strip all attchments and to begin a no-attachment polocy for email. Internal users are required to use FTP and Server shares for file transfers external users are required to use password protected FTP downloads.

      It's about time too.. I was getting sick of people sending everyone 50Meg presentations and images that are "cute". by forcing people to put efort behind sending a file it reduces the amount of crap clogging the corperate bandwidth.

      Now If I could convince them that outlook and exchange need to be changed to at least CC:Mail or some stable and secure groupware suite.
      • Corperates response was protecting 2.2 users from viruses...

        Sounds like windows update. [microsoft.com]

        ~z
    • Microsoft design choice not to include restrictive mode execution enviroments ( also known as "sandboxing" ) simliar to Javascript or Java's applets for Microsoft's embedded scripting puts users at risk when veiwing almost any disributed Microsoft document format.

      I posted the following in various usenet groups last year. Given the recent events it is well worth the read...

      Subject: Microsoft Applications Security
      Date: 2000/05/28

      http://groups.google.com/groups?selm=slrn8j2cen. pn s.heretic@localhost.localdomain

      "This continued virus threat is not ONLY an email or Outlook problem it extends to all Microsoft Office products, Microsofts internet explorer as well as a lot of third party software for the Microsoft OS platforms."

      Even with all the patches, anti-virus scanners and proxy firewall, it will not stop the average user clicking on an embedded https:// URL link in an email and downloading and opening a Microsoft format document with an embedded script containing a new "unknown" virus/malware.

      Office users share documents over the net all the time, the inclusion of executable blocking, "run script" dialogs and digital script "signing" is a big improvement, but it all can be circumvented by a little social engineering.

  • " Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?"

    Funny ... I always thought it was the 'Ones.' I have always found that 'suits' have less difficulty managing streams with an inordinate number of 'Zeroes' in them. Too many ones and it gives the poster of this article a marked advantage in his/her efforts to over-generalize.
  • The article does not address this question, so I'll ask it here.

    This does not seem to be a problem unique to Miscrosoft Office. Wouldn't this type of security hole be possible in any office suite with scripting/macro capabilities? Do KOffice or StarOffice not support macros (I've never used them, so I don't know)?

    Kudos to MSFT for making a patch immediately available, but I must say that MSFT's constantly having to play catch-up with secuirty holes does not make me real confident in .NET's data safeguard capabilities.

    • i dont know about K or Star Office, I've never used them either.

      My guess (just a guess, dont flame if I'm wrong) is they do use macros, but those macros dont have the same priviliges as MS's macros do. For example, does a macro really need complete access to the filesystem of the machine? That's one of the things a macro virus exploiting this hole can do and start deleting files.

      I think KOffice's and SO's developers learned from MS and would decide to not allow such possibilities.
      • KOffice uses external scripting rather than internal scripting - that is to say, the document contains no scripting information, but is a valid XML document, and the application has hooks for external programs to script internally. The concept is that any language, perl, python, ruby, C, C++, etc, can then access the document inside the KPart (and any embedded document inside that, or embed the document into itself). As far as this conversation goes, this flips the security problem back into the "open" - you're responsible for the applications you run, and they just all talk back and forth, there is no document based scripting as of now.

        --
        Evan

    • Actually, .NET has a better chance of being secure for two reasons:

      1) Microsoft has said (real developers not marketing drones) that security was a huge focus of .NET.

      2) .NET is a brand new platform that is built from the ground-up. Running a .NET EXE is not like running a VB or C++/MFC EXE. It stands on it's own, and is closer to a Java-like model when it comes to application execution (ala "Sandbox Security", etc.).

      Now, this doesn't mean that it's "airtight", but I believe that it will prove to be more resiliant from a security standpoint.
      • It stands on it's own, and is closer to a Java-like model

        Wow! That is particularly innovative of Mircrosoft to innovate Java's security model like that. After innovative years of claiming that Java's model was too complicated for innovative programmers, Microsoft has finally innovated upon their word and embraced the model. Now that's what I call real innovation!! Thank you Justics Department!

    • Autoload macros are the real issue - I have never understood why Microsoft didn't simply disable these completely. I can't see a valid use for autoload macros that couldn't be substituted by a button within the document that says 'click here to start'. Since 99% of Word, Excel and PPT docs would never have such buttons, it would be much more obvious to the user that something odd was going on. This wouldn't remove the problem but it would make it much harder for such viruses to propagate.
      • And putting "Click here to see Pamela Anderson nekkid!" on the button wouldn't act the same as an autoload macro?
        • Yes, a button would be similar to autoload (as I mentioned), but at least a certain proportion of people would realise 'clicking a button means something will happen, maybe something bad' - most people don't expect viewing a document to cause something other than the doc appearing on screen.
  • I was attending a presentation by some state officials last week. The presenter's Powerpoint presentation was set to autoadvance every 30 seconds or so and apparently they couldn't make it stop, so she had an assistant sit at the computer and backup the slide everytime it jumped ahead prematurely.

    So who else has watched someone by victimized by powerpoint? Add your anectdote as a reply.
  • powerpoint (Score:2, Insightful)

    by LazyDawg (519783)
    Powerpoint is about the only part of Microsoft Office worth keeping around. It used to be a mac app made by a third party, and for making up posters on Windows with a shoestring budget, you can't top it.

    More than Word or Excel, Powerpoint is the killer app for office. Once Linux makes up something as tidy, fast and easy to use, corporate acceptance will go through the roof, just BECAUSE suits like to spend time playing with their slides.
  • by mgkimsal2 (200677) on Sunday October 07, 2001 @03:45PM (#2399086) Homepage
    Others have said it in the past, and I'm starting to believe it more myself. I really think that many at large companies use default installs of Office as job security. No one can blame them entirely if there's a problem - after all, the IT guys themselves didn't write the viruses. Failing to keep up with patches released months earlier can be cause for problems, but if a virus just came out recently, or there's just no patch for it, then "It's not my fault!" is a very valid point.

    The 'job security' aspect comes in because *someone* has to go around and patch every machine. *Someone* has to go round and install/test new virus software. I think it's past being 'common knowledge' that *by default* most MS products install themselves pretty insecurely. So someone has to learn about how to lock down those products - then actually do it. It's job security, choosing products which you KNOW will require you to always be updating them.

    Yeah, I'm a bit overly cynical about this. I've met some people who really just think this is how computers are supposed to be - you're always playing 'catch up' to virus writers. The concept of prevention to them is installing the latest 'Norton' utility. Proactively analyzing the systems they have for potential vulnerabilities (turn off scripting on machines that don't need it, etc) just doesn't occur to them.

    I'll be the first to admit that StarOffice/OpenOffice have not been up to snuff in the past, and even the current versions may not be up to snuff for everyone, but they're getting better. SO6 and the next OO may in fact be solid enough to let *many* in an organization use those as their primary or only Office applications, and let the few people that need the MS-specific features keep using MS Office. Yes, there'd be some relearning costs - figure that gets covered by the savings in upgrade licensing for those people.


    • I really think that many at large companies use default installs of Office as job security.


      I have done infosec in both a large funding-limited US government agency, and a well-funded network-savvy corporation. I'd like to suggest different reason lax security exists: funding.


      In both cases, I saw that the IT support infrastructure (sysadmins, architects, desktop support, etc) were underfunded compared to the amount of new tasks and upkeep they were presented. These folks worked tirelessly just to keep their heads above the workflow. Security often added additional effort / steps / work to their already overwhelming load.


      In the Gov't environment, this meant security practices were often ignored. Security was considered an additional effort, and the IT groups were not funded for it. Furthermore, there were few security experts (again - they were not funded for and rarely sought out). Often IT workers were oblivious to security practices to begin with.


      In the well-funded corporate environment, implementing security practices involves a great deal of fighting and compromise. There was a well-funded infosec group who championed good security practices. However, the actual admin groups (who were otherwise excellent admins) were rarely knowledgable (or focused) on security issues. Their focus was simply to get things working. Thus, sometimes good security practices went in to place... sometimes security practices were compromised away... sometimes security practices were completely ignored.


      It might be worth making another observation. I used to believe good security practices are just a part of being a good admin. I've changed my mind. It is a sign of an exceptional admin. A good unserstanding of infosec issues requires additional training and understanding that goes beyond the usual realm of administration. Infosec is a specialized skill. As such, those with knowledgeable admins should count themselves lucky. Most organizations will need to hire (or contract) infosec specialists who's focus is on secure (and workable - that's sometimes a tough tradeoff) implementations.

    • One of the sources of insecurity is the fact that many of these programs run at the same security level. The security model in Windows NT is a pretty good one, but how useful is the system if you run as a normal user? How many of us run with Administrative priviledges on the system? How much work is it to set up a new application to work as its own user and then communicate with other applications running as services, authenticated as other users? It's not simple, because many applications seem to assume that they have the right to run as Administrator.

      It's a good idea to run things as Least Priviledge, where a process only has enough rights on the system to do what it needs to, and nothing more. The downside to this is that you have to understand everything the application does. That takes a lot of time and effort, and how often in your average-sized business is there a computer geek on staff who has the time to devote to figuring out how to install the app with just enough priviledges so it will run, but not so many that it is a security risk? Seriously, how much time does something like this take?

      I know it took me years of thinking about it to understand the guts of Windows 9x, and understand and appreciate how it worked so I could get it to do what I wanted it to. Not because I'm not smart enough to figure it out, but just because there was so much other stuff going on that was urgently needed that I didn't have the time to sit down and figure it out. Gradually, bit by bit, I did figure it out. Not just what the software does, but how it works, why it does what it does, what the implications are for configuring it in a certain way and then deciding how to implement it. A similar scenario was encountered with Windows NT and 2000. Just in time for the Windows XP system to come along, with a new set of rules.

      There is a hideous amount of complexity involved with these operating systems, each with their own quirks and behaviors, and understanding everything well enough to be able to dig around in the guts and know what's going on and know how to lock it down is way more than one person can comfortably do if they are doing anything else on the job.

      I don't believe there is any magic bullet solution to this, either. There are common practices and techniques that help with securing your network, but there is no lock-n-load solution. We have found tools that help us along the way, but they only help to implement the strategy - they are not the strategy themselves.

      It's easy to blame Microsoft, because everyone is running their software. That's their own fault - they've monopolized the marketplace such that everyone uses the same platform. Consequently pretty much everyone is vulnerable to the exact same set of vulnerabilities. Any other common platform will likely have vulnerabilities that can be exploited. I'm not convinced that there isn't a code-red like vulnerability out there for Apache, but Microsoft has been targetted. (On the other hand, it's clear that there are significant problems inside IIS, and as a manager I wonder if they shouldn't dump the source code and start from scratch with better coding practices.) I can recall that Apache *did* have a number of exploits a number of years ago, but many of these have been dealt with in the intervening years.

      In any case, I don't think it's either carelessness or incompetence, but marketing. Software under Windows tends to be devastatingly easy to install (compared to Linux, Unix, NetWare and other environments). Mac may be easier. But, just because the software installs easily, does not mean it installs securely. Currently, ease-of-use, ease-to-install and security are at odds with each other.

      The argument has been made to get applications to install with least priviledge by default. It's a good design goal, but I wonder if application developers will ever have that as a fundamental design goal for their software. Usually it's a major accomplishment when the silly thing compiles!
  • Sun needs to get StarOffice 6.0 out the door NOW. Do it while Microsoft keeps getting bad press. I'm a Network Admin at a company with 200 employees and the guys before me never kept licensing info. So, I'm doing a license audit right now. We're either going to be buying a lot of Microsoft Office licenses, or looking for an alternative. I sure wouldn't mind bringing up StarOffice, if a real usable and supported version was out there.

    With the recent change in MS licensing policy NOW is the time for Sun to act and get their product in the door..
    • Re:StarOffice NOW. (Score:2, Insightful)

      by snoozerdss (303165)
      I'd much rather have Sun wait untill StarOffice is a finished product rather then releasing it now while it is unfinished just to grab some M$ Office users.
    • if this keeps up staroffice is going to start selling for $600... but the good news is the upgrade will be only half that... put a little sticker on the side saying, "no talking paperclips/ no hidden remote access booby traps"... isn't it amazing how much people pay for shelfware with huge honking vulnerablities built right in? how much has office made from people that never even bothered to install Access...
    • by wirefarm (18470)
      Sun should be shipping this puppy AOL-style - Glue it in the back of every computer magazine out there. Load up the Windows version and the Linux version on the CD and pump them out into the hands of the public. For now, even the latest betas - they seem rock solid - plus, I'm sure people wouldn't mind updating in a few months, if they need.
      Why exactly isn't this on the CDs of every distro, too? This should be there, as well as Mozilla.
      Those two programs probably make Linux more desktop-worthy than any others, at least for people coming from a Windows environment.
      If you're not really familiar with them, I wrote some pages on the subject - click my sig.
      Cheers,
      Jim in Tokyo

  • I know it's popular to bash Powerpoint, but I have to say that's one product without any acceptable replacements on the linux side. ("Impress" does not. ;)) Have you just never given any presentations that you needed to develop rapidly, or do you have some secret?
    • star office has ...I think it's called presenter... and it's got templates and walks you right through the whole thing. Koffice has something similar but I haven't tried it. IMHO both are acceptable alternatives to powerpoint.

    • magic markers.

      Three colors: red, black, and green.

      With these and a stack of blank transparencies, I can go anywhere, and present a topic to any size audience, on any topic which I am knowledgeable about.

      The only thing this approach lacks is the VERY OCCASIONALLY useful photograph or map.
      • The only thing this approach lacks is the VERY OCCASIONALLY useful photograph or map.

        Althoug h I agree about the occasional use of images/graphics/tables/charts, I think that markers and transparencies take longer to make presentations with.

        I can sit down and fire out a PowerPoint presentation in about 20 minutes. After that, I only need to make content related revisions until I give the presentation. Writing transparencies by hand would take much longer.

  • by Phroggy (441) <slashdot3NO@SPAMphroggy.com> on Sunday October 07, 2001 @04:05PM (#2399212) Homepage
    I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?

    How does that hurt productivity? You seem to be implying that the suit would be doing something productive if he weren't using PowerPoint.
  • All of us DO know that Micro$oft's programs are full of bugs and security holes, but I don't think we should post every security hole on slashdot. Everyone know that M$ sucks, but please: don't post more stuff like this and concentrate on improving whatever is your open source operating system (Linux, FreeBSD, NetBSD, OpenBSD, etc.) because they have security holes too.
    • many /. readers are in tech support, maintaining M$ machines at work. these articles are useful: they serve a practical purpose.

      however, maybe a new category for tech-support issues would be good.

  • This is so f*cking stupid (excuse me lame language, but that's just how I feel about it). If I understand it correctly, the code that is responsible for executing the macros can find them, but the code that it is responsible for finding them (in order to be able to ignore them), cannot find them.

    I could rant on and on, but I'm not going to because, in fact, there just are no words to say how braindead this is.

    • you are quite right. how could this happen?

      Execute-Macro-Code is written by Committee A (well probably Committee J through M, but you know :)

      Detect-Nasty-Macro-Code is written by Committee B.

      Closed source doesn't just apply to not letting outsiders see the source. With large projects like this, the philosophy is competitive: Manager A wants to look Better than Manager B. Thus, Manager A's techies are not allowed to talk to Manager B's techies. Result? Nobody gets to share code.

      One of the great benefits of open source is that it wipes out this kind of stupid, anti-productive competitiveness.

  • It's amazing! (Score:2, Informative)

    by famazza (398147)

    The most amazing thing of all these virii it that they all exist only due to one (and no more than one) function in the whole VBA language:

    • CopyMacro
    Maybe it has another name today, but it means exactly the same, copy a macro from a document to another. THAT'S AMAZING!!! Erradicating all these dam virii is much more easy to erradicate malaria from a non-tropical country, kill all the vectors.

    That's wright we don't even need to kill the vector, all we need is to avoid the vectors to infect the host. This dam macro must not exist anymore!!!

    Simple as that, and M$ doesn't seems to want to solve the problem.

  • what makes a macro hidden? is it a malformed tag?
    • This is what's happening. Documents with macros have a flag set when they are saved. If the user has Load Documents with Macros turned off Excel etc. will not load the documents. But if the documents has macros and the flag is reset using a hex editor the macros will load because only the flag is checked. You cannot assume that the only way to change the contents of a document is via an application, a hex editor works just as well.
  • For versions of Office 2000+: Office Update Wizard [microsoft.com].

    Be forwarned, though, that even WindowsUpdate [microsoft.com] doesn't list ALL of the patches that are out.

  • by hack0rama (253610)
    Does OpenOffice support a scripting similar to the macros in MSOffice ? If so would it be possible to see similar issues with OpenOffice as well ?

    It may not be as bad on Linux/Unix because of the user processes not getting access privilages to do anything nsty, but OpenOffice has a windows version as well.

    If there is a sizable installed base of OpenOffice , then maybe you can imagine OpenOffice script worms doing annoying stuff with user files/mails.
    And if your friendly Mozilla/Kmail/Evolution/PINE mail tool has the MIME type set to open with OpenOffice then it can spread the worm around.

  • by BroadbandBradley (237267) on Sunday October 07, 2001 @04:44PM (#2399429) Homepage
    I work for a BIG company, (fortune 500) that runs MS Exchange server for mail. We recently upgraded from 95 to 2000 just a few months ago. (support for our working Win95 system having been discontinued by MS) The overhead created by all the security stuff running on the network has created lots of problems. Email is no longer 'realtimeish' meaning it may take 1/2 hour to recieve a message sent across our network. When right clicking in my browser window, it takes about 5 seconds for a menu to open (pentium III 500 128meg ram). My home pc runs Linux, and outperfoms my work computer at about half the hardware (PII 266)
    IT has been trying to figure out how to fix the mail delays for a few months now with no progress, and I don't think they even care that it takes me so long to perform functions in the browser, but most of my work is done in web-based tools. MS has the world by the nuts, and they're milking us all!!! at least in my home I still have a choice.

  • For the moment, I'm choosing to believe this is some freaky coincidence, but here's what happened.

    I shut down extraneous programs, installed the new patches and several others from office.microsoft.com [microsoft.com]. After installing the patches it tells me I need to reboot, so I click on the happy little button. In the process of rebooting stuff starts to misbehave and hang. After killing several "not responding" processes, the computer does manage to shut itself down.

    When it comes back on, I find that my keyboard is dead! Not only will the computer not accept keyboard input, but it appears like it has no power at all. The little Caps Lock, Num Lock, etc indicator lights are off and won't respond. Mouse and everything else appears to work fine. So now I shut down my computer entirely, unplug and replug the keyboard, and power it all back up. This time everything works with no problems.

    Little freaky I must say. Never had anything quite like this happen before.

  • My favorite quote in the article is:

    It would require an attacker with a good understanding of the software and how Microsoft file formats are structured to exploit the hole

    Somehow I suspect that line came from a Microsoft PR guy and not Symantec. After all, they know that any script kiddie will be able to easily exploit the hole once a single expert writes the script/program to generate or modify a XLS or PPT file that skirts the security checks. Even Microsoft should know this, but a PR guy's job is to gloss over how serious the problem really is.

    My second favorite quote, immediately after it, reads:

    The vulnerablity was first brought to Microsoft's notice about two months ago by Symantec.

    TWO MONTHS!. I suppose Microsoft had their hands full with all these other worms/virii. Two months to respond to a major hole and write the patch is a great indication of how seriously (not!) Microsoft takes the security of their customers.

  • From the story:

    "The vulnerablity was first brought to Microsoft's notice about two months ago by Symantec."

    Microsoft has known about this vulnerability and has taken two full months to warn users? Disturbing, if not surprising.

  • From the link:
    To deal with this threat, Microsoft has for sometime included a functionality in both applications that scans for the presence of macros in all PowerPoint and Excel documents. The feature alerts users if a macro is detected, allowing the user to decide whether to permit the macro to be executed.

    Last time i checked, most worms were also executed manually by dimwit users...

Unix is the worst operating system; except for all others. -- Berry Kercheval

Working...