PowerPoint ZeroDay Vulnerability Exploited 140
whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case. From the article: "This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack."
Re:Office Vulnerabilities (Score:3, Informative)
Do you really need powerpoint or similar? (Score:3, Informative)
There are web content tools designed to work well even for your average aging office typist who is scared of computers.
Re:Do you really need MS Office? (Score:3, Informative)
What? Office ain't light on ram either boy.
you're not going to need support,
I've never known Microsoft to allow any arbitrary Office user to phone them up...
You're not going to need the pre-written macro code which is everywhere for Office,
If I wanted to script my documents, I'd use LaTeX and do it properly.
you don't need the excellent VBA IDE,
??? What is that?
you don't need the excellent documentation,
I've found that most of their documentation doesn't cover odd corner cases, that "clippy" is useless and trial and error is usually the best way to go with either suite.
As to the rest
And again for the Macros. Dude, go teach yourself LaTeX. That's how you script a proper document.
Tom
Re:Do you really need MS Office? (Score:5, Informative)
If you have enough RAM for access you have enough ram for office.
"you're not going to need support,"
If you need support you can buy it from Sun. You may have heard about Sun. I think they are a pretty large company.
"you're not going to need the pre-written macro code which is everywhere for Office,"
Office by default will not let you execute macros. Most organizations turn off the macro execution as a group policy in AD. Having said that if you have willingly chosen to open up your desktop to macro exploits and have willingly chosen to lock yourself to a vendor then you can't switch. Vendor lock sucks for an organization though. From now on you are no longer allowed to use any non MS office software ever. Good for them, sucks for you.
"you don't need the excellent VBA IDE,"
See above. You can script OO in python though, much better then VBA as far as I am concerned. There are several python IDEs around too last I checked.
"you don't need the excellent documentation,"
Wait let me check my office manual to see if it's better then the OO manual. Ooops looks like I didn't get an office manual. Seriously... There is excellent OO documentation. There are also several books which are cheaper then office.
"you're not going to use the entire systems implemented in Office (Excel and Access systems are commonplace where I work, they're commercial and not in-house software)"
If you are buying commercial apps they can (and should) use the office developer toolkit to deliver you a runtime. If they are forcing you to buy office just to run their apps then you are getting screwed. Also see the above remark about vendor lock.
"you don't mind not being able to properly use the documents everyone outside your organisation will be using, and the documents your employees will be bringing from home,"
Keep a copy of office around for those rare documents that don't translate properly. Tell your employees to use OO at home if they want to work from home. All companies have document standards.
"you don't mind the GUI not matching the rest of your system,"
When office 2007 comes out the GUI of OO will more closely match your XP box then office will.
"you don't mind using a piece of software which no-one will have audited,"
What makes you think office was audited? Who audited that commercial software package you got from that commercial vendor (you know the one that requires office to run). Who audited that messenger program half of your staff is using? I have news for you. 100% of the corporations in the world are running at least one piece of un-audited software.
"you can't wait for Office 2007 for ODF,"
The ODF support in 2007 will be read only. It will also be crippled from the looks of it.
"and you don't need a rich macro API."
You have no idea what you are talking about. None at all. Every part of OO is scriptable.
"Disclaimer: I'm not an MS fanboy, "
Yes you are. If you weren't you would not have lied so much.
Link about the actual virus (Score:3, Informative)
http://www.symantec.com/enterprise/security_respo
Apparently the victim launches the PowerPoint slide show (probably spread via email like every other virus) and it uses PowerPoint to drop the virus and infect the machine. Although the link doesn't say, my guess is that it does this without prompting the user if it's okay to run a macro.
The virus also displays a slide full of Chinese (?) characters. Anyone know what that translates to? "All your slide are belong to us"?