
PowerPoint ZeroDay Vulnerability Exploited

whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case. From the article: "This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack."
  • by Anonymous Coward on Sunday July 16, 2006 @06:59AM (#15727479)
    Interface is everything.

    MS Office is hardly the best example of a good interface. However, it blows OpenOffice out of the water.

    Why do you think the popular glorified window managers of Linux try to emulate Windows as much as possible? (Though in that case, it's really a moot point. At that level, familiarity of the interface is a far second to applications that are already and must continue to be in use.)
  • Word resume (Score:3, Insightful)

    email it in Word format to a recruitment agency (why they wouldn't accept PDF is beyond me)

    Why? Because before the first living soul casts a glance on your resume it will be sifted for keywords, dragged through filters and rendered in some uniform way. And guess what, PDF is a presentation format, not a data storage format - there is no guarantee that you get the original textual data back from an arbitrary PDF document. So they don't accept any PDFs.

  • by jonbryce ( 703250 ) on Sunday July 16, 2006 @07:37AM (#15727544) Homepage
    If OpenOffice is about 95% compatible with Office 2003, then Office 2007 must be about 50% compatible with it. Does that suggest that people will switch to OpenOffice rather than Office 2007?
  • by Darundal ( 891860 ) on Sunday July 16, 2006 @07:52AM (#15727576) Journal

    Then again, even if it was wholly compatible and faster, the majority of users out there don't even know that alternatives exist. They can't switch if they don't know an alternative exists. The majority of users see their computer as a mystical box that "just works" and see constant attack by spyware, adware, viruses and other malware as a price of using the computer. They think that Microsoft is required for their computer to run. They make a minimal differentiation, if any at all, between Windows, Office, IE, Outlook Express, etc. They make the differentiation only in the name of the icon they click and what types of things they can do once the window pops up. Even though they may whine, moan, bitch, and complain about something on their computer, most, even if presented with an alternative, would say no because they would honestly be scared at the prospect of their box suddenly working differently, and would see differences in such trivial things as menu placement as design flaws.

  • Plus with an open documented format, you can weed out a lot of things by parsing the document...

    Embedded binaries, recognisable shellcode, macros, and many other nasties embedded in an open document can be detected, and the xml data itself can be validated against the schema to further cut out a percentage of nasties...
    MS on the other hand uses a binary blob, which is much harder to sort through.
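
The kind of package inspection this comment describes, as an added example that is not part of the original thread: it reads an OpenDocument zip package's manifest and flags macro modules, embedded binary objects, and files the manifest does not declare. The function names, the flagged path prefixes and media types, and the sample package are assumptions of this example, and it does not do the schema validation the comment also mentions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_URI = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
NS = "{%s}" % MANIFEST_URI
# Assumed policy for this example: package paths and media types worth flagging.
SCRIPT_PREFIXES = ("Basic/", "Scripts/")
BINARY_TYPES = {"application/vnd.sun.star.oleobject", "application/octet-stream"}


def scan_odf(data: bytes) -> list[str]:
    """Return findings for one ODF package given as raw bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        if "META-INF/manifest.xml" not in names:
            return ["no manifest: not a valid ODF package"]
        # Stdlib parser for brevity; a mail gateway should use a hardened one.
        root = ET.fromstring(pkg.read("META-INF/manifest.xml"))
        declared = {}
        for entry in root.iter(NS + "file-entry"):
            declared[entry.get(NS + "full-path") or ""] = entry.get(NS + "media-type", "")
        for path, mtype in sorted(declared.items()):
            if not path or path.endswith("/"):
                continue  # package root and directory entries
            if path.startswith(SCRIPT_PREFIXES):
                findings.append(f"macro/script: {path}")
            elif mtype in BINARY_TYPES:
                findings.append(f"embedded binary: {path} ({mtype})")
        # Anything stored in the zip but missing from the manifest is suspect.
        for name in sorted(names - set(declared)):
            if name != "mimetype" and not name.startswith("META-INF/"):
                findings.append(f"undeclared file: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed package: one macro module, one OLE object, one stray blob."""
    declared = [("/", "application/vnd.oasis.opendocument.text"), ("content.xml", "text/xml"),
                ("Basic/Standard/Module1.xml", "text/xml"),
                ("Object 1", "application/vnd.sun.star.oleobject")]
    rows = "".join(f'<m:file-entry m:full-path="{p}" m:media-type="{t}"/>' for p, t in declared)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("META-INF/manifest.xml", f'<m:manifest xmlns:m="{MANIFEST_URI}">{rows}</m:manifest>')
        for path, _ in declared[1:]:
            z.writestr(path, b"constructed placeholder")
        z.writestr("payload.bin", b"\x00\x01")  # not listed in the manifest
    return buf.getvalue()
```
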
  • by miro f ( 944325 ) on Sunday July 16, 2006 @10:31AM (#15727923)
    Audits don't have to be done by the people who wrote the code..


    No, but they're generally done by people who can at least look at the code. Not to mention they usually don't use the knowledge gained from their audit to maliciously attack other systems.

    You're calling the many hackers willing to "audit" MS Office for vulnerabilities a benefit now? I find it difficult to comprehend your argument here...
