
PowerPoint ZeroDay Vulnerability Exploited

whitehatlurker writes to mention a WashingtonPost.com article about another unpatched flaw with Microsoft Office. The bug, part of the PowerPoint software, has already been used in the wild, and may be connected to an industrial espionage case. From the article: "This undocumented flaw does not appear to have been addressed in any of the 13 security updates Microsoft shipped this week to mend a variety of problems in Office software. As Security Fix and others have noted, some of the work Microsoft has done in hardening the security of the Windows operating system has forced the bad guys to look for lower-hanging fruit in applications that run on top of Windows, so we may see more Office flaws under attack."
  • by kcbrown ( 7426 ) <slashdot@sysexperts.com> on Sunday July 16, 2006 @06:41AM (#15727451)

    ...because more vulnerabilities will cause more people to consider switching to something like OpenOffice, right?

    Yeah right. The vast majority of the people who stick with Office these days are people who won't switch unless the alternative is 100% in every way, shape, and form "compatible" with (which to them means exactly the same as) Office.

    Must be nice to be Microsoft, where you don't have to give a shit about your customers...

  • by pieterh ( 196118 ) on Sunday July 16, 2006 @06:47AM (#15727464) Homepage
    The question people need to ask is not, "why should I switch to OpenOffice", but "what is the killer feature in MS Office that I absolutely need?" Do you really need to be able to run Word on a PDA? Do you need a smooth integration between Office and Exchange? Perhaps, but it's worth reevaluating.

    If the cost-benefit ratio is not strong enough to make the cost and insecurity worthwhile, abandon MS Office and use OOo. For most people it's a lot less painful than it sounds. I've even seen OOo spread like a fashion in some teams that were 100% Microsoft, as they discovered that OOo does actually work very nicely, and as they started using ODF as a standard in place of Microsoft's own formats. We did this a long time ago... we get a consistent set of tools on Windows and Linux, and documents that now conform to a global standard and which I know will still be readable in 20 years' time, whatever software or platform I'm using.

    There are many alternative office suites and OOo has its flaws, mainly it's a bit slow, but it has a feature set that hits 100% of what we've used - for documents, spreadsheets, simple graphics, and presentations - for years. And I don't get the feeling, when I run it, that I'm running a code base that has hundreds of undocumented backdoors, caused deliberately, or accidentally.

  • by pieterh ( 196118 ) on Sunday July 16, 2006 @07:12AM (#15727505) Homepage
    Yes, the problem of "send this document to random people" is a real issue.

    However, since OpenOffice has had a "create PDF" feature for ages, and since it produces really elegant PDFs, this is a solved problem.

    I much prefer sending PDFs to editable documents because it prevents random modifications. When people do have to collaborate on writing a document, they can install OOo without much effort, and it is easy to learn, despite not being MS Office.

    I've seen many people learn to use OpenOffice and the suggestion that its interface is hard to use is untrue. I've literally given non-technical people (office admins, sales and marketing people) a Linux box with OpenOffice and said, "go for it", and they've produced documents and spreadsheets and presentations without asking anything after, "what printer do I use".

    PDFs are the answer to distributing prepared documents. PDF or HTML works fine for presentations. And if you *really* need to send someone an MS-Office format document, you use the "Save as" function to create it.

    And this model has let us use OO for 4-5 years in a world where almost all of our clients use MS-Office. It works.
  • by Knutsi ( 959723 ) on Sunday July 16, 2006 @07:26AM (#15727523)
    It appears to me that it is hard to find software that cannot be exploited somehow, given enough time to dig into every possible way of doing so. Isn't this an indication that there is simply something wrong in the way software is put together and executed? Maybe the people who design APIs, compilers and whatever is used to make software need to rethink the way the stuff works... or maybe software is quite simply such a complex task of engineering that to keep it possible, it must also be possible to exploit.

    I have of course no idea how to change the world, or I'm sure I'd be either very rich, very famous or both ;)

    Take it away now,
    . Knut

  • Does that suggest that people will switch to OpenOffice rather than Office 2007?

    I'm running the beta of Office 2007 now, and there's no doubt that it's the biggest change to the Office interface since the switch from DOS. The new "ribbon" interface is a little easier for novices to do normal tasks with, but is a real hindrance to power users familiar with the '95-03 style Offices.

    Anyone who's already productive with the older apps will find it easier to shift to OOo than to Office 2007. There's a few new tricks under the hood of the suite, but nothing compelling enough to pay the cost of the new version. In fact, Access coders are definitely going to want to look for alternatives. The new version is pitched much more at desktop experimenters, to the serious detriment of professional developers.

  • I used to think that but you will pick up the ribbon fairly quickly

    I've been using it for a fair while now, and it still annoys me. Thing is, at the end of the beta period I'm going to have to decide whether to stick with my existing Office version (XP), switch to Open Office, or upgrade to Office 2007.

    Right now, I just can't see any reason to upgrade. I've been an Office developer for more than a decade (switched from Paradox/Lotus to Office/Access 95), so this is a big decision for me. I've been a fairly vocal critic of MS since they started their customer harassment phase - I keep the install disks of my first Office XP Developer edition install nailed to the wall in front of me. It's there to remind me that I paid AU$1500 for a tool that won't activate on any computer in existence today.

    I've never had an alternative until now though, and even if OOo isn't a perfect replacement, at least it's a way out of the trap. If I and others start developing for it and using it, we'll be well on the way to creating the platform OOo is going to need to hit critical mass.

  • Re:Word resume (Score:1, Interesting)

    by newt0311 ( 973957 ) on Sunday July 16, 2006 @02:08PM (#15728635)
    You have mentioned a very good point here and that is the difference between a data storage format and a presentation format. The problem with your argument is that Word format is still NOT really a data storage format either. SGML, TeX (LaTeX), XML, etc. are actual data storage formats. These formats store conceptual info (like this text is supposed to be emphasized or this is a chapter heading) and then something like an interpreter along with style sheets is used to interpret the data present and render the data into a presentation format like PDF. That is not the case with Word format. Word just contains data like this text is bolded, there are newlines here, this text box goes here. That is exactly what PDF is like, just not as good. So in effect, both Word and PDF could have been accepted and the PDF would have been easier to parse through since the PDF standard is openly publicized by Adobe and IMHO very easy to use (PDFs are inherently text files with the occasional binary blob and are neatly divided into discrete objects, Word format is who knows what). The ideal solution for the rearrangement you have indicated would be something that was designed for it like the aforementioned SGML, TeX, XML etc. In these languages, it is possible to explicitly mark data by what it actually IS and then leave the job of interpretation to outside libraries and programs.

    Both PDF and Word are the same thing in a different form: WYSIWYG PRESENTATION formats.
