Flaw Finders Lay Seige to Microsoft Office 149

Posted by ScuttleMonkey
from the flaw-finders-tarred-and-feathered dept.
An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if left unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"
  • by also-rr (980579) on Sunday July 23, 2006 @02:45AM (#15765243) Homepage
    I wish someone would do this much work for OpenOffice - I mean, think of how many $ of pen testing Microsoft is getting out of this deal, and all for free! Now they just need to put some decent programmers on it to clean up bugs and they will end up with a nice solid, secure codebase.
  • Seriously? (Score:3, Funny)

    by Anonymous Coward on Sunday July 23, 2006 @02:48AM (#15765249)
    Guys, guys. There's nothing wrong with Microsoft Office.
    • Re:Seriously? (Score:5, Insightful)

      by Enderandrew (866215) <.enderandrew. .at. .gmail.com.> on Sunday July 23, 2006 @06:41AM (#15765524) Homepage Journal
      I'm guessing this comment was made in a facetious tone.

      I love FOSS. I'll use it every chance I can get. I will sing the praise of FOSS all day long.

      However, Office is one of the best products Microsoft has ever put out. It is feature rich, the new UI in Office 12/2007 is damned clever, and despite all the bells and whistles, it loads extremely fast.

      KOffice isn't nearly as powerful. OpenOffice.org is slow and bloated. I'm also not crazy about how 20% of the program is in Java.

      The big knock on MS Office is the security flaws that come from macros. Just turn them off. And people have done proof-of-concept macro exploits with OpenOffice as well. The reason that we see so many in MS Office is because people specifically target it. If hackers targeted OpenOffice as often, you'd likely see the same number, if not more exploits.

      But honestly, MS Office is a pretty solid product.
      • If hackers targeted OpenOffice as often, you'd likely see the same number, if not more exploits (than MS Office).

        You can't honestly say that. All you can really say is that there may be more exploits found. More people looking for exploits doesn't mean that they will either find them or that they are there to be found. Even then, with more unknown flaws existing in OpenOffice, you can't make a quantitative comparison between the two totally unrelated code bases.

        • Re:Seriously? (Score:4, Insightful)

          by Enderandrew (866215) <.enderandrew. .at. .gmail.com.> on Sunday July 23, 2006 @07:00AM (#15765552) Homepage Journal
          OpenOffice's code isn't exactly free of bugs. Given that it is open-source, it would be very easy to discover (if not plant) exploits. I advocate open-source software. And I'm glad that projects like OOo are around. Don't get me wrong. But office suites in general form some of the largest applications we have. There is just a butt-load of code there. So flaws are bound to pop-up. And people do specifically really target Microsoft.

          I still believe Office to be one of the best products they put out. And I do believe (though I can't quantify with real evidence) that you could easily see the same type (and number) of exploits in other office suites if they were targeted as often.
          • Given that it is open-source, it would be very easy to discover exploits

            The exploits that are easy to find are very likely to already have been found
            by the developers. The exploits that are difficult to find are the ones that
            we're worried about (although the developers have the advantage there too since
            they tend to know the code more intimately).
            • If you find a crash with an automated fuzzer, you can then track it back to the source and come up with an exploit more easily, even if the bug itself is highly non-obvious. Just an observation. You obviously need to do some reverse engineering on the MS Office binaries to do the same thing today.

              Of course, for OOo, just about anyone is theoretically free to track the complete bug down and provide the fix, while we can just report it in the MS case. It goes both ways, but having access to the source doesn't me

              • Actually, if it's a stack-smasher kind of bug, you can often exploit it from a fuzzer without ever looking at the code, because very often what the code ends up doing is jumping to an address contained in the fuzz sequence.

                So your program crashes with a PC=0xdeadbeef (as an example), you search the fuzz data for the sequence 0xdeadbeef, and try changing the fuzz data to 0xbeefdead, and if that's the new PC in the crash, you simply put a really short break-me sequence in front of it, and change the PC to t

        • Re:Seriously? (Score:4, Informative)

          by YU Nicks NE Way (129084) on Sunday July 23, 2006 @09:40AM (#15765846)
          Actually, if Ars Technica [arstechnica.com] is to be believed, the French Office of Defense has done a comparative security analysis, and Open Office lost badly. The kinds of bugs OO.o had were design bugs; these are file handling bugs. If equivalent design bugs existed in Office, they'd be the ones exploited, not the harder to find and exploit data validation bugs.
      • and despite all the bells and whistles, it loads extremely fast

        Um, you do realize that it adds a pre-loader to the machine startup so that it's running whether you're using it or not, and that's why it fires up so fast, don't you?

        • I always remove that from my startup group actually. And even without the preloader, on these crappy dells at work with 512 megs of memory and celerons, Excel opens in 2 seconds. I really wish I could say the same thing about OpenOffice. I use preload on my Gentoo box with OpenOffice, but it is just slow.
          • Yup. Agree with you. On my 512MB AMD Athlon system, MS Office 2000 loads up MUCH faster than any other program (other than Notepad).

            Whatever flaws MSFT may have, their Office is a SOLID product.

        • It does not, and has not done so in Office 95, which was released eleven years ago. Check your task manager display.
  • Siege (Score:4, Informative)

    by Anonymous Coward on Sunday July 23, 2006 @02:53AM (#15765255)
    Siege, not seige.
  • by kripkenstein (913150) on Sunday July 23, 2006 @02:54AM (#15765259) Homepage
    The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.

    This is in tune with the general movement of virus and trojan writers to make money for their work, that we have been seeing in recent years. Internet Explorer was a good way to reach as many people as possible, but such attacks are also quickly detected, since they affect many people. So you make some money (for porn ads, most likely), then stop. With Office, you can attack fewer targets, but get paid well for your efforts, and no-one ever hears about it.

    This sort of corporate espionage can go on for years without any antivirus vendor even getting the chance to encounter the malware. In addition, virtually 100% of corporations use Office; it's easier to leave IE in favor of Firefox than Office for OpenOffice. So targeting Office makes a lot of sense.
    • Also, with many IE flaws (and the OS itself) being fixed, it probably becomes much easier picking up the "dormant" office app's and find the more flagrant flaws.

      After a period of intense fixing on a component, one expects the remaining flaws to be harder to find - not that there aren't any, of course.

    • This sort of corporate espionage can go on for years without any antivirus vendor even getting the chance to encounter the malware.

      Are you saying that it could happen or you know it does happen? It sounds like the latter.

  • The worst form of "more than" abuse is, of course, when people use it with flagrantly non-round numbers. "More than 274 parts", "More than 6831 batteries", etc.

    The second worst form -- which this OP engages in -- is nonsensical math. If 24 faults is "more than six times" the number of faults in the previous year, then the number of faults in the previous year was 1, 2, or 3 (if there were 4 in the previous year, 24 would be exactly six times as many). Yeah, the previous year could have been zero, but 1) I know office better than that, and 2) let's give the OP at least a tiny bit of credit.

    So, ok, we're up from between 1 and 3 to 24. "More than six times"? Well, if the previous year was 3, "more than seven times" would be more accurate. If the previous year were 2, "twelve times" would suffice. And, god help us, if there were only one in the previous year, "compared to only one last year" is probably better than "24 faults, which is 24 times more than last year."

    Please, join me in the crusade against "more than" abuse. It does give extra punch to a sentence, but only if used properly.
    -b
    • While I applaud your Campaign for Realistic Analysis in the Press, and wince at "more than", "over" and "almost" abuse, one must appreciate that the "extra punch" is all they really care about. Consider the target audience — they're hardly the type to be subscribing to PhysicsWorld, much less check the figures, are they?
    • Obviously they had 3.5 faults last year.
    • by lav-chan (815252) on Sunday July 23, 2006 @04:15AM (#15765377)

      The article actually says that it was exactly six times more (the software giant has detailed at least 24 Office flaws found by outside researchers in its monthly bulletins, six times the number of Office flaws found in all of 2005), so this isn't really a simple case of wanting 'extra punch'. Either the person who wrote the summary read the article wrong or it's some insidious (yet extremely subtle) attempt at making Microsoft look worse than it really does. Um, probably the former.

    • We want to help you. I'm recommending you immediately pry the ">" key from your keyboard and put it into quarantine until this abuse can be isolated and dealt with properly. The Math Police have been informed of your IP address, and will be pinging you shortly with additional instructions. Do not panic. Help is on the way.
    • There were up to 10x or more flaws in Office discovered this year than the previous year.
  • Apples and Oranges (Score:5, Informative)

    by Umbral Blot (737704) on Sunday July 23, 2006 @03:54AM (#15765347) Homepage
    Just for clarification the article says that the flaws are being found in the latest production version of office, not the latest iteration (which would imply pre-betas of office 2007 (2008?, whatever)). Obviously it would be stupid to compare the flaws in a production product with those in a pre-beta, which is what the summary on /. seems to imply.
  • by infolib (618234)
    KDE and GNOME could really use this as well. Security through minority is only so feasible. Is anyone working on something similar?
  • More than 6 times? (Score:2, Insightful)

    by Kijori (897770)
    Why would they write this? 4x6 is 24, and every integer under 4 is a factor of 24. So they could have said "8 times as many", or "12 times as many". But why "More than 6 times"?
  • All of these flaws deal with documents and the answer is obvious: you need to have anti-virus anyway, and it's easier for AV to cover these flaws quickly than for Microsoft to patch them quickly. So for any responsible organization it's not a problem for very long.
    • The problem with most of these exploits is that they are highly targeted. This means that AV vendors often never get the infected sample until much later - after the damage is done - if ever. Companies are loathe to disclose the fact that they've had a security breach to anyone - even upper-management - let alone outside AV vendors. This means the exploit can be abused for long periods of time with many different targeted victims before it even gets on the AV radar. This whole time, my company might be

  • Who thought that "Flaw finders" were people who found flaws in Finder? That's even easier than finding flaws in Microsoft software....
  • by hahn (101816) on Sunday July 23, 2006 @05:04AM (#15765417) Homepage
    Okay, 24 flaws were found. And yeah sure, it could be that it was actually "six times more than" (see the great post about "more than" abuse) found in all of 2005. It could just mean that they've been looking harder this year, not because flaws didn't exist before. The longer the program has been in development, the longer they have had to expose flaws. Plus, we really don't know anything about these "flaws". The article is very vague. We don't know the nature of the flaws, how difficult they will be to fix, or even how likely any hacker would be able to even use the flaw to do any serious damage.

    And on the topic of flawed interpretation, I really must protest the comparison of an entire suite of at least 4 applications to ONE (internet explorer). That's worse than meaningless - that's just plain stupid.

    You know how the saying goes about statistics - "The average human being has one breast and one testicle."

  • by scdeimos (632778) on Sunday July 23, 2006 @05:17AM (#15765436)
    Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.

    Bollocks! They've always posed a danger, it's just that now they're getting some attention. I wonder if they'll look at TrueType/OpenType fonts any time soon - anyone remember the BSOD .ttf file?

  • The bugs were found with automated tools that make "broken" files. Seems to work well. Means there will be a much higher detection rate and it is much harder to keep up with patching.

    Also Office is the new vector of attack, no longer IE or email. Office is now the format for the web, and people can't avoid opening files coming from the outside. A good reason to examine it closely.
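    Two things in this thread lend themselves to a worked example: the "broken files" mutation fuzzing mentioned just above, and the crash-to-control trick described a few comments up (the program dies with PC=0xdeadbeef, you search the fuzz data for that sequence, swap it to 0xbeefdead, re-run, and see whether the PC follows). The block below is an added example and is not code from the article, from Microsoft, or from any commenter. Everything in it is constructed: simulated_target() is a hypothetical toy parser for a made-up "FZ" file format that stands in for running the real binary under a debugger and reading the faulting PC; the SEED file is constructed; MARKER plays the role of 0xbeefdead.

```python
"""Mutation fuzzing plus crash-to-control triage (added example, constructed)."""
import random
import struct

MARKER = 0xBEEFDEAD  # distinct value written over the suspected return-address bytes


def simulated_target(data: bytes):
    """Hypothetical stand-in for running the real program under a debugger.

    Toy "FZ" format (made up for this example): magic "FZ", one length byte,
    then payload. The pretend parser copies `length` payload bytes into a
    16-byte stack buffer, so payload bytes 16..19 land on the saved return
    address. Returns the faulting PC on a crash, or None on a clean parse.
    """
    if len(data) < 3 or data[:2] != b"FZ":
        return None                       # rejected before the copy happens
    length = data[2]
    payload = data[3:3 + length]
    if length <= 16 or len(payload) < 20:
        return None                       # fits the buffer, or too short to reach the return address
    return struct.unpack("<I", payload[16:20])[0]


def locate_pc(data: bytes, pc: int):
    """Offsets at which the crash PC appears in the fuzz input, in either byte order.

    Little-endian is tried first because that is how x86 stores a saved return
    address; overlapping occurrences (e.g. long runs of 'A') are all reported.
    """
    hits = []
    for fmt, order in (("<I", "little"), (">I", "big")):
        needle = struct.pack(fmt, pc)
        idx = data.find(needle)
        while idx != -1:
            hits.append((idx, order))
            idx = data.find(needle, idx + 1)
    return hits


def confirm_control(run, data: bytes, pc: int):
    """The swap test from the thread: overwrite each candidate occurrence of pc
    with MARKER, re-run, and return the offset whose patch moves PC to MARKER."""
    for offset, order in locate_pc(data, pc):
        fmt = "<I" if order == "little" else ">I"
        patched = data[:offset] + struct.pack(fmt, MARKER) + data[offset + 4:]
        if run(patched) == MARKER:
            return offset, order
    return None  # PC was not copied verbatim from the input (computed pointer, heap copy, ...)


def mutate(seed: bytes, rng: random.Random, flips: int = 3) -> bytes:
    """Dumb mutation fuzzer: overwrite a few random bytes of a valid file."""
    buf = bytearray(seed)
    for _ in range(flips):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(run, seed: bytes, iterations: int = 5000, rng_seed: int = 1):
    """Feed mutated files to the target until one crashes; return (input, pc) or None."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        case = mutate(seed, rng)
        pc = run(case)
        if pc is not None:
            return case, pc
    return None


# Constructed seed: a valid FZ file (8-byte payload) with trailing padding so
# that a mutated length byte can push the copy past the 16-byte buffer.
SEED = b"FZ" + bytes([8]) + b"A" * 24


def triage(seed: bytes = SEED):
    """End to end: fuzz, take the first crash, find the PC in the input, confirm
    by the swap test. Returns (crash_pc, controlling_offset, byte_order)."""
    found = fuzz(simulated_target, seed)
    if found is None:
        return None
    case, pc = found
    ctl = confirm_control(simulated_target, case, pc)
    return (pc, None, None) if ctl is None else (pc, ctl[0], ctl[1])


if __name__ == "__main__":
    print(triage())
```

    With the constructed seed the controlling bytes always sit at file offset 19 (payload offset 16), which is what triage() reports. The swap test only proves control when the return address is copied verbatim from the file, as the 2006-era comment assumes; on a target built with stack canaries, NX or ASLR the crash looks different (an abort in the canary check, a fault at a non-input address), and the triage has to move to a debugger and the source or disassembly.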
  • by Anonymous Coward
    Office System is not just a Business Application, it is an entire Business PLATFORM, hence why it's called Office SYSTEM.

    Anything built on top of Office System will also be targeted. Office is not just about Outlook or Word or Excel anymore. It is an entire ECOSYSTEM for business.

    My company business unit is building upon O12 System. This is a great reason to be concerned. It offers A LOT for free (including the vulnerabilities due to its inherent complexity and visibility)
  • It seems amazing to me that there are so many very critical flaws in Microsoft products. If someone else can find the flaws, why didn't Microsoft?

    I've heard that Microsoft is managed in such a way that programmers don't have time to finish their work. I know that Microsoft makes more money if there are more flaws, because users can be expected to upgrade.

    However, it seems that there are too many bugs for that to be the whole explanation.

    So, why, year after year, has Microsoft been at the top of the vulnerabilities list? I don't accept the argument that "software is complex, and always has bugs." There are people [openbsd.org] who know how to write complex software that is secure. Microsoft could certainly hire such people. If the company wanted to have software that was relatively free of vulnerabilities, it could.

    The argument that Microsoft vulnerabilities get more attention doesn't seem adequate to me to explain the huge number of very severe bugs.

    But, what is the explanation?
  • Automated tools (Score:4, Insightful)

    by fermion (181285) * on Sunday July 23, 2006 @08:39AM (#15765729) Homepage Journal
    The article seems to decry the use of automated tools to find these flaws. The question to be asked then is, if the automated tools are so easy to use, why do software developers not use them to find flaws?

    Is it somehow considered "unfair" to use these tools? Does MS already know of the flaws found by these tools and has just chosen not to fix them? Do the OO.org people run these tools against the OO.org suite?

    From a practical point of view, these tools just seem like regression tests. Tests that we all know we should run, but few take the time to do so. And as software developers, not running regression tests really puts the responsibility for the flaws in the developers' lap, not QA's or the user's.

    • Re:Automated tools (Score:3, Insightful)

      by ZorbaTHut (126196)
      Because software developers don't think of it. Because you need computers to run these on, and that means you have to justify, to your superiors, why you need a computer just to run an automated fault-finding program on. Why not just, you know, stop making mistakes?

      Automated tests are fantastic, and I use them extensively, but not many developers do the same.
      • Re:Automated tools (Score:3, Informative)

        by Anonymous Coward
        Office runs a ton of automated tests against the product (running well over 1 million scenarios a week). Hell, there is a lab with 1400 computers in it dedicated to doing nothing but running tests against a developer's changes (before they check in).

        The fact of the matter is that fuzzing tools weren't very common while Office 2003 was being developed; while I'm sure the concept has existed for quite a while, the first I'd heard of it was around 2004, and it wasn't until 2005 that I saw much in the way of
