
Flaw Finders Lay Seige to Microsoft Office

An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if remained unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"
  • Siege (Score:4, Informative)

    by Anonymous Coward on Sunday July 23, 2006 @03:53AM (#15765255)
    Siege, not seige.
  • Re:Access ? (Score:5, Informative)

    by Frogbert ( 589961 ) <{frogbert} {at} {gmail.com}> on Sunday July 23, 2006 @04:33AM (#15765320)
    Access is a very powerful program, if nothing else it allows you to easily create a frontend to a much more powerful database with very little fuss.

    Access is huge in business because it is trivial to modify the user interface, and to add functionality later on. A massive database solution might do the job faster but if the IT staff can't go in and change the interface every now and then it is pointless. A prime example is upgrading the user interface from the one designed in 1998 for an 800x600 screen to a more recent 1024x768 interface.
  • Apples and Oranges (Score:5, Informative)

    by Umbral Blot ( 737704 ) on Sunday July 23, 2006 @04:54AM (#15765347) Homepage
    Just for clarification the article says that the flaws are being found in the latest production version of office, not the latest iteration (which would imply pre-betas of office 2007 (2008?, whatever)). Obviously it would be stupid to compare the flaws in a production product with those in a pre-beta, which is what the summary on /. seems to imply.
  • by Marcus Green ( 34723 ) on Sunday July 23, 2006 @05:07AM (#15765363) Homepage
    A few years ago I was working on a book where the other editors were using Word and change tracking. I used OpenOffice and was pleased and surprised to find the change tracking worked fine for us. It might be worth urging those folks to register a bug and conditions to cover their experience.
  • Re:Access ? (Score:4, Informative)

    by miro f ( 944325 ) on Sunday July 23, 2006 @06:03AM (#15765415)
    ok, just to clear a few things up:

    1) they're talking about security vulnerabilities, not bugs. I'm sure the number of Office bugs are in the thousands... It's pretty difficult to write a large piece of software without them
    2) The article was stating that 24 Vulnerabilities were found in the current crop of Office, not in the up and coming Office 2007, so your bit about "not available to public" is not applicable
  • by scdeimos ( 632778 ) on Sunday July 23, 2006 @06:17AM (#15765436)
    "Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security."

    Bollocks! They've always posed a danger, it's just that now they're getting some attention. I wonder if they'll look at TrueType/OpenType fonts any time soon - anyone remember the BSOD .ttf file?

  • Re:OpenOffice (Score:4, Informative)

    by davros-too ( 987732 ) on Sunday July 23, 2006 @06:29AM (#15765449) Homepage
    Our (very small) business recently migrated *away* from Open Office. New staff were confused, couldn't do things the way they were used to. They arrive already knowing how to use word, excel, powerpoint (ugh! but it's sometimes necessary) but give them OpenOffice and there is a substantial learning curve. Remember, what slashdot uber-geeks can learn in 5 seconds takes the average person 10 weeks. Since changing to office our productivity on certain tasks such as collaboratively authoring documents has increased substantially. We just send the latest version and they send it back with the edits marked in track changes. Yes, all can be done using openoffice - but not when the customer or client doesn't have open office. Openoffice has to be really, really easy for someone to use who is familiar with office (it's getting closer, but a long way to go). And its ability to save to and read from office formats needs to be a lot better than it currently is.
  • Re:OpenOffice (Score:2, Informative)

    by lukas84 ( 912874 ) on Sunday July 23, 2006 @08:04AM (#15765558) Homepage
    ActiveSync doesn't require Outlook.

    You can sync your device directly to the Exchange server, effectively skipping the need for the installation of any software on the desktop machine.

    You can also use ActiveSync across a GPRS link, and get BlackBerry like functionality (including E-Mail Push).
  • Re:Seriously? (Score:4, Informative)

    by YU Nicks NE Way ( 129084 ) on Sunday July 23, 2006 @10:40AM (#15765846)
    Actually, if Ars Technica [arstechnica.com] is to be believed, the French Office of Defense has done a comparative security analysis, and Open Office lost badly. The kinds of bugs the OO.o had were design bugs; these are file handling bugs. If equivalent design bugs existed in Office, they'd be the ones exploited, not the harder to find and exploit data validation bugs.
  • >Number: 137
    >Severity: critical

    As quoted from the tracker.
  • Re:Automated tools (Score:3, Informative)

    by Anonymous Coward on Sunday July 23, 2006 @02:22PM (#15766435)
    Office runs a ton of automated tests against the product (running well over 1 million scenarios a week). Hell, there is a lab with 1400 computers in it dedicated to doing nothing but running tests against a developer's changes (before they check in).

    The fact of the matter is that fuzzing tools weren't very common while Office 2003 was being developed; while I'm sure the concept has existed for quite a while, the first I'd heard of it was around 2004, and it wasn't until 2005 that I saw much in the way of 3rd party tools.

    Fuzzers ARE being used in tests for Office 12, for whatever that's worth...
