Flaw Finders Lay Siege to Microsoft Office

An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if remained unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"
  • Is OpenOffice ready? (Score:5, Interesting)

    by kripkenstein ( 913150 ) on Sunday July 23, 2006 @04:13AM (#15765289) Homepage
    I guess it sucks if your business requires some esoteric feature in Microsoft's expensive and proprietary office software, but it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.

    Personally, I use OpenOffice, but from what I hear it's not that easy to use OpenOffice for many corporations. Some people I know are in the process of building a tech company, and they wanted to use OpenOffice, both because of the cost and because of the security. But some testing revealed that a single feature made that impossible for them: 'track changes' worked fine in OO, but opening a document from Office with change tracking never succeeded 100%. Apparently they plan to collaborate on documents with people outside their organization, so that's a problem. Sadly it looks like they will be buying Office licenses soon.

    OpenOffice is great for a home user, but 'enterprise-oriented' features like tracking changes with people using Office are a must for some corporations. Until OpenOffice gets this sort of stuff to work, I can't completely agree with the quote above.

    Although, given the security risk for Office users - which we can't even evaluate, as I'm assuming most corporate espionage is never discovered - it might be rational to find a way to live without some of the features in Office. Or, alternatively, to run Office on Crossover Office on Linux (assuming some of the trojan functionality, e.g. calling home, depends on ties with the underlying OS, which makes sense to me).
  • by LoonyMike ( 917095 ) on Sunday July 23, 2006 @04:33AM (#15765319)
    Also, with many IE flaws (and the OS itself) being fixed, it probably becomes much easier picking up the "dormant" office apps and finding the more flagrant flaws.

    After a period of intense fixing on a component, one expects the remaining flaws to be harder to find - not that there aren't any, of course.

  • Re:Access ? (Score:3, Interesting)

    by vux984 ( 928602 ) on Sunday July 23, 2006 @04:41AM (#15765329)
    Access actually has a number of uses in the business world, and even the enterprise.

    Even in larger businesses, where a major enterprise database/system would NEVER be written in "access" it's not uncommon for a little access app to be written as a custom front end to some aspect of an mssql server database. In fact that's one of access' strengths, it's actually a pretty good RAD (rapid application development) tool for building simple UI front ends for larger databases. And since Access is bundled with Office Pro it's basically "free" in this environment.

  • Re:OpenOffice (Score:5, Interesting)

    by vux984 ( 928602 ) on Sunday July 23, 2006 @05:10AM (#15765369)
    If the business case for switching to OO were that clearcut, you think MS Office would still be around?

    Yes. Absolutely. "Nobody ever got fired for recommending Microsoft Office."

    I know several businesses where 90% of the users don't need much more than WordPad who are running MS Office Pro. They only use spreadsheets at all because the "table" layout makes doing certain types of form easier -- they have timesheets, expense sheets, etc that don't even use calculations. They don't use powerpoint or access or even outlook. (they're on a corporate webmail)

    They DO NOT need several hundred licenses of MS Office.

    But the IT director authorizes Office Pro on every new desktop. There is no business case for it. When I suggested they cut costs and standardise on OO on at least the machines that are being used by low level staff to fill out their time sheet and read office memos I just get a blank stare.

    They've never heard of it, don't believe that it could possibly meet their needs (which they've clearly never actually assessed), and they have ZERO intention of even looking into it. Worse they've been gradually growing, and new machines come with new office the old machines have "old office".. so they are supporting users with every version office since 95.

    It's sad.

    FWIW I *have* converted a couple companies to OO, and the most recent was done as part of a general upgrade. We pulled out boxes with Win98 and Office 98 and dropped in new XP Pro boxes with OO. We set the defaults to use office formats so there would be minimal transition issues. Most staff aren't even really aware they aren't using Microsoft Office anymore -- which is unfortunate really, because it's not doing OO much good if people don't even know they are using it.

    I've also recommended OO to many home users. For the most part they are happy with it, and it works well enough that they actually prefer the "legality" of it even if it's not 100% what they are used to.

  • by umkhhh ( 971224 ) on Sunday July 23, 2006 @05:36AM (#15765389)
    I would not worry - if OpenOffice gets more popular it will get its share of abuse and fixes too.

    Having said that - part of MS problem is systematic: its closed (as opposed to open) design nature is slowing down debugging and more importantly its close relationship with OS is proving fatal to security. OO does not have that.

  • Quite right (Score:5, Interesting)

    by kahei ( 466208 ) on Sunday July 23, 2006 @06:41AM (#15765461) Homepage

    Absolutely. As soon as OO implements a large enough subset of Office features, I'll be all over that.

    Until then, as long as there's a need to embed documents, to use a powerful macro language that communicates with the OS and other software, to have data update in real time, to interop with business logic that depends on DDE or XLLs, or to do any of the million other essential things that Excel (in particular) does and OO does not, it's "Hello, Clippy!"

    Actually, though, I do have some questions for those who might take a more optimistic view than me:

    1 -- maths formulae created in OO don't seem to work in Word. Is that OO's fault or Word's?
    2 -- Bloomberg's DDE system seems not to work with OO (not that it's particularly efficient in Excel either). Is that OO's fault or Bloomberg's?

  • Re:OpenOffice (Score:2, Interesting)

    by Tomfrh ( 719891 ) on Sunday July 23, 2006 @08:00AM (#15765553)
    I don't want to switch because OO messes up the formatting of many of my existing Word documents. That's my only reason for not wanting to switch.

    I'm sure this problem will go away sooner or later but until then it's just so much easier to use Word instead of Writer.
  • by Futurepower(R) ( 558542 ) on Sunday July 23, 2006 @08:15AM (#15765576) Homepage
    It seems amazing to me that there are so many very critical flaws in Microsoft products. If someone else can find the flaws, why didn't Microsoft?

    I've heard that Microsoft is managed in such a way that programmers don't have time to finish their work. I know that Microsoft makes more money if there are more flaws, because users can be expected to upgrade.

    However, it seems that there are too many bugs for that to be the whole explanation.

    So, why, year after year, has Microsoft been at the top of the vulnerabilities list? I don't accept the argument that "software is complex, and always has bugs." There are people [openbsd.org] who know how to write complex software that is secure. Microsoft could certainly hire such people. If the company wanted to have software that was relatively free of vulnerabilities, it could.

    The argument that Microsoft vulnerabilities get more attention doesn't seem adequate to me to explain the huge number of very severe bugs.

    But, what is the explanation?
  • Re:Academic Problems (Score:3, Interesting)

    by KwKSilver ( 857599 ) on Sunday July 23, 2006 @08:37AM (#15765615)
    Word Perfect has been doing footnotes, endnotes, citations etc. very well since version 6 for DOS. Very well. As far as citations go, I created a file with alphabetized, formatted references cited 15 years ago & just add new stuff to it. It is currently in the vicinity of 100 pages long.

    As far as PowerPoint goes, I put together my last presentation in the OO clone & exported it as a .ppt file. No real problems other than my own unfamiliarity with such routines. I really prefer a slide projector... and careful preparation over glitz.
  • Re:OpenOffice (Score:3, Interesting)

    by bigman2003 ( 671309 ) on Sunday July 23, 2006 @09:36AM (#15765725) Homepage
    I've had tech support calls that consisted of somebody dragging the menu around in IE so that the "back" button had moved! (which underscores perhaps the most worthless feature MS has ever put out - the movable menu. Who ever wants to change that?)

    Well, you're getting Office help calls, so I'll assume you are not a developer.

    You would be amazed at the 'requirements' that a lot of users have, and the features that they MUST use. I write software for a primarily academic crowd. Each person (PhD) just needs to have the system work the way they want it to work. Because as you said, to them it is just a black box. If things don't look right, they can't figure it out.

    After sitting in meetings where 4 people have 4 opinions on where a menu should be, eventually the only answer is to make the location an option, make it moveable.

    This shit happens all the time.
  • by r00t ( 33219 ) on Sunday July 23, 2006 @11:34AM (#15766000) Journal
    Suggesting Office is pretty bad, but you do have some semi-legitimate reasons.
    A bit of optimism is called for.

    Suggesting IE is pure evil. You're needlessly putting critical data at risk.
  • Re:OpenOffice (Score:2, Interesting)

    by vux984 ( 928602 ) on Sunday July 23, 2006 @02:37PM (#15766471)
    And do you think issuing edicts ex cathedra on what your user base really needs, without careful evaluation, is the best way to serve their long term interests?

    What makes you think there wasn't careful evaluation?

    Congrats on having run across so many low-tech businesses where WordPad suffices for 90 % of users. However, I'd suggest you avoid hitching your wagon to them: the ratio and level of knowledge workers in most Western industries can only increase, and for them WordPad and its ilk quickly becomes a straitjacket.

    I'm not talking "knowledge workers in cubicles collaborating on documents". Maybe they -do- need office. Maybe there is a business case for them having office. In MANY cases there is, I work with companies on MS-Office that I wouldn't recommend switch.

    The 90% of workers I referred to worked for a company that was a chain of retail stores. Those workers were retail sales people. They had into the hundreds of computers, 3+ per store, each with office so staff who spent 90% of their time in the POS application could do their timesheets once a week. Along with a handful of word templates for misc correspondence -- fax cover letter, PO for office supplies, etc.

    I think you underestimate the number of people using Office like this. These aren't "knowledge workers" creating and collaborating on documents. These are people like travel agents, insurance salesmen, car salesmen, fast food restaurant managers, retail stores, mechanics, plumbers, etc, etc. They use office to write the odd letter, fill out forms/templates sent down from a head office, and so on. That's it.

    As for being "wary of hitching my wagon to them", what's there to be wary of? You think the girl selling you pants is going to be outsourced to India? Or perhaps you think she'll be collaborating on a team document after she rings up your sale?