Holes in PowerPoint and Excel 277
jeffy124 writes: "Looks like it's time for IIS and Outlook to make room on the pedestal of security holes. Just about every recent version of PowerPoint and Excel are vulnerable to being taken over to control the system remotely. The hole is a macro-related, as it's possible to bypass asking the user if they'd like a macro to run. Microsoft's advisory can be found here."
Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?
it was inevitable (Score:1, Insightful)
One more hole (Score:4, Insightful)
One exploit serves all
Opening Microsoft File Formats (Score:1, Insightful)
So what? (Score:5, Insightful)
These things first appeared in 1996 or so. Word.Concept or what was it called. Microsoft responded by disabling the AutoLoad macro (or whatever it's called). Now somebody found a new way to make Excel/etc. execute stuff when loading a file. Big deal.
I wonder why virus writes bother at all. They can just put a button labeled "Click here" on the page, and 95% of the lusers will click it. The only defense against that is just disabling all macro support. And everybody knows that isn't going to happen.
Re:Macros and scripting (Score:2, Insightful)
powerpoint (Score:2, Insightful)
More than Word or Excel, Powerpoint is the killer app for office. Once Linux makes up something as tidy, fast and easy to use, corporate acceptance will go through the roof, just BECAUSE suits like to spend time playing with their slides.
Re:Macros and scripting (Score:4, Insightful)
It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.
On Unix, lots of applications have extremely powerfull scripting languages. Just think about the stuff you can do with Emacs (elisp) and the Gimp (which uses guile, a full Scheme interpreter). But the user has to explicitly install them. They aren't hidden away in some document.
Gerenal security bug rant (Score:3, Insightful)
The 'job security' aspect comes in because *someone* has to go around and patch every machine. *Someone* has to go round and install/test new virus software. I think it's past being 'common knowledge' that *by default* most MS products install themselves pretty insecurely. So someone has to learn about how to lock down those products - then actually do it. It's job security, choosing products which you KNOW will require you to always be updating them.
Yeah, I'm a bit overly cynical about this. I've met some people who really just think this is how computers are supposed to be - you're always playing 'catch up' to virus writers. The concept of prevention to them is installing the latest 'Norton' utility. Proactively analyzing the systems they have for potential vulnerabilities (turn off scripting on machines that don't need it, etc) just doesn't occur to them.
I'll be the first to admit that StarOffice/OpenOffice have not been up to snuff in the past, and even the current versions may not be up to snuff for everyone, but they're getting better. SO6 and the next OO may in fact be solid enough to let *many* in an organization use those as their primary or only Office applications, and let the few people that need the MS-specific features keep using MS Office. Yes, there'd be some relearning costs - figure that gets covered by the savings in upgrade licensing for those people.
Re:Suits? No. Teachers? Yes. (Score:3, Insightful)
rules was not to use slides at all
unless you really need them.
You simply don't need a slide that says we sold
100 000 units if you can just tell them.
Powerpoint - like a lot of modern software -
reverses this rule by making th euser subordinate to
the software.
Re:OpenOffice.org (Score:3, Insightful)
What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?
I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)
Re:StarOffice NOW. (Score:2, Insightful)
Re:OpenOffice.org (Score:2, Insightful)
I haven't evaluated scripting in OpenOffice though, can someone comment on the possibility for malicious code being run there at all?
Re:Macros and scripting (Score:5, Insightful)
Actually, Emacs mixes data and code in the same way. Check the File Variables section in the info system, and in particular the enable-local-eval variable. Basically, you can set buffer local variables by embedding the commands for this at the end of the file. One of these variables is 'eval' :-). Thus spake RMS:
In this sense Emacs is just as guilty as Microsoft Office. Just because it's Free doesn't mean it is without security free. (But the fact that the average person using Emacs is more clued in than you Power Point suit, does help...)
Sun Problem (Score:1, Insightful)
Obviously... (Score:5, Insightful)
Is this piece of news interesting? (Score:2, Insightful)
Re:OpenOffice.org (Score:2, Insightful)
OK, that's fair -- I suppose the corporate machine is typically slower at responding to a bug than the free software community. (Though, if you read bugtraq, you'll know that there have frequently been cases of much longer delays in commercial and free software alike!)
However, I think a better metric than how quickly things are patched is the number of holes in the default install. Most users don't install patches, anyway, so this is what really matters for them.
Re:So, what do you use for presentations? (Score:5, Insightful)
Come on, Powerpoint is the de facto standard.. Don't expect millions of business users to jump through hoops just because 'M$ sux0rs'
Unfortunatly, you ahave a point. Apparently, the billions of dollars wasted on cleanup after the MS exploit of the day haven't convinced enough people.
Perhaps macro viruses need to touch on corperate hotbutton issues in order for the suits to start thinking.
Perhaps the sexual harassment virus. You get it and it starts sending sexually harrasing email to your coworkers. If done well, the courts could be tied up for decades.
The IP virus, looks for documents containing trade secrets, and quietly posts them to random usenet groups.
Porn virus: Quietly downloads porn into your browser cache. Bonus points if the porn is illegal where you live.
Carnivore virus. Sends suspicious emails to the targets of FBI investigations.
Rootkit virus: Deploys a rootkit from your machine against a bank or government website. Instant felony.
Please note! I don't condone any of these, I just recognise that so far the holes in MS products have been used primarily for childish pranks rather than for real damage.
The least MS could do is at least TRY to limit the damage by putting macros in some sort of sandbox.
Re:Star Office + linux (Score:1, Insightful)
This was true like over a year ago. Now Redhat installs with a firewall (denying all incomming connections by default), and many of the servers that are installed need to be activated manually. The result is that redhat is now has one of the most secure default installs of Linux out there.
Source of Lax Security (Score:3, Insightful)
I have done infosec in both a large funding-limited US government agency, and a well-funded network-savvy corporation. I'd like to suggest different reason lax security exists: funding.
In both cases, I saw that the IT support infrastructure (sysadmins, architects, desktop support, etc) were underfunded compared to the amount of new tasks and upkeep they were presented. These folks worked tirelessly just to keep their heads above the workflow. Security often added additional effort / steps / work to their already overwhelming load.
In the Gov't environment, this meant security practices were often ignored. Security was considered an additional effort, and the IT groups were not funded for it. Furthermore, there were few security experts (again - they were not funded for and rarely sought out). Often IT workers were oblivious to security practices to begin with.
In the well-funded corporate environment, implementing security practices involves a great deal of fighting and compromise. There was a well-funded infosec group who championed good security practices. However, the actual admin groups (who were otherwise excellent admins) were rarely knowledgable (or focused) on security issues. Their focus was simply to get things working. Thus, sometimes good security practices went in to place... sometimes security practices were compromised away... sometimes security practices were completely ignored.
It might be worth making another observation. I used to believe good security practices are just a part of being a good admin. I've changed my mind. It is a sign of an exceptional admin. A good unserstanding of infosec issues requires additional training and understanding that goes beyond the usual realm of administration. Infosec is a specialized skill. As such, those with knowledgeable admins should count themselves lucky. Most organizations will need to hire (or contract) infosec specialists who's focus is on secure (and workable - that's sometimes a tough tradeoff) implementations.
Re:Scripting and office suites (Score:3, Insightful)
--
Evan
Re:Suits? No. Teachers? Yes. (Score:2, Insightful)
> I did a presentation skills course. One of the rules was not to use slides at all unless you really need them. You simply don't need a slide that says we sold 100 000 units if you can just tell them.
I disagree. Some people absorb what they hear better than they absorb what they see, but for others it is just the opposite.
> Powerpoint - like a lot of modern software - reverses this rule by making the user subordinate to the software.
Yes. In particular, PP tempts presenters to add piles of useless and distracting bells and whistles to their presentations, with the result that the audience's comprehension goes down.
Comes to mind the story from last(?) year, where the Pentagon cracked down on presentations because all the audio files for machinegun fire in the background of PP presentations was eating up all their disk space. I have difficulty imagining any presentation that would be helped by the sound of machinegun fire.
However, the problem is not so much PowerPoint, but rather the stupidity of the average PP user.
Ummm... yeah (Score:2, Insightful)
As for the lack of linux articles, i think i disagree [slashdot.org].
Re:Must be a slow news day... (Score:2, Insightful)
Microsoft attempting to do something about it: news.
Microsoft fixing vulnerability in old versions: would really be news.
Yes. StarOffice NOW. (Score:3, Insightful)
Why exactly isn't this on the CDs of every distro, too? This should be there, as well as Mozilla.
Those two programs probably make Linux more desktop-worthy than any others, at least for people coming from a Windows environment.
If you're not really familiar with them, I wrote some pages on the subject - click my sig.
Cheers,
Jim in Tokyo
Job security, overload, and the scope of the prob. (Score:2, Insightful)
It's a good idea to run things as Least Priviledge, where a process only has enough rights on the system to do what it needs to, and nothing more. The downside to this is that you have to understand everything the application does. That takes a lot of time and effort, and how often in your average-sized business is there a computer geek on staff who has the time to devote to figuring out how to install the app with just enough priviledges so it will run, but not so many that it is a security risk? Seriously, how much time does something like this take?
I know it took me years of thinking about it to understand the guts of Windows 9x, and understand and appreciate how it worked so I could get it to do what I wanted it to. Not because I'm not smart enough to figure it out, but just because there was so much other stuff going on that was urgently needed that I didn't have the time to sit down and figure it out. Gradually, bit by bit, I did figure it out. Not just what the software does, but how it works, why it does what it does, what the implications are for configuring it in a certain way and then deciding how to implement it. A similar scenario was encountered with Windows NT and 2000. Just in time for the Windows XP system to come along, with a new set of rules.
There is a hideous amount of complexity involved with these operating systems, each with their own quirks and behaviors, and understanding everything well enough to be able to dig around in the guts and know what's going on and know how to lock it down is way more than one person can comfortably do if they are doing anything else on the job.
I don't believe there is any magic bullet solution to this, either. There are common practices and techniques that help with securing your network, but there is no lock-n-load solution. We have found tools that help us along the way, but they only help to implement the strategy - they are not the strategy themselves.
It's easy to blame Microsoft, because everyone is running their software. That's their own fault - they've monopolized the marketplace such that everyone uses the same platform. Consequently pretty much everyone is vulnerable to the exact same set of vulnerabilities. Any other common platform will likely have vulnerabilities that can be exploited. I'm not convinced that there isn't a code-red like vulnerability out there for Apache, but Microsoft has been targetted. (On the other hand, it's clear that there are significant problems inside IIS, and as a manager I wonder if they shouldn't dump the source code and start from scratch with better coding practices.) I can recall that Apache *did* have a number of exploits a number of years ago, but many of these have been dealt with in the intervening years.
In any case, I don't think it's either carelessness or incompetence, but marketing. Software under Windows tends to be devastatingly easy to install (compared to Linux, Unix, NetWare and other environments). Mac may be easier. But, just because the software installs easily, does not mean it installs securely. Currently, ease-of-use, ease-to-install and security are at odds with each other.
The argument has been made to get applications to install with least priviledge by default. It's a good design goal, but I wonder if application developers will ever have that as a fundamental design goal for their software. Usually it's a major accomplishment when the silly thing compiles!
Service Pack (Score:3, Insightful)
I don't think it was planned.   I think they rush to market on every release.   I believe it to be the company's modus operandi - get it out the door, fix the problems in a Service Pack.
Service Pack.   There's an awesome piece of marketing.   Microsoft calls 'patches' 'Service Packs' and averts contaminating the perception of The Product.   A patch is something you apply to something that's broken.   A 'Service Pack' is like getting something extra.   Genius.
It all seems so obvious.   Microsoft wanted to offer complete connectivity between products.   And they did.   And they rushed it to market without realizing how all this inter-process functionality could be exploited.   I'm sure it was the furthest thing from their minds - "Why would anyone want to use The Product to do anything bad?   We're just trying to provide solutions.  Why the hell are people using our 'Solutions' to cause problems?"
Spoing!
MjM
Re:OpenOffice.org (Score:3, Insightful)
There are two aspects here. First, while you are right that other groups also have written buggy and insecure software, Microsoft's record is particularly abysmal. Most of the big holes in free software were found early on, at the time the internet just started booming and noone had experience with security. We may not yet be perfect, but we have been learning a lot.
The second aspect is even more important. A monoculture is always more suspectible to attack than a diverse ecosystem. If we use more different tools, we will survive viruses and worms a lot better. Consider Code Red: If it hit a host with Apache, it did not use this host for further propagation. Not only did the server stay up, the spread of the virus also slowed down.
So having many different (but preferable interoperable) software systems is inherently beneficial. And yes, this applies to BIND just as well as to Microsoft.