Holes in PowerPoint and Excel

jeffy124 writes: "Looks like it's time for IIS and Outlook to make room on the pedestal of security holes. Just about every recent version of PowerPoint and Excel is vulnerable to being taken over to control the system remotely. The hole is macro-related, as it's possible to bypass asking the user if they'd like a macro to run. Microsoft's advisory can be found here." Funny. I always thought that PowerPoint was already at least as destructive as macro viruses to corporate productivity. You ever watch a suit fiddle with his presentation?

  • it was inevitable (Score:1, Insightful)

    by Anonymous Coward on Sunday October 07, 2001 @04:21PM (#2398926)
    I would expect nothing less from Microsoft. A secure program never gets released because you might never need to upgrade, and you won't need patches. In fact, I wonder if they maybe don't actually make sure that stuff isn't totally secure and bug free.
  • One more hole (Score:4, Insightful)

    by entrox ( 266621 ) <slashdot@ent r o x . o rg> on Sunday October 07, 2001 @04:22PM (#2398935) Homepage
    Is this really a surprise? I was under the impression, that all macro-enabled applications under windows (office suite) shared such vulnerabilities, because they most probably use the same scripting engine.

    One exploit serves all ;)
  • by Anonymous Coward on Sunday October 07, 2001 @04:23PM (#2398942)
    How can the free software community ask Microsoft to open up their file formats, when they don't even know them well enough themselves to properly scan for macros?
  • So what? (Score:5, Insightful)

    by reynaert ( 264437 ) on Sunday October 07, 2001 @04:32PM (#2399011)

    These things first appeared in 1996 or so. Word.Concept or what was it called. Microsoft responded by disabling the AutoLoad macro (or whatever it's called). Now somebody found a new way to make Excel/etc. execute stuff when loading a file. Big deal.

    I wonder why virus writers bother at all. They can just put a button labeled "Click here" on the page, and 95% of the lusers will click it. The only defense against that is just disabling all macro support. And everybody knows that isn't going to happen.

  • by entrox ( 266621 ) <slashdot@ent r o x . o rg> on Sunday October 07, 2001 @04:33PM (#2399022) Homepage
    Macros and scripting are a very useful thing. I wouldn't want to miss them. The only thing which Microsoft should avoid is letting simple documents contain (pot. dangerous) macros. They should be cleanly separated. This would eliminate most of the recent macro attacks.
  • powerpoint (Score:2, Insightful)

    by LazyDawg ( 519783 ) <lazydawg AT hotmail DOT com> on Sunday October 07, 2001 @04:40PM (#2399064) Homepage
    Powerpoint is about the only part of Microsoft Office worth keeping around. It used to be a mac app made by a third party, and for making up posters on Windows with a shoestring budget, you can't top it.

    More than Word or Excel, Powerpoint is the killer app for office. Once Linux makes up something as tidy, fast and easy to use, corporate acceptance will go through the roof, just BECAUSE suits like to spend time playing with their slides.
  • by reynaert ( 264437 ) on Sunday October 07, 2001 @04:42PM (#2399069)

    It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

    On Unix, lots of applications have extremely powerful scripting languages. Just think about the stuff you can do with Emacs (elisp) and the Gimp (which uses guile, a full Scheme interpreter). But the user has to explicitly install them. They aren't hidden away in some document.

  • by mgkimsal2 ( 200677 ) on Sunday October 07, 2001 @04:45PM (#2399086) Homepage
    Others have said it in the past, and I'm starting to believe it more myself. I really think that many at large companies use default installs of Office as job security. No one can blame them entirely if there's a problem - after all, the IT guys themselves didn't write the viruses. Failing to keep up with patches released months earlier can be cause for problems, but if a virus just came out recently, or there's just no patch for it, then "It's not my fault!" is a very valid point.

    The 'job security' aspect comes in because *someone* has to go around and patch every machine. *Someone* has to go round and install/test new virus software. I think it's past being 'common knowledge' that *by default* most MS products install themselves pretty insecurely. So someone has to learn about how to lock down those products - then actually do it. It's job security, choosing products which you KNOW will require you to always be updating them.

    Yeah, I'm a bit overly cynical about this. I've met some people who really just think this is how computers are supposed to be - you're always playing 'catch up' to virus writers. The concept of prevention to them is installing the latest 'Norton' utility. Proactively analyzing the systems they have for potential vulnerabilities (turn off scripting on machines that don't need it, etc) just doesn't occur to them.

    I'll be the first to admit that StarOffice/OpenOffice have not been up to snuff in the past, and even the current versions may not be up to snuff for everyone, but they're getting better. SO6 and the next OO may in fact be solid enough to let *many* in an organization use those as their primary or only Office applications, and let the few people that need the MS-specific features keep using MS Office. Yes, there'd be some relearning costs - figure that gets covered by the savings in upgrade licensing for those people.
  • by luckykaa ( 134517 ) on Sunday October 07, 2001 @04:51PM (#2399121)
    I did a presentation skills course. One of the rules was not to use slides at all unless you really need them. You simply don't need a slide that says we sold 100 000 units if you can just tell them.

    Powerpoint - like a lot of modern software - reverses this rule by making the user subordinate to the software.
  • Re:OpenOffice.org (Score:3, Insightful)

    by Tom7 ( 102298 ) on Sunday October 07, 2001 @04:53PM (#2399138) Homepage Journal

    What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

    I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

  • Re:StarOffice NOW. (Score:2, Insightful)

    by snoozerdss ( 303165 ) on Sunday October 07, 2001 @04:54PM (#2399146) Homepage
    I'd much rather have Sun wait until StarOffice is a finished product rather than releasing it now while it is unfinished just to grab some M$ Office users.
  • Re:OpenOffice.org (Score:2, Insightful)

    by Troed ( 102527 ) on Sunday October 07, 2001 @04:58PM (#2399173) Homepage Journal
    Microsoft sat on this fix for two months - does the opensource community do the same?

    I haven't evaluated scripting in OpenOffice though, can someone comment on the possibility for malicious code being run there at all?

  • by cybaea ( 79975 ) <allane@cybNETBSDaea.com minus bsd> on Sunday October 07, 2001 @04:58PM (#2399174) Homepage Journal
    It isn't the scripting per se. It's the fact that the scripts are actually stored in the document files. In other words, they mix data and code.

    On Unix, lots of applications have extremely powerful scripting languages. Just think about the stuff you can do with Emacs (elisp)...

    Actually, Emacs mixes data and code in the same way. Check the File Variables section in the info system, and in particular the enable-local-eval variable. Basically, you can set buffer local variables by embedding the commands for this at the end of the file. One of these variables is 'eval' :-). Thus spake RMS:

    The `eval' "variable," and certain actual variables, create a special risk; when you visit someone else's file, local variable specifications for these could affect your Emacs in arbitrary ways. Therefore, the option `enable-local-eval' controls whether Emacs processes `eval' variables, as well as variables with names that end in `-hook', `-hooks', `-function' or `-functions', and certain other variables. The three possibilities for the option's value are `t', `nil', and anything else, just as for `enable-local-variables'. The default is `maybe', which is neither `t' nor `nil', so normally Emacs does ask for confirmation about file settings for these variables.

    In this sense Emacs is just as guilty as Microsoft Office. Just because it's Free doesn't mean it is without security free. (But the fact that the average person using Emacs is more clued in than your Power Point suit, does help...)
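
The file-variables mechanism quoted in the comment above, as an added example that is not part of the original thread: a Python scanner that flags files carrying `eval` or `-hook`/`-function` file-local specifications before anyone opens them. The parser is a simplified model of the Emacs format (the first-line `-*- ... -*-` form and a trailing `Local Variables:` block); the function names, the 3000-character tail window and the sample files are assumptions constructed for illustration.

```python
import re

# Constructed sample files (not from the thread) used to exercise the scanner.
SAMPLE_BENIGN = "notes\n\n# Local Variables:\n# fill-column: 72\n# End:\n"
SAMPLE_BLOCK = (
    ";; settings\n(setq x 1)\n"
    ";; Local Variables:\n"
    ';; eval: (message "hello")\n'
    ";; after-save-hook: (lambda () nil)\n"
    ";; End:\n"
)
SAMPLE_FIRST_LINE = '# -*- mode: text; eval: (message "hi") -*-\nbody\n'

# Names the quoted manual text singles out: `eval`, and anything ending in
# -hook, -hooks, -function or -functions.
RISKY = re.compile(r"^(eval|.*-(hooks?|functions?))$")
FIRST_LINE = re.compile(r"-\*-(.*?)-\*-")
MARKER = "local variables:"
TAIL_WINDOW = 3000  # assumed search window at the end of the file


def _first_line_vars(text):
    """Yield (name, value) from a `-*- name: value; ... -*-` header line."""
    lines = text.splitlines()[:2]
    # The second line only counts when the first is an interpreter (#!) line.
    if len(lines) == 2 and not lines[0].startswith("#!"):
        lines = lines[:1]
    for line in lines:
        m = FIRST_LINE.search(line)
        if not m:
            continue
        # Simplification: values containing ';' are not handled.
        for item in m.group(1).split(";"):
            name, sep, value = item.partition(":")
            if sep:
                yield name.strip(), value.strip()


def _block_vars(text):
    """Yield (name, value) from the last `Local Variables:` ... `End:` block."""
    lines = text[-TAIL_WINDOW:].splitlines()
    starts = [i for i, l in enumerate(lines) if MARKER in l.lower()]
    if not starts:
        return
    head = lines[starts[-1]]
    idx = head.lower().find(MARKER)
    # Every line of the block repeats the comment prefix/suffix of the header.
    prefix = head[:idx].strip()
    suffix = head[idx + len(MARKER):].strip()
    for line in lines[starts[-1] + 1:]:
        s = line.strip()
        if not s.startswith(prefix):
            break
        s = s[len(prefix):]
        if suffix:
            if not s.endswith(suffix):
                break
            s = s[:-len(suffix)]
        s = s.strip()
        if s.lower() == "end:":
            break
        name, sep, value = s.partition(":")
        if sep:
            yield name.strip(), value.strip()


def risky_file_locals(text):
    """Return [(name, value), ...] for specifications that can run code."""
    specs = list(_first_line_vars(text)) + list(_block_vars(text))
    return [(n, v) for n, v in specs if RISKY.match(n.lower())]


if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("block", SAMPLE_BLOCK),
                          ("first-line", SAMPLE_FIRST_LINE)]:
        print(label, risky_file_locals(sample))
```
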

  • Sun Problem (Score:1, Insightful)

    by Anonymous Coward on Sunday October 07, 2001 @05:02PM (#2399195)
    There's a fairly serious new exploit against Solaris machines. Read about it at SecurityFocus.Com (been there since Oct 4). Why do these never get reported here?
  • Obviously... (Score:5, Insightful)

    by Balinares ( 316703 ) on Sunday October 07, 2001 @05:03PM (#2399200)
    You know, I think that if the former versions aren't vulnerable, they're not gonna tell you. They just can't take the risk to have people want to revert to older versions on the basis that they "work better", not when their business relies so much on people upgrading over and over...
  • by Ipsilon ( 214211 ) on Sunday October 07, 2001 @05:06PM (#2399218) Homepage
    All of us DO know that Micro$oft's programs are full of bugs and security holes, but I don't think we should post every security hole on slashdot. Everyone knows that M$ sucks, but please: don't post more stuff like this and concentrate on improving whatever is your open source operating system (Linux, FreeBSD, NetBSD, OpenBSD, etc.) because they have security holes too.
  • Re:OpenOffice.org (Score:2, Insightful)

    by Tom7 ( 102298 ) on Sunday October 07, 2001 @05:06PM (#2399220) Homepage Journal

    OK, that's fair -- I suppose the corporate machine is typically slower at responding to a bug than the free software community. (Though, if you read bugtraq, you'll know that there have frequently been cases of much longer delays in commercial and free software alike!)

    However, I think a better metric than how quickly things are patched is the number of holes in the default install. Most users don't install patches, anyway, so this is what really matters for them.
  • by sjames ( 1099 ) on Sunday October 07, 2001 @05:08PM (#2399230) Homepage Journal

    Come on, Powerpoint is the de facto standard.. Don't expect millions of business users to jump through hoops just because 'M$ sux0rs'

    Unfortunately, you have a point. Apparently, the billions of dollars wasted on cleanup after the MS exploit of the day haven't convinced enough people.

    Perhaps macro viruses need to touch on corporate hotbutton issues in order for the suits to start thinking.

    Perhaps the sexual harassment virus. You get it and it starts sending sexually harassing email to your coworkers. If done well, the courts could be tied up for decades.

    The IP virus, looks for documents containing trade secrets, and quietly posts them to random usenet groups.

    Porn virus: Quietly downloads porn into your browser cache. Bonus points if the porn is illegal where you live.

    Carnivore virus. Sends suspicious emails to the targets of FBI investigations.

    Rootkit virus: Deploys a rootkit from your machine against a bank or government website. Instant felony.

    Please note! I don't condone any of these, I just recognise that so far the holes in MS products have been used primarily for childish pranks rather than for real damage.

    The least MS could do is at least TRY to limit the damage by putting macros in some sort of sandbox.

  • by Anonymous Coward on Sunday October 07, 2001 @05:31PM (#2399363)
    I'll have to burst your bubble..

    This was true like over a year ago. Now Redhat installs with a firewall (denying all incoming connections by default), and many of the servers that are installed need to be activated manually. The result is that redhat now has one of the most secure default installs of Linux out there.

  • by _Sprocket_ ( 42527 ) on Sunday October 07, 2001 @05:56PM (#2399488)

    I really think that many at large companies use default installs of Office as job security.

    I have done infosec in both a large funding-limited US government agency, and a well-funded network-savvy corporation. I'd like to suggest a different reason lax security exists: funding.

    In both cases, I saw that the IT support infrastructure (sysadmins, architects, desktop support, etc) were underfunded compared to the amount of new tasks and upkeep they were presented. These folks worked tirelessly just to keep their heads above the workflow. Security often added additional effort / steps / work to their already overwhelming load.

    In the Gov't environment, this meant security practices were often ignored. Security was considered an additional effort, and the IT groups were not funded for it. Furthermore, there were few security experts (again - they were not funded for and rarely sought out). Often IT workers were oblivious to security practices to begin with.

    In the well-funded corporate environment, implementing security practices involves a great deal of fighting and compromise. There was a well-funded infosec group who championed good security practices. However, the actual admin groups (who were otherwise excellent admins) were rarely knowledgeable (or focused) on security issues. Their focus was simply to get things working. Thus, sometimes good security practices went in to place... sometimes security practices were compromised away... sometimes security practices were completely ignored.

    It might be worth making another observation. I used to believe good security practices are just a part of being a good admin. I've changed my mind. It is a sign of an exceptional admin. A good understanding of infosec issues requires additional training and understanding that goes beyond the usual realm of administration. Infosec is a specialized skill. As such, those with knowledgeable admins should count themselves lucky. Most organizations will need to hire (or contract) infosec specialists whose focus is on secure (and workable - that's sometimes a tough tradeoff) implementations.

  • by JabberWokky ( 19442 ) <slashdot.com@timewarp.org> on Sunday October 07, 2001 @06:11PM (#2399553) Homepage Journal
    KOffice uses external scripting rather than internal scripting - that is to say, the document contains no scripting information, but is a valid XML document, and the application has hooks for external programs to script internally. The concept is that any language, perl, python, ruby, C, C++, etc, can then access the document inside the KPart (and any embedded document inside that, or embed the document into itself). As far as this conversation goes, this flips the security problem back into the "open" - you're responsible for the applications you run, and they just all talk back and forth, there is no document based scripting as of now.


  • by Black Parrot ( 19622 ) on Sunday October 07, 2001 @06:17PM (#2399581)

    > I did a presentation skills course. One of the rules was not to use slides at all unless you really need them. You simply don't need a slide that says we sold 100 000 units if you can just tell them.

    I disagree. Some people absorb what they hear better than they absorb what they see, but for others it is just the opposite.

    > Powerpoint - like a lot of modern software - reverses this rule by making the user subordinate to the software.

    Yes. In particular, PP tempts presenters to add piles of useless and distracting bells and whistles to their presentations, with the result that the audience's comprehension goes down.

    Comes to mind the story from last(?) year, where the Pentagon cracked down on presentations because all the audio files for machinegun fire in the background of PP presentations were eating up all their disk space. I have difficulty imagining any presentation that would be helped by the sound of machinegun fire.

    However, the problem is not so much PowerPoint, but rather the stupidity of the average PP user.
  • Ummm... yeah (Score:2, Insightful)

    by mickeyreznor ( 320351 ) on Sunday October 07, 2001 @06:21PM (#2399600) Homepage Journal
    Ever think that this article might be useful for those readers on /. who use windows that don't have the time to sift through microsoft press releases, or other news sites. Sure, lots of MS bashing results from articles like this, but some people will actually get informed and will download the necessary patches because of it.

    As for the lack of linux articles, i think i disagree [slashdot.org].
  • by Tony-A ( 29931 ) on Sunday October 07, 2001 @07:19PM (#2399846)
    Vulnerability: not news.
    Microsoft attempting to do something about it: news.
    Microsoft fixing vulnerability in old versions: would really be news.
  • by wirefarm ( 18470 ) <`jim' `at' `mmdc.net'> on Sunday October 07, 2001 @10:15PM (#2400431) Homepage
    Sun should be shipping this puppy AOL-style - Glue it in the back of every computer magazine out there. Load up the Windows version and the Linux version on the CD and pump them out into the hands of the public. For now, even the latest betas - they seem rock solid - plus, I'm sure people wouldn't mind updating in a few months, if they need.
    Why exactly isn't this on the CDs of every distro, too? This should be there, as well as Mozilla.
    Those two programs probably make Linux more desktop-worthy than any others, at least for people coming from a Windows environment.
    If you're not really familiar with them, I wrote some pages on the subject - click my sig.
    Jim in Tokyo
  • One of the sources of insecurity is the fact that many of these programs run at the same security level. The security model in Windows NT is a pretty good one, but how useful is the system if you run as a normal user? How many of us run with Administrative privileges on the system? How much work is it to set up a new application to work as its own user and then communicate with other applications running as services, authenticated as other users? It's not simple, because many applications seem to assume that they have the right to run as Administrator.

    It's a good idea to run things as Least Privilege, where a process only has enough rights on the system to do what it needs to, and nothing more. The downside to this is that you have to understand everything the application does. That takes a lot of time and effort, and how often in your average-sized business is there a computer geek on staff who has the time to devote to figuring out how to install the app with just enough privileges so it will run, but not so many that it is a security risk? Seriously, how much time does something like this take?

    I know it took me years of thinking about it to understand the guts of Windows 9x, and understand and appreciate how it worked so I could get it to do what I wanted it to. Not because I'm not smart enough to figure it out, but just because there was so much other stuff going on that was urgently needed that I didn't have the time to sit down and figure it out. Gradually, bit by bit, I did figure it out. Not just what the software does, but how it works, why it does what it does, what the implications are for configuring it in a certain way and then deciding how to implement it. A similar scenario was encountered with Windows NT and 2000. Just in time for the Windows XP system to come along, with a new set of rules.

    There is a hideous amount of complexity involved with these operating systems, each with their own quirks and behaviors, and understanding everything well enough to be able to dig around in the guts and know what's going on and know how to lock it down is way more than one person can comfortably do if they are doing anything else on the job.

    I don't believe there is any magic bullet solution to this, either. There are common practices and techniques that help with securing your network, but there is no lock-n-load solution. We have found tools that help us along the way, but they only help to implement the strategy - they are not the strategy themselves.

    It's easy to blame Microsoft, because everyone is running their software. That's their own fault - they've monopolized the marketplace such that everyone uses the same platform. Consequently pretty much everyone is vulnerable to the exact same set of vulnerabilities. Any other common platform will likely have vulnerabilities that can be exploited. I'm not convinced that there isn't a code-red like vulnerability out there for Apache, but Microsoft has been targeted. (On the other hand, it's clear that there are significant problems inside IIS, and as a manager I wonder if they shouldn't dump the source code and start from scratch with better coding practices.) I can recall that Apache *did* have a number of exploits a number of years ago, but many of these have been dealt with in the intervening years.

    In any case, I don't think it's either carelessness or incompetence, but marketing. Software under Windows tends to be devastatingly easy to install (compared to Linux, Unix, NetWare and other environments). Mac may be easier. But, just because the software installs easily, does not mean it installs securely. Currently, ease-of-use, ease-to-install and security are at odds with each other.

    The argument has been made to get applications to install with least privilege by default. It's a good design goal, but I wonder if application developers will ever have that as a fundamental design goal for their software. Usually it's a major accomplishment when the silly thing compiles!
  • Service Pack (Score:3, Insightful)

    by carrier lost ( 222597 ) on Monday October 08, 2001 @02:42AM (#2401007) Homepage
    How is it advantageous to Microsoft to get people to download free patches?

    I don't think it was planned. I think they rush to market on every release. I believe it to be the company's modus operandi - get it out the door, fix the problems in a Service Pack.

    Service Pack. There's an awesome piece of marketing. Microsoft calls 'patches' 'Service Packs' and averts contaminating the perception of The Product. A patch is something you apply to something that's broken. A 'Service Pack' is like getting something extra. Genius.

    It all seems so obvious. Microsoft wanted to offer complete connectivity between products. And they did. And they rushed it to market without realizing how all this inter-process functionality could be exploited. I'm sure it was the furthest thing from their minds - "Why would anyone want to use The Product to do anything bad? We're just trying to provide solutions. Why the hell are people using our 'Solutions' to cause problems?"



  • Re:OpenOffice.org (Score:3, Insightful)

    by Stephan Schulz ( 948 ) <schulz@eprover.org> on Monday October 08, 2001 @10:27AM (#2401762) Homepage
    What makes us think that Open Office and Star Office are immune from similar attacks, or things like buffer overflows?

    I like free software, but I think it's just urban legend that software not written by microsoft is somehow magically secure. (Witness: BIND, wu_ftpd, sendmail, rpc.*, etc...)

    There are two aspects here. First, while you are right that other groups also have written buggy and insecure software, Microsoft's record is particularly abysmal. Most of the big holes in free software were found early on, at the time the internet just started booming and no one had experience with security. We may not yet be perfect, but we have been learning a lot.

    The second aspect is even more important. A monoculture is always more susceptible to attack than a diverse ecosystem. If we use more different tools, we will survive viruses and worms a lot better. Consider Code Red: If it hit a host with Apache, it did not use this host for further propagation. Not only did the server stay up, the spread of the virus also slowed down.

    So having many different (but preferably interoperable) software systems is inherently beneficial. And yes, this applies to BIND just as well as to Microsoft.
