No Fix for Word Next 'Patch Tuesday'

Sktea writes "A spokesman for Microsoft has said that they will issue no patches on the next 'Patch Tuesday' for versions of Word vulnerable to the recent zero-day threat. There is no mention whatsoever of the omission in the latest advance notification at the company's security site." From the article: "The software maker is working on a security update, but apparently needs more time. The company did not specify how many flaws Tuesday's updates will address or in which components of Windows the holes lie. The Visual Studio update could offer a patch for a zero-day vulnerability in the developer tools that was made public last month. "

Does this mean a new catch phrase?

Are we going to start calling them zero-week or zero-month vulnerabilities?

Re:Does this mean a new catch phrase?

If this was a WMA DRM crack, we'd see a patch within three days. Don't you just love Microsoft?

Re:Does this mean a new catch phrase?

How about zero-fix vulnerabilities?

They don't have time to patch

This isn't anything critical like fixing a problem with their DRM. This only hurts the end users, not anybody they are beholden to RIGHT NOW in order to attempt to become the supreme overlords of the livingroom, like they so desperately want to be.

Re:They don't have time to patch

This isn't anything critical like fixing a problem with their DRM. This only hurts the end users, not anybody they are beholden to RIGHT NOW in order to attempt to become the supreme overlords of the livingroom, like they so desperately want to be.

Exactly. Who cares about existing users in markets they already control, who are addicted to you and will stay with you forever? After all, when you have to spend all of this time throwing chairs about, f**king killing Google, figuring out ways to steal Apple's successful online music business out from under them, and scheming to keep those Linux guys from getting anywhere, you can't be focused on such silly things as customer support. No siree! Win, win, win! That's what I always say!

But...

Their solution certainly said that we aren't to open any MS Word documents. Does this mean Microsoft will pay unemployment to the people that deal with Word documents all day, but can't open them due to security issues?

Re:But...

"received unexpected from trusted sources"

"Expected" is the tricky word there. Most people who receive Word docs in the course of work expect their normal, trusted sources to send them documents that are themselves somewhat new, newsworthy, you know, containing information that's worth sending. A doc that's totally expected probably didn't need to be sent.

Let's say you're the editor of a newsletter or magazine. You expect docs from a few score people who occassionally submit stuff. You expect them to show up with e-mails that say, "Hi George, Here it is!" The bad guys can easily fake that stuff - and often do - but you're a normal editor, not a security expert, so you give the normal English reading to "receive unexpected," and this stuff all looks like stuff you expected, so you open it....

What Microsoft should say is, "Don't open any attached docs without phoning the source first and specifically confirming the file." As it is, they're saying just enough to cover their ass ("We warned you!"), without saying enough to enable the typical user to really practice safe Word use.

Popeye

Wimpey: "I will gladly fix it on Tuesday."

Ok, bad guys, you heard 'em: they need more time!!

"The software maker is working on a security update, but apparently needs more time..."

 
So be nice and give 'em a few extra days to come up with some patches (it's the sporting thing to do!!) After all, all that innovation makes it tough to respond quickly to threats to their legacy apps!!

Open Office...Star Office

I wonder what the vulnerability situation would be like if Open Office...Star Office were more common.
I personally am glad that I don't use Microsoft for my Office needs.

Word 2007

That I could tell, nobody answered my question the last time this issue was reported on slashdot- is Word 2007 immune to this issue?

Heh heh heh. Did I just imply a conspiracy? No really. That would be totally stupid, unethical, immoral...

Re:Word 2007

Conspiracy? Nah. For once, MS doesn't really need strongarm tactics to sell a product. Office 2007, with the first UI overhaul since the days of Windows 3.1, is genuinely worth the upgrade. And it's not even publicly for sale yet. So while you're free to rightly accuse them of incompetence for failing to patch their older (and current) products in a timely fashion, they're probably not being evil.

Shucks

A spokesman for Microsoft has said that they will issue no patches on the next 'Patch Tuesday' for versions of Word vulnerable to the recent zero-day threat.

And why should they? The devs are still trying to finish Twilight Princess on the Wii, goshdarnit. Leave them be! The users can last without opening any attachments from anybody for a little while longer, right?

I'm not at all surprised or unhappy

I'd rather they take a little more time and "fix" it the first time, rather than having to issue multiple patches to fix it, each one opening up more glaring holes. Of course, I'd prefer it wasn't there to begin with, but hey, the world isn't perfect.

Why would they?

"There is no mention whatsoever of the omission in the latest advance notification at the company's security site."

My first thought leads me to ask, why would there be any mention of bug fixes that are not included in a patch cluster's content notification? Why would any company specifically call out features that are not being provided in a particular software distribution, in circumstances other than the discovery of a clear and consistent workaround (aside from the standard "temporarily avoid use of [software x]")?

The situation of miscellaneous zero-day exploits must be embarrassing enough already; I couldn't imagine them calling even more attention to it. "Hey, guess what we're not fixing next week. Check it out!"

Here's how we get it fixed.

Here's how we get microsoft to act. Let's just tweak the headlines a bit, from:

New Zero-day Attack Affects Word Users

To:

New Zero-day Attack Circumvents Zune DRM

There, much better. I guarantee Microsoft will release a patch *immediately*.

So Is Everybody Using NotePad or What?

WTF do corporations do when viruses and worms are whizzing past on their internal networks and there's no fix available? Do they blindly continue working with Word?

I talked to a friend whose corporate computer was infested by spyware that planted porno on his system. He paid the blackmail for the antispyware to remove it. A month later he de-installed the antispyware and guess what - the porno returned.

How are other IT departments dealing with this?

Where I work, we use Mailscanner (http://www.mailscanner.info/) to filter our internet-facing email before it hits our MS Exchange server. As of yesterday, we started blocking the .DOC extenstion as well as the Microsoft Office filetype as determined by /bin/filetype. Anyone who gets a blocked attachment has the attachment replaced with a small text file that basically says 'Contact IT for your document'. We, IT, then retrieve the blocked documents on demand, open them in OpenOffice and either save them as an RTF and pass them on to the user or just print the document if the user only needs a hardcopy.

Obviously, this is a pretty work-intensive process and I'd really like to refine it. To that end, I'm wondering how other IT departments are responding to this threat.

Thanks!

A swift kick in the pants

History has shown [eweek.com] that the way to get a patch out of Microsoft is to have some third party come out with a patch. Even though it works they will say that the patch is risky (FUD) and the official patch will appear in a few days.

meanwhile, firefox...

meanwhile the firefox team still hasn't fixed the password manager vulnerability [arstechnica.com]...

mein gott in himmel

From the previous article summary:
"There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
I can't contain language on this one: When the fuck wil MS take their prodcuts off the market and just go away?

Re:uninsightful

Somebody forgot to turn on his sarcasm detector this morning...

Re:uninsightful

Have you had your sarcasm detector serviced lately? It seems to be acting up.

The point implied was that since everyone in fact does use Word, the it is not cool. You see the play on words there? You see what he did? He said the opposite of what he meant. That is called sarcasm. But I'm sure you don't need me to tell you that.