No Fix for Word Next 'Patch Tuesday'

Posted by Zonk on Fri Dec 08, 2006 11:32 AM
from the that's-cool-nobody-uses-word-anyway dept.
Sktea writes "A spokesman for Microsoft has said that they will issue no patches on the next 'Patch Tuesday' for versions of Word vulnerable to the recent zero-day threat. There is no mention whatsoever of the omission in the latest advance notification at the company's security site." From the article: "The software maker is working on a security update, but apparently needs more time. The company did not specify how many flaws Tuesday's updates will address or in which components of Windows the holes lie. The Visual Studio update could offer a patch for a zero-day vulnerability in the developer tools that was made public last month."

Related Stories

Microsoft Issues Zero-Day Attack Alert For Word (483 comments)
0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by zappepcs (820751) on Friday December 08 2006, @11:34AM (#17162548) Journal
    Are we going to start calling them zero-week or zero-month vulnerabilities?
    • by Overly Critical Guy (663429) on Friday December 08 2006, @12:26PM (#17163176)
      If this was a WMA DRM crack, we'd see a patch within three days. Don't you just love Microsoft?
    • by meclamar (668862) on Friday December 08 2006, @12:57PM (#17163636)
      How about zero-fix vulnerabilities?
        • Re: (Score:3, Insightful)

          I have never ever encountered someone in my direct environment who has upgraded any kind of non-free software (I mean going to a shop to buy a new version).

          Believe it or not, there exists a non-trivial percentage of end users who seek out and pay for software upgrades that provide new features. I, for one, eagerly await Adobe Photoshop CS3. Some of us are not so cheap and actually have specific needs and desires for improved productivity and functionality.

          Then, of course, there's also corporate IT. That'

  • by Anarke_Incarnate (733529) on Friday December 08 2006, @11:35AM (#17162550)
    This isn't anything critical like fixing a problem with their DRM. This only hurts the end users, not anybody they are beholden to RIGHT NOW in order to attempt to become the supreme overlords of the living room, like they so desperately want to be.
    • They are too busy copying Google Books and the Apple look and feel to actually write secure code. /me wants to set fire to Redmond...

      Tom
    • This isn't anything critical like fixing a problem with their DRM. This only hurts the end users, not anybody they are beholden to RIGHT NOW in order to attempt to become the supreme overlords of the living room, like they so desperately want to be.

      Exactly. Who cares about existing users in markets they already control, who are addicted to you and will stay with you forever? After all, when you have to spend all of this time throwing chairs about, f**king killing Google, figuring out ways to steal Apple's successful online music business out from under them, and scheming to keep those Linux guys from getting anywhere, you can't be focused on such silly things as customer support. No siree! Win, win, win! That's what I always say!
  • But... (Score:2, Interesting)

    Their solution certainly said that we aren't to open any MS Word documents. Does this mean Microsoft will pay unemployment to the people that deal with Word documents all day, but can't open them due to security issues?
    • Their solution certainly said that we aren't to open any MS Word documents.

      No it doesn't. Here's the text. Read it carefully. It's very complicated:

      Do not open or save Word files [the part you conveniently left out] that you receive from un-trusted or that are received unexpected from trusted sources.

      Got it? I hope so. This suggestion is ALWAYS true, regardless of whatever known bugs there may be in existence at the time.
      • Re:But... (Score:5, Insightful)

        by wytcld (179112) on Friday December 08 2006, @12:11PM (#17162992) Homepage
        "received unexpected from trusted sources"

        "Expected" is the tricky word there. Most people who receive Word docs in the course of work expect their normal, trusted sources to send them documents that are themselves somewhat new, newsworthy, you know, containing information that's worth sending. A doc that's totally expected probably didn't need to be sent.

        Let's say you're the editor of a newsletter or magazine. You expect docs from a few score people who occasionally submit stuff. You expect them to show up with e-mails that say, "Hi George, Here it is!" The bad guys can easily fake that stuff - and often do - but you're a normal editor, not a security expert, so you give the normal English reading to "receive unexpected," and this stuff all looks like stuff you expected, so you open it....

        What Microsoft should say is, "Don't open any attached docs without phoning the source first and specifically confirming the file." As it is, they're saying just enough to cover their ass ("We warned you!"), without saying enough to enable the typical user to really practice safe Word use.
    • Their solution certainly said that we aren't to open any MS Word documents.

      Before talking about the solution, why not go read the advisory [microsoft.com] first?

      From TFAdvisory:

      Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources.

      Let me translate for you: Do not open random word documents downloaded from unknown sources because they could be infected. If somebody sends you an email with a document you weren't expecting or without any context (ie su

      • Re: (Score:2, Interesting)

        Yeah, ok. Like it's that easy. Tell that to the Human Resources lady who has to open up Word documents containing resumes/cover letters from random people. Get my drift? Why do you all have to be pricks without thinking first?
  • Popeye (Score:3, Funny)

    by spidkit (992102) on Friday December 08 2006, @11:42AM (#17162622)
    Wimpey: "I will gladly fix it on Tuesday."
  • "The software maker is working on a security update, but apparently needs more time..."

     
    So be nice and give 'em a few extra days to come up with some patches (it's the sporting thing to do!!) After all, all that innovation makes it tough to respond quickly to threats to their legacy apps!!
  • I wonder what the vulnerability situation would be like if Open Office...Star Office were more common.
    I personally am glad that I don't use Microsoft for my Office needs.
  • That I could tell, nobody answered my question the last time this issue was reported on slashdot- is Word 2007 immune to this issue?

    Heh heh heh. Did I just imply a conspiracy? No really. That would be totally stupid, unethical, immoral...
    • I would frankly be pretty surprised if the parsing code (and if this is a buffer overflow, I'm sure it's a flaw in the parser) is significantly different in Word 2007. If I was a betting man I'd wager that Word 2007 is vulnerable as well.
    • Re:Word 2007 (Score:4, Interesting)

      by Nasarius (593729) on Friday December 08 2006, @12:45PM (#17163436)
      Conspiracy? Nah. For once, MS doesn't really need strongarm tactics to sell a product. Office 2007, with the first UI overhaul since the days of Windows 3.1, is genuinely worth the upgrade. And it's not even publicly for sale yet. So while you're free to rightly accuse them of incompetence for failing to patch their older (and current) products in a timely fashion, they're probably not being evil.
  • Shucks (Score:3, Funny)

    by Overly Critical Guy (663429) on Friday December 08 2006, @11:53AM (#17162740)
    A spokesman for Microsoft has said that they will issue no patches on the next 'Patch Tuesday' for versions of Word vulnerable to the recent zero-day threat.

    And why should they? The devs are still trying to finish Twilight Princess on the Wii, goshdarnit. Leave them be! The users can last without opening any attachments from anybody for a little while longer, right?
  • I'd rather they take a little more time and "fix" it the first time, rather than having to issue multiple patches to fix it, each one opening up more glaring holes. Of course, I'd prefer it wasn't there to begin with, but hey, the world isn't perfect.
    • Re: (Score:3, Funny)

      Typo Notifaction Post

      Typed: ", the world isn't perfect."
      Corrected ", Word isn't perfect."
  • Why would they? (Score:4, Interesting)

    by Osiris Ani (230116) on Friday December 08 2006, @12:20PM (#17163102) Homepage
    "There is no mention whatsoever of the omission in the latest advance notification at the company's security site."

    My first thought leads me to ask, why would there be any mention of bug fixes that are not included in a patch cluster's content notification? Why would any company specifically call out features that are not being provided in a particular software distribution, in circumstances other than the discovery of a clear and consistent workaround (aside from the standard "temporarily avoid use of [software x]")?

    The situation of miscellaneous zero-day exploits must be embarrassing enough already; I couldn't imagine them calling even more attention to it. "Hey, guess what we're not fixing next week. Check it out!"

  • by nobodyman (90587) on Friday December 08 2006, @12:53PM (#17163576)
    Here's how we get Microsoft to act. Let's just tweak the headlines a bit, from:
    New Zero-day Attack Affects Word Users


    To:
    New Zero-day Attack Circumvents Zune DRM


    There, much better. I guarantee Microsoft will release a patch *immediately*.
    • by LearnToSpell (694184) on Friday December 08 2006, @11:53AM (#17162744) Homepage
      Somebody forgot to turn on his sarcasm detector this morning...
    • Have you had your sarcasm detector serviced lately? It seems to be acting up.

      The point implied was that since everyone in fact does use Word, then it is not cool. You see the play on words there? You see what he did? He said the opposite of what he meant. That is called sarcasm. But I'm sure you don't need me to tell you that.