MS Office Zero-Day Under Attack

paulBarbs writes "Microsoft is warning users to be on the lookout for suspicious Excel files that arrive unexpectedly — even if they come from a co-worker's e-mail address. In an advisory, Microsoft confirmed a new wave of limited "zero-day" attacks was underway, using a code execution flaw in its Microsoft Office desktop productivity suite. Although .xls files are currently being used to launch the spear phishing attacks, Microsoft said users of other Office applications (Word, PowerPoint, Outlook, Access, etc.) are potentially at risk."

How old are you?

[HomelessInLaJolla]

Dear Exploit,

How old are you? How long have you been available in the wild? How long did your brother exist in SP1 before you came along in SP2? Do you have a cousin which works in Win98/SE? How long have corporate managers been using you to spy on their employees?

Signed,

Secret Admirer

Re:

[imemyself]

Wow. People are still using OS/2 and its derivatives? Not only still using it, but switching to it? I haven't heard anything from OS/2 zealots in a long time.

Re: eComStation and OpenOffice.org

[Planesdragon]

I also don't have to worry about the vendor shutting down my OS or apps remotely in the future.

Hi. I'm a PC user, with an HP laptop, and Office 2007. Not too long ago I had Vista Beta on this thing. And you know what? I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.

Part of me wishes they'd try -- it's amazing how good the upgrade from "punative damages" would be.

Re:

[glindsey]

I don't have to worry about the vendor shutting me down ever. You know why? Because I live in a country that follows the rule of law, and can prove in a court that I purchased these things legally.

So your solution is that we keep receipts of every single thing we purchase because the burden is upon us, the consumers, to prove that everything we have purchased is legal?

Gee, that sounds like a wonderful solution. "Why are you so worried about the government mandating cameras in your house? Surely, if you're

Receipts

[Dobeln]

"So your solution is that we keep receipts of every single thing we purchase because the burden is upon us, the consumers, to prove that everything we have purchased is legal?"

No - just for the expensive stuff. I certainly do - I don't expect them to repair my LCD TV out of the goodness of their hearts if it breaks, etc. Validation failure in Vista seems even less likely than my TV giving up.

I should add I presently run XP Corp PE (Pirate Edition). Works like a charm, but I won't pretend to get all morally

Re:

[profplump]

Couldn't the onus be on the accuser to say, I don't know, prove that their accusation? Something like innocent until proven guilty? I know it's novel concept but we could, in fact, just assume that people are acting within the law until they demonstrate otherwise. Yes, people could use that assumption to do bad things, but it also lets people who aren't doing bad things get on with their lives without inteference.

The company is explaining to you that you will bare the burden of proof of ownership

That's patt

Re:

[bogd]

From what I've heard, Vista will disable some of its features if it considers itself a pirated version. Considering the track record of its predecessor (the many cases where XP flagged down legal versions as being pirated), you may just come to the point where that happens. I wish you lots of luck going to court with that...

And I really mean it - if enough people do that (and manage to actually win the case), maybe MS will reconsider its policy of "stop the pirates, no matter how many legitimate users ge

Re:

[kjart]

Could you tell those CSS folks that Geocities called and they want their website back? Thanks.

Re: eComStation and OpenOffice.org

[dr.badass]

For Christmas I bought a system from CSS.

Did you get an employee discount?

Hey, user_ecs: Are you an ad-bot troll?

[KWTm]

You have made 11 posts [slashdot.org] so far, and EVERY SINGLE ONE is an ad for the E-com Station business that sells computers.

In the past 24 hours, you made FOUR posts, all within TWO HOURS of each other. They were all ALL ads for E-com Station. Other than those four posts, there was nothing else for the past year-and-a-half.

Prior to that, two years ago you made FIVE posts, all within ONE HOUR of each other. They ALL advertised E-com Station.

There were two posts prior to that. Guess what they ALL advertised?

No, it's

When will people and businesses learn?!

[Anonymous Coward]

How many more exploits will we need to encounter with Microsoft products before people realize that it's just not worth it to use such flawed software?

I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.

Of course, such expenditure could have been prevente

Re:

[Anonymous Coward]

Well, in Microsoft's defense, the next version of Windows is going to be even more secure! Stick with us, because we care, damn it! Honest! I swear!

. .. and if anyone disagrees, I will throw a chair at them to prove just how much we care!

Signed,

Ballmer

Re:When will people and businesses learn?!

[Technician]

I would have thought that businesses would be the first to learn. They are the ones who tend to be the most affected by situations like this, especially when hundreds or thousands of Windows-based computers on their internal networks become compromised. It costs them a lot of money to clean up those systems.

At my place of employment (100% MS shop) they have had too many of these kinds of problems. As a solution, all attachments are filtered and removed. It it was an attachment we were expecting, then we could apply to recieve the attachment unless it is an executable. To send an executable file (including MS documents) we are advised to send them as encrypted zip files.

I don't expect this exploit of the week to be much of an issue for us Monday morning except for a couple road warriers who may have gotten it from home.

Re:

[rahrens]

The Agency I work for filters and blocks .zip files, too. They have proven to contain harmful executables in past malware attacks, too.

Re:

[Technician]

The Agency I work for filters and blocks .zip files, too. They have proven to contain harmful executables in past malware attacks, too.

I wasn't very clear.. We filter ALL attachments including zip files. Un-encrypted is deleted. Encrypted is held and can be requested if you were expecting it.

We know about the short note telling you how to use this password to decrypt the attached encrypted zip. It was a hack to get past filters. It is still a way to get past filters, but with the additional step of con

Re:

[Fred_A]

So you have to first send a postcard with the password and the hash to the zip file and then email the zip file ?

I'm so glad I don't work with large corps any more. This is getting completely insane. The people I switched to FOSS desktops don't know how happy they ought to be...

Reminds me of that Dilbert strip where the PHB sent some file to someone then instructed his secretary to fax a copy as well "in case he didn't read his mail" and then to snail mail a printout "so that he'd have a clean copy".

Re:When will people and businesses learn?!

[Beer_Smurf]

We use a system that is so hosed that we smash every computer with a hammer before it comes in the door.
Great.

Re:

[Nasarius]

To send an executable file (including MS documents) we are advised to send them as encrypted zip files.

What the fuck? Why not just eliminate ALL these problems by requiring the use of PGP internally? Enigmail is absurdly easy to use, and I'm sure there are plugins even for Outlook.

Re:When will people and businesses learn?!

[Jessta]

You obviously aren't paying attention.
There have been many security flaws reported for OpenOffice.

The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.

One of the great advantages of gentoo(and other source based package management) is that you can leave out functionality in a program that you're not going to use. This means less code that can be exploited.

Re:

[LeDopore]

Serious question: "How many gentoo users actually DO hand pick the features they compile?" My guess is that:

1 It might be hard to know what you can safely leave out of a compile and not break anything
2 It's difficult to foresee every function you are going to want in a program at compile-time, even if you're familiar with it
3 There are so many programs on a typical Linux box that to hand-choose modules for them all would take ages.

I guess in some environments (like cash register systems) you're doing only

Re:

[Jessta]

That is true. The php ebuild has a scary number of use flags.
I guess that's a problem that needs solving.
A nice module loader, like in the linux kernel would be nice but having it automatically load required modules wouldn't solve the problem. So users would need to know what modules they needed loaded.

I'm still amazed at the size and complexity of office related programs.

Re:

[ultranova]

I'm still amazed at the size and complexity of office related programs.

You shouldn't be, really. After all, it's perfectly logical. The number of features is a selling argument for a word processor that needs to compete not only against other products but also its own earlier versions. That's why the number of features - and thus complexity - can only ever grow.

What I'd like to see is something completely different, a document making system that would cleanly separate content and presentation, a bit l

Re:

[rifter]

The problem is not Microsoft specific. It's a problem with overly complex software. Word processors are overly complex which means that there is a lot of code that can contain errors. Most users don't use the full functionality of the software and therefore don't require it to be so complex.

I never saw the point of allowing scripting within word processing documents, for instance. It violates the fundamental premise of seperating code from data. It was bound to cause problems, it has, and it pretty much

Re:

[Jessta]

I never saw the point of allowing scripting within word processing documents
It's about making MS Office a development platform, which to me sounds really expensive. At $700 AUD per user before you even start development, it's not very competitively priced.

Re:

[Jessta]

once you start taking stuff out you are potentially opening up code paths that have minimal coverage/testing
Really depends on how the code is structured.

Re:

[grcumb]

businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.

The moral of the story is: If everyone else jumped off a cliff, why yes, we would jump too.

It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.

Re:

[Anonymous Coward]

It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety. you missed the moral, friend. The moral is that we value our ability to conduct business above our individual safety.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[c6gunner]

We value conf.....listen stinkynuts, standards have nothing to do with conformity, and everything to do with making day-to-day life possible. If you "don't want to conform", fine, feel free. Wear a clown costume to work, cook your breakfast on top of your VCR, make up your own language, and fuel your car with lemonade. Me, I can maintain my individuality while still following common-sense standards.

Re:

[grcumb]

We value conf.....listen stinkynuts, standards have nothing to do with conformity, and everything to do with making day-to-day life possible.

Precisely. And that's why I didn't say a word about standards.

If, however, you accept that the de facto 'let's use this format because everyone else does' way of working constitutes a sufficiently complete definition of 'standard', and if you are going to claim that the risks, in terms of security, cost and flexibility, cannot be mitigated by mere virtue of the ine

Re:

[c6gunner]

Christ. Let me guess - you still own a betamax machine, right?

These decisions are more difficult that simply looking at competing products and seeing which one is "superior". If you can't understand that there are literally dozens of factors which play into these decisions then I don't know what else I can say to you. As a quick overview: businesses need to consider long term support costs, compatibility with other users, and re-training costs for their employees. Those would be the minimal considerati

Re:

[civilizedINTENSITY]

In what way is betamax more inherently safe? Is there anything about its design that is inherently more secure? Can a VHS tape virus even ever "own" your system? Please try to understand the issue. The rant at hand isn't against standards, it is against de facto standards that are insecure. Everyone drives a car. No on uses horses. This doesn't mean that saying a Corvair blows up and is dangerous means we want to go back to horses. It means we want the companies who make unsafe products to get their

Re:

[c6gunner]

Ah. So this is really just another "Microsoft is unsafe" rant. Well. That's been done to death, all the dumb claims have been answered, and people still continue spreading the myths. Whatever. I'm not getting into a pointless religious argument with an Open-Source zealot.

Re:

[indifferent children]

So this is really just another "Microsoft is unsafe" rant. Well. That's been done to death

Excuse me sir, but did you read the summary at the top of this page? I don't mean RTFA, just the summary.

That's been done to death, all the dumb claims have been answered, and people still continue spreading the myths.

If by 'people' who are spreading 'myths', you meant Microsoft officially warning their customers about 'risks', then I guess you're right.

Re:

[bursch-X]

Common-sense standards. ...of which MS is part of? What do you mean with "common-sense" standards? The non-open pseudo standards that have been pushed down our throat, just because mister Monopoly says so? I do have a problem with "standardizing" on the complete mess that MS Windows and MS Office actually is. There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats.

Re:

[rifter]

There's no consistency in file formats, even MS' own products more often than not bungle when it comes to opening an older version of their file formats. ?? What? please cite examples. The only time I ever saw a newer version have issues opening a old files was when lots (and I mean lots) of custom coding was done in that old file. This was with excel (the spreadsheet program that is way to big for it's own good). I have never seen a newer version of word, or pp screw up. I uninstall access whenever I see

Re:

[ElephanTS]

It's an unfortunate but inescapable aspect of human societies that we value conformity above our individual safety.

Although you're exaggerating a little for effect you're right. However, conformity is essential for the coherence of societies and not necessarily 'unfortunate' all of the time. That point is well established in socio-biology. If you took away the very strong drives for conformity society would quickly collapse. Knowing this though, we have to be on guard for symptoms of group-think that are de

Re:

[grcumb]

Actually, slashdot is full of groupthink itself which often annoys me.

I would argue that 'groupthink' is not at all a helpful term, as it indulges in the very thing it objects to.

But without it, I would have a hard time describing the individual(s) who modded me 'over-rated' in retaliation for having an unpopular point of view. 8^/

Re:

[ElephanTS]

happens all the time here. It can be crushingly narrow minded IMHO

Re:

[grcumb]

[I]ts got nothing to do with conformity. Its [sic] to do with *being able to share documents with your business partners*.

It has everything to do with conformity. I have no problem with the importance of being able to 'share documents with your business partners'. That's reasonable and universally appealing. I do find it unfortunate, though, that people continue to do it in a way that is neither secure, sustainable nor cost-effective, and then refuse to make any effort whatsoever to mitigate the problems

Re:

[pallmall1]

businesses need to be able to share documents with their business partners and clients...

Does that include sharing bank and credit card passwords, and social security numbers with spammers and phishers?

Um... That's why standards exist

[Colin Smith]

businesses need to be able to share documents with their business partners and clients, thusly, they must support the same file formats as their business partners and clients.

That simply means you need standardised file formats [wikipedia.org], you don't need the same software.

 

Re:because it's not that easy

[zcat_NZ]

If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.

Re:

[HomelessInLaJolla]

Too bad. The world forgot plain text in favor of featureware a long time ago.

Re:

[a_n_d_e_r_s]

If only there were a single, well defined and completely open document format that could be used by anyone, with any office suite. That would be just great.

ISO 26300 aka Open Document

Re:

[civilizedINTENSITY]

Actually such matters as what document formats to use should be negotiated.

Re:

[rifter]

"I'm on OS X and if a client or contractor sends me"

Most businesses can not afford or would not like to treat their a client like that. They are your client because you work for them. Unless your business is "IT general awareness" or "Subtle OS agenda pushing", you are not providing them a very good service. Maybe you are from the bizzaro world where the customers and clients do not come first or your clients have no choice to come your way because of prior arrangements and/or you are part of a much larger

what?

[macadamia_harold]

MS Office Zero-Day Under Attack

*rereads headline* what?

Re:what?

[JoshJ]

It's simple. Microsoft's "Zero-Day" product has been under attack by Offices. Probably for being so full of zeros. They need to fill in more of the 0's with 1's.

Re:

[HomelessInLaJolla]

The zeroes and ones also need to be properly sorted. You may have your zeroes and ones for free but you'll have to pay someone (I'm homeless and available to start work tomorrow morning) to arrange them correctly.

Re:

[jZnat]

Well, it's redundant to say that because "zero-day" implies there are exploits in the wild already.

I open Excel files 1 day after I receive them

[product byproduct]

to protect myself against 0-day attacks.

Does not affect Office 2007

[ThinkFr33ly]

The fact that this does not affect Office 2007 suggests that Microsoft is learning from their mistakes.

This is further supported by other software they have released that went throught their "secure development lifecycle [microsoft.com]" initiative, including IIS 6.0, IIS 7.0, Windows Vista, Windows Server 2003, etc.

Of course, IIS 7 and Vista have only been out there for a few months now... so, obviously, the jury is still out on them.

Do we know this for sure?

[Anonymous Coward]

Do we know for sure that Office 2007 is not affected? Without the source code being available to us under an open source license, I don't think we can, as a community, safely say that it is not affected. All we can do is speculate, or blindly trust Microsoft if they say it's not affected.

Re:Do we know this for sure?

[DelawareBoy]

If you follow that logic, anything not open source is open to that vulnerability, Microsoft or not...

However, if you actually try the code which does impact Office 2003 and earlier additions, it does NOT work. Makes me glad I got my free copy of Office 2007.

Re:

[zCyl]

Makes me glad I got my free copy of Office 2007.

Uh huh. I bet the exploit doesn't work on my free copy of Open Office either. :-P

Re:

[DelawareBoy]

My Word 2007 allows me to save in the new Word format, Word 1997 - 2003 (which allows reading things TEN years older, not 3 as you have said), PDF, XPS (which I don't know why I'd use), .txt, RTF, HTML, and a few others..

Why spread this FUD?
Hate Microsoft because of legitimate reasons (like anti-trust), NOT for reasons made up, like a little girl.

Re:

[civilizedINTENSITY]

Our physics department keeps OpenOffice around especially for its ability to deal with MS Word documents. So many students use such a variety of MS Word versions, and Word isn't all that great at opening various versions. When Word can't open Word, that is a sad state of affairs.

Re:

[ThinkFr33ly]

Very true... except that if you're worried about involuntary lock-n, there are 16 file types you can save your documents in, many of which are very widely support. You can also install additional file type support, such as the Open Document Format.

So I guess it's not true at all. Never mind.

Re:

[HomelessInLaJolla]

True. O'07 is in the 0-15 day section. It'll take the original exploit author a few more days to track down the new memory location, recompile, and test. Maybe the new memory location floats. That might take another day or two to peruse the proper .dll and determine the floating method.

Re:

[cnettel]

From the article, it's not just that it fails to work in O2007, it's stated that it's not vulnerable. I'm pretty sure that the current file won't work on Office 2004 for Mac, but that's still listed as vulnerable. If they're consistent, the codepath is really fixed/changed in the new version.

Anyway, I'm surprised to see Access in the list of "possibly vulnerable". I guess it might be some part of the VBA parsing, since, except for that, lots of the file logic is different (the databases are not compound OL

Re:

[HomelessInLaJolla]

You didn't read far enough

Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash

All of the other actions listed in the exploit sequence seem to be legitimate actions which, unless Microsoft wants to rewrite legitimate function calls or handle the "XOR shellcode" on a case by case basis (apparently, if it's allowed, there was/is a legitimate use for it someplace), cannot be blocked without creating major compatibility/useability issues for legit users.

If the exploit can be written for one hardcoded address, which can be found, then it can be written for any ha

Re:

[kosmosik]

> The fact that this does not affect Office 2007 suggests that Microsoft
> is learning from their mistakes.

Not really. It also may be that nobody targets bugs in these products yet.

FreeDOS also has not many known vulnerabities. ;)

Re:

[fermion]

The fact that this does not effect MS Office 2007 merely indicates that MS has closed previously exploitable holes, and the pros have not had time to package current exploits into the framework needed by the script kiddies. Even if we see fewer attacks in the future, that could still mean several different things. It could mean that MS Office 2007 is more secure. It could mean a growing competence by users to compensate for MS failure to provide a secure system. Or it could mean that such exploits have

Re:

[ThinkFr33ly]

The fact that this does not effect MS Office 2007 merely indicates that MS has closed previously exploitable holes

Actually, that's probably not the case here. If Microsoft knew about this particular hole, they would have issued a patch for in for previous versions. They probably had no idea about this hole. The reason it doesn't affect Office 2007 is probably because Office 2007's basic approach to handling documents is different from previous versions. They treat all documents as potential threats. In other words, the secure development lifecycle made Office a more secure product, and this prevented a previously unkn

Bill was RIGHT.

[Anonymous Coward]

The other day, Bill Gates suggested to Newsweek the the Mac is super-insecure due to lack of code base drama within Mac OS X:

The number [of Vista security flaws] will be way less because we've done some dramatic things in the code base. Apple hasn't done any of those things.

He was so right. It is time for Mac users to upgrade to Vista, after all, TFA says:

Confirmed vulnerable: [...]Office 2004 v. X for Mac.

There you have it fanboyz... CMD-. your life away! Vista all the way baby!

It's past time for a better approach

[haruchai]

After all these years, the same software bugs seem to continually crop up. I guess that no currently available platform is safe but can't we do better? It has been 2 decades of worrying about viruses, worms,trojans, format string errors, buffer overflows, etc. Microsoft was a latecomer to the "make software secure" game but it has been about 5 years now and the song remains the same. So, my question is, who's doing it right and how ?

Re:It's past time for a better approach

[HomelessInLaJolla]

> So, my question is, who's doing it right and how ?

Code has become so enormous that the answer is, more than likely, nobody.

I'm still puzzled. Spreadsheet programs, word processors, database programs, etc. etc. etc. all fit on one, maybe two, floppy disks at one time. If anyone wonders how to write secure code the largest starting point is: cut out the advertising glitz and cruft.

But then the rest of the population would happily go back to sticky notes, $2.99 calculators, pencils, the telephone, US Mail, and the kitchen table (for solitaire) and that wouldn't be profitable for the market sector. So, love it or hate it, just view the security industry not as a problem to be solved but as a tiger to be fed and groomed.

Re:

[cnettel]

Well, I think you'll find that apps of that era were NOT resilient to malformed input. Maybe we could get them right if we aimed for the same functionality now, but I almost doubt it. (Well: if you put a workforce equivalent to the complete Excel team onto making a console app with the functionality of the original 1-2-3, I guess they could make it reasonable safe. At least until you press some F key to recalculate.)

Re:

[HomelessInLaJolla]

> apps of that era were NOT resilient to malformed input

What? Again I say, what?

Apps of that era only had 8-bit character sets to deal with. Malformed input was so much easier to check for. Not that the expanded character sets of today are any real excuse but still, again I saw, what?

Re:It's past time for a better approach

[flyingfsck]

MS wrote loads of stuff with C++ and the C stings library especially, is total crap. Also, with C++, it is fundamentally impossible to know when it is safe to destroy an object and free its memory. MS is therefore suffering from a bad choice of compiler and coding methods years ago. Their problems won't go away anytime soon.

Re:

[Watson Ladd]

Lisp, J, O'caml, Erlang, Smalltalk all look like safe languages to write in. And yes, they have operating [wikipedia.org] systems [common-lisp.net] in Lisp.

Re:

[pe1chl]

There are a couple of things that you can do to avoid this kind of mishap:

- office workers should not work under an account with administrator privileges. when applications exist in the company that require administrator rights, they should be phased out. there is no excuse for still having such bad program code around in 2007.

- the user account being used should not have write permission in directories like /windows /program files etc. in our systems, the only directory with write permission is the user

OO

[len_p]

I'll open the XLS file in OpenOffice. I use Linux anyway :) Len [www.len.ro]

Re:OO

[zCyl]

Linux? never heard about it...

It's simple. Linux is to Windows what Data was to Hal.

Gates asked for it...

[bigredgiant1]

Maybe this is related to Bill Gates' recent comments, saying he dares someone to do to Microsoft what has recently happened with OS X and zero-days. Careful what you wish for. http://apple.slashdot.org/article.pl?sid=07/02/02/ 1940232 [slashdot.org]

Re:

[steeviant]

I say we just put up with the problems in Windows.
Windows just needs time to mature.
At the moment Microsoft are undergoing a big shake up.
Everyone has their foibles, and Windows is no different.
No software is perfect.
Microsoft are really trying to turn things around.

Re:

[steeviant]

Bill Gates is a great man, he is giving all his money away to charity.
Without Microsoft computers would be much harder to use and more expensive.
Etc.

I wasn't so much trying to be funny as regurgitating some of the sugar-coated bullshit I've been spoon-fed by the media over the past couple of years leading up to the release of Vista.

My honest opinion from what I've seen of Bill Gates is that he seems very insincere most of the time, like he is trying to hide deep seated insecurities behind a veneer of smugne

Re:

[Bert64]

What you have to consider when looking at charitable donations is:

How much is actual cash, and how much is given away as products (remember microsoft's products cost them virtually nothing to reproduce).

What kick-back do they get in the form of tax breaks? (when donating products, assuming the tax break is based on the retail cost, they can still make huge profits purely from that because the reproduction cost is so minimal).

How much is the PR worth? Donating to charity is simply a form of marketing, how co

totally offtopic

[DragonTHC]

I'm shocked that Billy Joel needed a vocoder to perform the national anthem at the superbowl

Re:

[HomelessInLaJolla]

I'm homeless. I wasn't able to see it. Let me know how funny the commercials were.

Just wondering if this IS MS marketing?

[zappepcs]

Lately we've seen memos and emails suggesting just how far MS is willing to go, perhaps in the future we'll see emails or memos describing how malicious software was released into the wild to help people decide to buy the new 2007 applications to go with their new Vista PCs?

Re:

[TubeSteak]

You can embed excel spreadsheets in Office, PowerPoint, even a simple html file.

I wonder if this exploit is specific to files with the .xls extension? or is it a just an exploit that requires excel to load.

If it's the latter, that's a much bigger problem than the former, especially considering the fact that you can embed spreadsheets in html.

Glad I switched

[AlphaLop]

I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice

Re:Glad I switched

[mccalli]

I am so glad I switched to open office. Now whenever one of these things happens I send the article to my friends along with a link for OpenOffice

Do you send links to any of these OpenOffice vulnerabilities [google.co.uk] as well?

Cheers,
Ian

Re:

[caseih]

Vulnerabilities in OO.org notwithstanding, a few things we must keep in mind: The cost of getting the latest openoffice? Do you need a "genuine" copy of OpenOffice to qualify for patches? Seems like OpenOffice, for all its warts, still comes out ahead in this one area. For home users, this can be a huge point. Of course, the underlying OS (as of windows XP) is still a huge security problem, despite using firefox and oo.org.

Re:

[smoker2]

Interesting how most of those results are announcing *patches* for OO vulnerabilities, and the OO on MS contingent is by far the biggest proportion anyway.

I can't be the only one

[antifoidulus]

who thought of the grunt voice from Warcraft II when they read the headline.

Mac vulnerable?

[Angostura]

That's odd - the advisory suggests that Mac Office v.x and 2004 are vulnerable, but that certainly doesn't chime with the mechanism quoted. What's going on here?

Re:

[steeviant]

Bill Gates is right! Apple are lying to everyone about how secure their OS is!

It's really vulnerable to all the same problems as Windows, and this is proof.
Absolute irrefutable proof from an utterly incorruptible independent source!

Nevermind that...

[Sodki]

... look how pretty Ribbon is!

It's not funny, why laugh?

[suv4x4]

I fail to see why posts talking about vulnerabilities in widely used software is tagged "haha". Is it really so funny?

The zombies that will result from those attacks will send spam even to your tricked out Linux PC. You're laughing at your own expense. Have fun.

It's called Schadenfreude

[BearRanger]

http://en.wikipedia.org/wiki/Schadenfreude/ [wikipedia.org]

Especially after that interview with Bill Gates in Newsweek. It's not that people don't feel for Microsoft's victims. It's just that when you make the claims Gates did you have to be able to back them up. Time and time again Microsoft has shown that they can't.

The Irony

[Tom]

Hi Bill. Didn't you just brag about windos security [slashdot.org]?

I dare anybody to do that once a month on the Windows machine.

February: check

Re:If only 50% of the population used MS Office

[cnettel]

Yeah, cause we know that pyramid schemes and MLM require each and every recipient to join the game. If only 50 % of the population used Office, but each infected machine sent out two copies (and each was opened), we would have a steady state of fresh infections. Logic like yours might have worked when the primary vector was the actual work documents, or floppy disks. With mass mailings, even a very small fraction could ensure a significant outreach. The question is simply if the explosive phase will be delayed enough to put extra countermeasures into place.

Re:

[Colin Smith]

but each infected machine sent out two copies (and each was opened), we would have a steady state of fresh infections

I think we can take it as read that the number of mailings and openings are related to the size of the addressbook and human psychology respectively. Both of which will be comparatively constant. Even with a mass mailing the effect would be massively reduced. You go from an explosion to a trickle.

Re:Falling Sales?

[sqlrob]

You can also avoid the attack by setting %TEMP% to no execute permissions. Interesting that they don't say that.

Re:

[TheThiefMaster]

Unfortunately a lot of installers seem to extract themself to %temp% and then run one of the extracted files to continue, so this isn't a permanent solution. Unless you're not ever going to install anything that is.

Re:

[miro f]

try reading the article you linked to

0-day exploits are released before, or on the same day the vulnerability -- and, sometimes, the vendor patch -- are released to the public. The term derives from the number of days between the public advisory and the release of the exploit.

the zero day you're referring to is 0 day warez, that is, warez that are released before the actual product. A 0-day exploit means that the exploit is in the wild before the vendor knows about it.

Re:

[gelfling]

I work for a large company that probably spends several tens of millions of dollars a year over and above the green dollar cost for the licenses just downloading and installing patches and fixes for an endless series of 'maybe' threats in Windows. The problem is that with all of these fixes you can't really know which are real and which are theoretical and which can be ignored and which can be mitigated some other way. We just mooooove! along like cattle installing one patch after another wasting time and m