Microsoft Word Security Flaw 529
JWL-23 writes: "cnn.com is reporting that a Microsoft Word flaw may allow file theft. Furthermore, they plan on not fixing Word 97, leaving millions of users out in the cold. Yet another reason to try OpenOffice.org." It still takes more than running Word to expose the contents of your hard drive though.
Incidentally (Score:5, Interesting)
Isn't it sad when security flaws make you all nostalgic...
Why should they fix it? (Score:3, Insightful)
Microsoft may come up with a patch for it. All you will have to do is call their 900 number and sit on hold for 20 minutes.
OpenOffice... (Score:3, Interesting)
I had a couple of mishaps with it that were due to odd Word markup, I suspect, but overall it's been a pleasant experience.
Security flaws such as this drive me closer and closer to completely abandoning MS Office in any fashion.
Platform helps... (Score:2)
The class based system also helps keep out the bugs. As does the fact that the code is open source. I'm not sure if you're aware or not, but most heavily used open source products get patched within a few days of announcements of vulnerability.
I'd bet money that OpenOffice doesn't have as many vulnerabilities as MS Office.
Ignorant, biased fool.
Re:Platform helps... (Score:2, Funny)
OpenOffice is *NOT* a Java application.
I know, it's shitty and slow, and you'd think it was, but it's not.
security (Score:5, Funny)
Re:security (Score:3, Interesting)
It's almost as if MS was staffed entirely by PHBs...
Re:security (Score:2)
Microsoft's Top Priority... (Score:3, Funny)
Makes me think of the ZDNet interview with Jim Allchin [com.com] the other day.
Q: ... What's at the top of your agenda these days?
A: Quality is at the very top: Excellence in design, architecture and relationship to customers is very important...
I guess he didn't get the BillG memo that security should have been listed somewhere in there. Ah, but we shouldn't expect every employee to have gotten that memo.
Theoretically, we could assume he meant security as part of design and architecture, but we've been given very little proof that Microsoft includes it in those points.
Of course I won't believe it's a top concern until I see Mr MonkeyBoy on stage clapping out and chanting "Security, security, security security..."
Re:Microsoft's Top Priority... (Score:3, Insightful)
Not even remotely true. StarDivision, the original owners of the suite from whom Sun bought StarOffice, was already quite popular in Germany - popularity that had built up going all the way back to when it had been a popular DOS WP kind of like WordPerfect was here.
Caldera even shipped early StarDiv versions of StarOffice with their OpenLinux as one of the major things that differentiated it from the rest of the Linux crowd. Back in those days, the fact that Caldera had capabilities like StarOffice and LISA (which was the first of the smart & friendly Linux installers we take for granted today) put it far ahead of the competition. It's fair to say Caldera was a good 18-24 months ahead of all other Linux distros in this timeframe. I know - I was looking seriously at it at the time at a large computer company here in Austin...
Applix was always a horrible office suite, but it had one really cool feature that never really got used in the Linux world: Applix is *very* good at processing, graphing, munging, displaying, etc. real-time data streams, which is why most of Applix' revenue back in those days came from selling stuff to Wall Street traders and the like.
Re:security (Score:2)
Here I'm thinking (admittedly naively) about "digital rights management". Question is, what level of confidence/assurance/responsibility of security do companies like Microsoft, Oracle, Intel, etc., provide? Do the RIAA/MPAA (even the US gubbmint) have enough confidence in these companies to "do things right"? There is sufficient evidence out there to avoid a certain OS vendor to provide secure solutions.
YOU LOOK LIKE YOU'RE STEALING A FILE! (Score:5, Funny)
ZDNet's take on this story (Score:5, Informative)
http://zdnet.com.com/2100-1104-957786.html
Re:ZDNet's take on this story (Score:2, Informative)
a Microsoft word flaw (Score:2, Offtopic)
Re:a Microsoft word flaw (Score:2, Insightful)
Others could include "trust[worthy]", "secure", "reliable", "open", and some others that have slipped my mind.
Re:a Microsoft word flaw (Score:2)
Doug
Open Office (Score:3, Insightful)
My sister's entire school district is switching to it, it's cheap and open source, so there's no "we're not going to fix it" crap.
Schools have been sold on the idea that students need to learn the microsoft products for the business world. But I say if you learn open office you'll be able to use office 2000 should an employer some day down the road still be using it.
Re:Open Office (Score:2)
You sound quite young and naive. Companies in the past, today and tomorrow are not going to abandon productivity suites such as MSOffice because of these vulnerabilities/exploits. The reason why the majority of schools teach proficiencies in these products is that the majority of businesses *use* them.
I used to be a zealot as well. A few years of working every day has turned me into a realist.
Thank god I downloaded openoffice last night.
Phew, that was a close one!
Re:Open Office (Score:2)
Believe me, when our school realised they would save over $9000, the switch was a no brainer.
All it takes is for some exposure, and some businesses looking at their savings, and people will not care if their software is Microsoft or not, especially with their "Trustworthy computing" campaign.
Social Engineering (Score:2, Funny)
" If an attacker can persuade a target to open, modify and then return a document to him he can snaffle sensitive files on a user's PC. "
This isn't a huge bug with office it's a huge bug with USERS.
Re:Social Engineering (Score:3, Insightful)
I receive documents for review and editing from up to 400 different people -- and I'm not even all that high up the food chain. This would easily work on me -- and I'm very security conscious. This isn't like "don't click on attachments from people you don't know" -- it falls more into the category of "don't ever use word and outlook and office for what they're designed to do." (I know -- use OO... When somebody convinces the government to do that...)
Re: VERY EASY Social Engineering (Score:3, Informative)
But back to my original point - there are many contexts where it is literally day-to-day routine for lawyers to email Word documents back and forth, with each recipient detaching and saving the file, throwing in a few edits, and sending it back. In some situations, such as court documents that typically are negotiated, then filed jointly (e.g., proposed pretrial and scheduling orders), this interaction occurs among parties who are adversaries in a lawsuit - the farthest thing I can imagine from a trusted exchange.
This alone allows substantial opportunity for exploitation. Even if you don't know any specific filenames, it seems as though you could easily grab the Registry, which is always named the same thing, and learn at least some path and filename information from it. And also keep in mind that many firms (not ours, fortunately) use a stupid auto-format that appends the path and filename into the footer of a document. Let's say I was an unscrupulous lawyer co-drafting a scheduling order, and knew about this exploit. I might go through the earlier files and records in the case, and look at the briefs my opponent filed. If the filename was in the footer, I could rig the scheduling order to get the brief, which would contain not only the printed text I'd already seen when the brief was filed, but perhaps leftover redlines, comments, those mysterious fragments at the bottom, etc.
To answer your obvious questions: (1) no, I haven't tried it, and I'm not planning to, so I don't know if it would actually work, and (2) I have sent the Bugtraq link to the one non-worthless person in our IT department, and (3) yes, I realize this is not a macro exploit technically, so turning macros off won't help. But folks, this is really scary, and I am sure that legal practice is not the only line of business where "enemies" or untrusted parties exchange Word documents via email. That is how the world does business these days.
Faith in Microsoft? (Score:4, Funny)
"It's incredible to me that Microsoft would turn its back on Word 97 users," said Woody Leonhard, who has written books on Microsoft's Word and Office software. "They bought the package with full faith in Microsoft and its ability to protect them from this kind of exploit."
To paraphrase Douglas Adams, "Bill says, 'I refuse to fix bugs, for patches deny faith, and without faith I am nothing.' "
Re:Faith in Microsoft? (Score:3, Funny)
If only Bill could disappear in a puff of logic.
isn't it odd (Score:3, Interesting)
I just wonder... did qualcomm try to blackmail microsoft first, before releasing the "scoop" on the bug?
Re:isn't it odd (Score:2, Insightful)
Secondly... are you just grabbing conspiracy theories out of thin air? Where did you even come up with this? I would like to know.
Re:isn't it odd (Score:2, Interesting)
Re:isn't it odd (Score:3, Insightful)
You're confused: Microsoft released the bug. Qualcomm just did a little free QA.
Hmm.. Screwing 97 users, huh? (Score:2)
Up in the air. May. Key words and phrases that denote that no final decision to "screw" users of '97 has been made.
Of course, 'bugged' documents could easily be captured by any number of third party virus scanning suites, which I would surely hope any user in an office environment who opens e-mails with reckless abandon would use.
catching up to emacs (Score:2, Funny)
MS-Word and document exchange (Score:5, Informative)
Old software is a risk? (Score:4, Insightful)
I am having a hard time getting my head around the concept that newer software equals software with "less risk". I do not understand why a product, open or closed, is inherently more "risky" due to its age. Perhaps she means un-patched old software? Is she advising users of a genuine risk, or is she making the case for a revenue stream and saying that IS Managers who do not stay "less old" in their application selections are jeopardizing their companies? Although she admonishes Microsoft to fix the problem, it seems her implication is that said managers are negligent, as opposed to the software vendor who may or may not patch the hole they wrote.
Re:Old software is a risk? (Score:2)
You're not the only one. One of the main reasons why Office 97 is still in use is because of how long it has been around to prove itself. I know my company tests software fairly extensively before making any mandatory desktop upgrades - Office 97 is still the standard here, and Windows 2000 wasn't installed across the company until last fall. When productivity (money) is at stake, most companies will not risk switching to unproven software, and many might choose not to switch at all if the existing solution works. It is especially true with Windows that any significant change could result in serious problems, no matter how much testing has been done. Multiply that by thousands of employees, and that's some serious IT overtime, er, I mean decreased productivity.
Re:Old software is a risk? (Score:3, Insightful)
Not True (Score:5, Informative)
That's not entirely true. It is true that before this story broke, Microsoft had no plans on updating or offering any new fixes for anything '97.
However, CNN and AP reported this morning that Microsoft hasn't ruled out a fix and that they are in the process of determining what it would take to make a fix available.
hidden codes (Score:2, Insightful)
"Microsoft suggests users view hidden codes in every document they open"
Most people I know don't even like looking at non-printable characters...
While they're at it, they may as well suggest that everyone examine binaries manually before they run them.
It's not surprising (Score:2, Insightful)
file sharing (Score:3, Funny)
Ridiculous (Score:2)
Satirizing this stuff is almost obsolete. Your word processor can send confidential files without you knowing it? What's next, your email client and movie player? Oh
See? That's hardly even funny anymore - people expect it. Timothy's right, though - the rubber meets the road with the IT manager. When users come to you asking for an office suite for home, play up what a nightmare Microsoft malware is, and how easy and free OS software is. People are starting to get this, and OS software is going to empower them.
Re:Ridiculous (Score:5, Insightful)
No, I'd say use your head and give some insightful advice, rather than spout off like a ranting zealot. Don't "play up" anything. Give the truth.
Don't lie about how easy it is to install and configure the OSS equivalents. Don't pretend they're going to be 100% compatible. And in gods name, stop with the "microsoft owns your soul" rants. Once that user realises you lied, there goes your credibility, your 'stroke'. Next time they'll ask for advice from the kid at the counter of the local Office Depot.
If OSS is going to 'empower' people, it won't be through a bunch of FUD and politics. Let it sink or swim on its own virtues.
This isn't a message directed at you, but rather to all who want to actually help open source be taken seriously.
Re:Ridiculous (Score:5, Interesting)
We had this paper tiger straight from the "newbie factory" of the local college. We had a task for a particular client, which boiled down to a fileserver with a big shared folder for images (photos).
So, this kid starts immediately frothing at the mouth about linux and SaMBa. He lied (probably out of ignorance) about how it's completely seamless on a Win2k network. He ranted about how much we'll save by not having to pay to license another copy of Win2k for the client.
Well, he got the marketing types convinced. Next thing I know, we're (we as in ME, I do the work around here) knee deep in all the kludges, hacks and nonsense involved in getting the SaMBa box to work exactly as we wanted it to, logging onto the Win2k domain, retrieving user lists, faking NTFS security, etc.
The management, the client, everyone involved became increasingly frustrated.
Long story short, we pissed away countless man-hours before finally acquiescing and just installing another Win2k pro box, which took all of 5 minutes to configure.
The kid has since left, and now about 6 months later, I have other projects that scream for the likes of linux, SaMBa, MySQL. No one in this office wants to hear it, and think I've become some sort of zealot.
To me, it's just a matter of the right tool for the right job. SaMBa wasn't the right tool for that task, but it is for others. But the frenzied ideology has basically driven it out of this office, at least for the time being.
It's just an anecdotal example of how one well-meaning zealot can do much more damage than good. It happens to be one of my pet peeves.
So, in the meantime, I continue to advocate OSS solutions where they're practical. And it's slowly but surely working. I was actually allowed to use a spare pentium box and CoyoteLinux to replace a buggy router in our testing 'bullpen'.
I guess I don't see OSS as 'a cause'. I try to think through problems logically and practically. Sometimes OSS is a logical, practical solution. Sometimes not. I just hate my options being slowly limited as people in the 'industry' line up on one side of the imaginary fence or the other.
You say to-may-to, I say to-mah-to. (Score:2, Funny)
Hey, new feature in Word!
10 years (Score:2, Insightful)
Why not apply the same rule to software security fixes? Sure would do a lot to motivate better design.
Re:10 years (Score:2)
Why not apply the same rule to software security fixes? Sure would do a lot to motivate better design.
Because software isn't really regulated. Think about it...can you build your own "open-source" automobile and operate it on public highways without it being approved by the Department of Transportation? I'm not sure, but I'm guessing you can't.
If the software industry is forced to make "security fixes" available for 10 years after initial release, then there will have to be some kind of authority that approves software packages (which of course would cost money) such that a company is legally responsible. Then there would be even less incentive for businesses to use open-source packages because their closed-source competitors have to legally provide 10 years worth of security fixes.
Some clarification (Score:5, Informative)
2) I was not out to find yet another M$ bug. I was using Word for my daily work when I stumbled onto this. It was one of those "I wonder what this button does" things.
3) The vulnerability is actually a lot more serious than the AP and bugtraq posts reveal. There is actually a way to skip the last step where the victim returns the bugged file. In other words, just editing and saving (or printing) the bugged file is sufficient. Look for a new bugtraq post early next week.
Re:Some clarification (Score:3, Insightful)
I'd ask that it be modded up but its already maxed out.
If you can persuade someone to do that... (Score:2)
If people are going to be doing this to documents from people they don't know, I don't know how they're going to be smart enough to figure out that joe12345@hotmail.com isn't actually their tech support guy/marketing person/whatever who needs this file for some real reason?
Re:If you can persuade someone to do that... (Score:2)
Silly users (Score:2)
That and the fact that most people don't delete their old mail.
stealing files? (Score:2)
maybe we can get the riaa involved and sic them on M$ since it's M$ that is causing the 'file sharing' violation (ie, if some user 'shares' files via Word that weren't for public consumption).
wouldn't that be schweet to get M$ in trouble with the riaa. I'd buy a ticket to THAT event!
New backdoor policy. (Score:4, Interesting)
Refer to:
http://news.com.com/2100-1001-273276.html
Simple solution? (Score:2, Funny)
Uh huh. Like that's going to happen.
I imagine next month they're going to suggest that everyone view the source for web pages they visit to get around the latest IE bug.
Is this a macro virus? (Score:3, Funny)
It strikes me that I know enough VBA that I could probably write some horrific trojan
While no great supporter of his Majesty Satanic, this article seems rather a stretch of the
Come to think of it, such a stunt is likely also possible in Word Basic under Lose3.1, for the 286 diehards out there. Shall we also excoriate Redmond for failing to skin dive in that septic tank of code? Some old bastard in Scotsdale, AZ might be writing his memoir using that application, you know...
A Poorly-Written Article (Score:3, Funny)
Incidentally, Microsoft isn't "leaving millions of users of Word 97 without a fix." The fix is to upgrade your five-year-old copy of Word, get all the "great" features Microsoft has included since 97, and put money into Microsoft's coffers so they can develop great new features for Word 2007. Of course, that's Microsoft's solution. The better solution is to wipe your hard disk and download the Red Hat ISO or buy a Mac before you become further entangled in Microsoft's web.
If they were that gullible, this is the least worrisome of their problems. FUD in an AP article? I am shocked! I hope that's not the fix. "Ford suggests drivers check their oil and tire pressure before each time they start their cars."
Re:A Poorly-Written Article (Score:3, Funny)
WORD (Score:2)
Microsoft suggests... (Score:2, Funny)
Microsoft. What insecurity do you want to exploit tomorrow?
targeted audience (Score:2)
The article mentions that the reason this is an issue is because the manner in which files would be stolen follows a normal business process among corporate types... Receiving an email from a company member. Editing it (for markup or review), then sending an email to someone else. Secretaries are good candidates for generic attacks, since they'd often need to review documents. But even executives are prone to such inattentive activity.
this is insane (Score:3, Interesting)
Insane. You know, if Isuzu discovered a fatal flaw in all Rodeos going back through 1997 yet announced they were only going to provide fixes for models '00, '01 and '02 there would be a congressional investigation.
Completely insane.
Re:this is insane (Score:4, Insightful)
This is what makes me not use M$. (Score:5, Insightful)
But, referring to Microsoft engineers, McGee said "there's only so far back they can go."
No. There's only so far back they WILL go. There is a HUGE difference. Microsoft has CHOSEN not to support it, it's not that they can't.
What's the issue? (Score:2)
Come on....Word 97? Who expects Microsoft to do something to fix problems in that? They have had 2 major (4 if you include the Mac versions) releases since then. You think Netscape is going to issue a patch for 4.7x now that version 7 is out? Just one example of many.
Ending support issue (Score:2, Informative)
Really another reason to use openoffice? (Score:4, Insightful)
If you are using Word97 and somebody else is using WordXP. The other person will get the patch.
Opensource software now...
You are using KDE1 and somebody else is using KDE3. Security Hole X that is in both. KDE3 will get 'patched' or at least fixed, I doubt that KDE1 will get fixed. The only benefit here is that you could potentially fix it yourself, but if you are using KDE1 I doubt you really would.
Re:Really another reason to use openoffice? (Score:4, Informative)
Instead, they release a new version with the bug fixed. Usually code patches are available, but how many people using KDE actually compiled their version?
Ok, so commercial software and open source software developers really want their users to use the most up to date versions. The difference is, MS wants their users to fork out a few hundred $$$ for their new fixes and gotta-have features. For KDE, you can just download the latest version or get it from a friend. That's why MS is evil for not patching '97. People paid a lot of money for it and expect MS to support it. I personally can't see any feature worth paying several hundred dollars for an upgrade to Office 2000/XP over '97 and neither can millions of their customers.
Now you tell me who's looking out for their users.
Eventually Microsoft won't even bother (Score:2)
Since the service period will have expired, Microsoft will not be fixing this problem, and will instead recommend upgrading to OfficeBall Z for $1000 a copy.
perhaps overstating the obvious but... (Score:2, Interesting)
It makes me wonder if MS marketing is blowing the bug way out of proportion -- the average user hears 'Word 97 will let people STEAL your documents' and runs down frantically to the local CompUSA and buys a copy (or 2 or 3, depending on how many machines, of course
I haven't seen a proof of concept or anything, but I wonder how serious this bug really is. Just my $0.02 US.
Check this out... (Score:5, Interesting)
Near the bottom there is often information from other documents of the sender that they were recently working on. I don't know why it saves this. Maybe something to do with the undo buffer?
At work I used to look at internal memos that would be sent out on a weekly basis and find out all sorts of other stuff that was going on.
Re:Check this out... (Score:3, Informative)
There's some other ways of getting weird extraneous data dumped into Office files -- see this Microsoft Knowledge Base document [microsoft.com] for more info. Fast saves are by far the worst culprit, though.
If you're really concerned about this sort of thing, the best thing to do (besides using a different office suite) is to pipe public documents through GNU strings first to make sure nothing conspicuous is embedded.
Excuse me? (Score:3, Interesting)
They say that like other companies don't orphan software after 5 years. Programs become obsolete. Are we to ask Adobe to support Photoshop 4 still after it's had (at least) two major releases after it?
MS Word == newest P2P client? (Score:3, Funny)
Word in Insecure (Score:3, Insightful)
Bizarro World (Score:3, Insightful)
Intruders (Score:4, Funny)
This horrible bug could even allow invaders to install malicious or undesirable software such as MS-Word 97.
Oh, wait
Yet another reason to try OpenOffice.org (Score:3, Insightful)
What, you mean linus still produces patches for 1.1.x? Or that samba still fixes holes in 1.8.x? Or that apache still fixes holes in 1.2.x?
Re:Yet another reason to try OpenOffice.org (Score:3, Insightful)
No, but Linus, Samba and Apache don't charge $200+ for the updated versions of their software with the bugs fixed.
Re:Yet another reason to try OpenOffice.org (Score:3, Informative)
Actually, there are still new releases to the 2.0 kernel series, which is the "circa 1997" (think "Word 97") kernel series. They're at 2.0.40-pre6 right now.
Of course, perhaps the original poster meant that people should try OpenOffice not because patches are released for older versions of Open Source software, but rather because the upgrade to the latest, fully patched version is free?
A Fix! (Score:4, Informative)
Sub AutoOpen()
    '
    ' IncludeTextBarrer Macro
    ' Macro created 9/13/2002 by Geoff Speare
    ' Created for Word 2000, use at own risk, etc.
    '
    Dim count As Integer
    Dim vbFix As VbMsgBoxResult
    Dim blFoundOne As Boolean
    blFoundOne = False
    For count = 1 To ActiveDocument.Fields.count
        If ActiveDocument.Fields(count).Type = wdFieldIncludeText Then
            blFoundOne = True
            vbFix = MsgBox("An INCLUDETEXT field has been found. Would you like to lock it? " & _
                "(Select All and then Ctrl-4 will unlock all fields if you change your mind.)", vbYesNo, "INCLUDETEXT Exploit Detection")
            If vbFix = vbYes Then
                ActiveDocument.Fields(count).Locked = True
            End If
        End If
    Next
    If blFoundOne Then
        MsgBox "Your document may have a field which secretly includes text from another file. You may wish " & _
            "to Reveal Field Codes (ALT-F9) and examine the document closely before saving or distributing it.", vbOKOnly, _
            "INCLUDETEXT Exploit Detection"
    End If
End Sub
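The macro above runs inside Word, and the "pipe it through GNU strings" advice in the "Check this out..." thread works on the file from outside; the following is an added example (not code from any poster) that combines the two by scanning raw file bytes for INCLUDETEXT field codes before a document is opened. It goes slightly beyond the thread by also covering RTF; the function names and sample bytes are constructed for illustration, and the field-mark bytes (0x13/0x14/0x15) and the RTF \fldinst control word are taken from Word's file formats, not from this page.

```python
import re
import sys

# In Word's binary format a field is bracketed by control characters in the
# text stream: 0x13 begins it, 0x14 separates code from result, 0x15 ends it.
# Requiring the begin mark means prose that merely mentions the keyword
# (which a plain "strings | grep" would flag) is not reported.
_KEY = b"INCLUDETEXT"
_KEY_WIDE = re.escape("INCLUDETEXT".encode("utf-16-le"))

_SCANS = [
    # (label, pattern capturing the field instruction, encoding to decode it)
    ("doc-8bit",
     re.compile(rb"\x13[ \t]*" + _KEY + rb"([^\x13\x14\x15]{0,400})", re.I),
     "cp1252"),
    ("doc-utf16",
     re.compile(rb"\x13\x00(?:[ \t]\x00)*" + _KEY_WIDE
                + rb"((?:(?![\x13\x14\x15]\x00)..){0,400})", re.I | re.S),
     "utf-16-le"),
    # RTF keeps the field instruction in a {\*\fldinst ...} group.
    ("rtf",
     re.compile(rb"\\fldinst\b[^}]{0,200}?" + _KEY + rb"([^{}]{0,400})", re.I),
     "cp1252"),
]


def find_includetext(data):
    """Return sorted (byte offset, format label, instruction text) tuples."""
    hits = []
    for label, pattern, encoding in _SCANS:
        for m in pattern.finditer(data):
            instruction = m.group(1).decode(encoding, errors="replace").strip()
            hits.append((m.start(), label, instruction))
    return sorted(hits)


def target_of(instruction):
    """First argument of the instruction (the file it pulls in), quotes removed."""
    m = re.match(r'"([^"]*)"|(\S+)', instruction)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


# Constructed sample inputs (not taken from any real document).
_FIELD = '\x13 INCLUDETEXT "C:\\\\example\\\\notes.txt" \x14\x15'
SAMPLE_8BIT = ("Please review.\r" + _FIELD + " Thanks.").encode("cp1252")
SAMPLE_UTF16 = ("Please review.\r" + _FIELD + " Thanks.").encode("utf-16-le")
SAMPLE_RTF = (rb'{\rtf1\ansi{\field{\*\fldinst INCLUDETEXT '
              rb'"C:\\\\example\\\\notes.txt"}{\fldrslt }}}')
SAMPLE_PROSE = b"Reveal field codes (ALT-F9) and look for INCLUDETEXT entries."


def main(paths):
    """Scan each file; return 1 if any INCLUDETEXT field was found, else 0."""
    found = False
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        for offset, label, instruction in find_includetext(data):
            found = True
            print(f"{path}: {label} field at byte {offset}: "
                  f"INCLUDETEXT {instruction!r}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A hit is a reason to reveal field codes (ALT-F9) and read the field before saving or returning the file, not proof of intent, since INCLUDETEXT has ordinary uses. Encrypted or compressed containers are not unpacked by this scan.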
Obligations to fix flaws (Score:2, Insightful)
This lack of responsibility on the part of proprietary software developers is one of the main selling points of open source software. It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix.
Allowing users to steal files obviously falls on the major problem side of the line, but many other problems are in a gray area that is difficult to define. Besides this, most users find that the bugs they consider to be "major" are different than those other users might consider important, based on the way they happen to use the software.
Just another argument for using open-source software whenever you possibly can. If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?
Re:Obligations to fix flaws (Score:2)
Re:Obligations to fix flaws (Score:4, Interesting)
1: I didn't write the software in the first place.
2: I'm not a full time programmer, I'm an administrator.
Re:Obligations to fix flaws (Score:2)
Although I am holding an oar next to you in your boat, the point is that you CAN. With closed-source products, you don't even have that option.
Re:Obligations to fix flaws (Score:2, Insightful)
[T]he point is that you CAN. With closed-source products, you don't even have that option [to correct flaws yourself].
No, no, no. The point is that one MAY. One has the right to, and one has access to the building materials. In no way does that grant one the ability to implement [nearly any significant set of] fixes. It is unfortunate the distinction is either lost or assumed in these discussions.
Re:Obligations to fix flaws (Score:2)
Are you saying that open source software developers are any more legally responsible for fixing their bugs than closed source?
Re:Obligations to fix flaws (Score:4, Insightful)
Just another argument for using open-source software whenever you possibly can. If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?
Yeah, 'cuz whenever I suspect a shortcoming in the Linux kernel, I break out emacs and beat it back into shape. Right. After I correct any perceived shortcomings in emacs, that is.
I could always hire or convince someone else to fix a problem for me (with open source software), but that might rapidly amount to an obscene monetary or temporal cost (for an individual to bear) after adding up each fix requested, and doing so still leaves the decision to someone else.
So, I basically have to be able to (a) understand and (b) correct the code "behind" the software packages I use in order to derive full benefit from open source software? That line of thinking doesn't seem very compelling to me.
Nine times out of ten (at least), the only difference is that I, as an end-user, am waiting for a different group of people to improve the products I use. Maybe they'll fix it, maybe they won't -- because, as you point out:
Food for thought?
Re:Obligations to fix flaws (Score:5, Insightful)
Open source developers are more responsible than closed source developers? Could you please tell me why?
It's so difficult to define what constitutes a "major" problem, and what the seller should be obligated to fix.
Does it work as a word processor? Will it allow you to read, write, print, and format documents? Well if it didn't do those, then I would say it is a major problem. If it emailed personal information to random people on start up, then I would call it a problem, or if it caused your firewall software to crash every time you opened a .doc file, I would call it a major problem.
If you discover a bug like this and the author isn't willing to fix it, you can always fix it yourself. Why would you ever want to leave this decision to someone else?
Perhaps because I am not a software engineer, and I know that my mother barely knows how to operate the mouse, let alone debug complex software.
The problem here, is that someone found a way to exploit a Microsoft Word Feature. Now we can tell them to do things in the name of security, oh wait, isn't that what we all complain Bush is doing?
A very famous man once said something along the lines of "They who would give up an essential liberty for temporary security, deserve neither liberty or security".
You are giving up features for temporary security. Anything Microsoft does will be a temporary fix. There are enough hackers out there that hate microsoft that no matter what, they will find a new way to exploit the software. Now before I hear any, "that's because microsoft sucks, use linux" comments, if all the people out there trying to find cracks and exploits for MS Software were instead going against Linux, or other open sourced applications, you'd find just as many problems.
Don't believe me. Put up an Apache web page on a linux box, or what ever opensourced so. Now have the only line on the page say "You can't hack this box". Get a link somewhere that people are going to see it, and then talk to me in a month as to how safe your page was.
Re:Bad Developer, BAD! (Score:3, Funny)
Re:Bad Developer, BAD! (Score:3, Interesting)
"Now that we got you hooked and your company has standardized on our product and all of your documents are in our proprietary format...if you want a version that really works (or doesn't possibly expose your data to damage), pay us $200 (a year) for the upgrade!"
Re:Bad Developer, BAD! (Score:2, Insightful)
Well, that sounds like an excellent motivator to try harder to get it right the first time!
Re:Bad Developer, BAD! (Score:5, Insightful)
>try harder to get it right the first time!
Name one major software product that has been bug-free from initial release.
For that matter, name one major software product that has ever been bug-free at any point in its lifetime.
-l
Re:Bad Developer, BAD! (Score:2)
But on a serious note I think that there are bugs and then there are bugs. And this certainly falls into the latter category. So I think instead of just saying bug one should say glaring borderline negligent bugs should fall under this. And I can name many major software products that have *never* had anything even close to this bad.
Re:Bad Developer, BAD! (Score:5, Funny)
Citronella candles?
Re:Bad Developer, BAD! (Score:2)
In the U.S., anyway.
And it isn't quite a 5 year old product -- almost. It actually shipped in late November 1997 *AND* with a major flaw -- it couldn't export Word 95 format correctly, even though it claimed it could. It only did RTF. They fixed that in February 1998.
Re:Riiiight (Score:3, Insightful)
Seriously, I would like to hear one compelling reason to upgrade from Word 97 to a newer version if all you use word for is word processing and basic mail merge.
Re:Riiiight (Score:2, Flamebait)
We are currently planning to upgrade to Windows XP in the next 6 months, but the plan is for us to continue to use Office 97 as there are no compelling business reasons for us to upgrade to later versions.
Office 97 does *everything* we need it for. Period.
Visio 2000 is the only 'recent' version of any Microsoft software that we currently use.
Re:Riiiight (Score:3, Funny)
You are of course assuming that our IT group is stable enough to perform that kind of testing...
Re:Is it just Microsoft with this problem? (Score:2)
I say this only because it's so obviously not an exploit if the user must willingly select a file, even if s/he is not aware of what action spawned the file dialog window.
I think it's a pretty serious exploit if that is indeed the case.
Re: (Score:2)
Re:Why OpenOffice ? (Score:2, Informative)
I actually just installed OpenOffice on my home PC's Win2k drive (still gotta get it for the Linux drive). I have to admit that I've never tried GobeProductive, but I did use the old StarOffice (5.2) for a while. I thought it stunk. OpenOffice is quite comparable to MS Office in terms of usability. On my system it was quite a bit faster than MS Office as well. So let's see, OpenOffice is (1) free, (2) compatible (> 90%, probably) with MS Office, (3) available right now for multiple OS platforms. Granted, GobeProductive might be faster than OpenOffice, but come on, do you really need the file to open instantaneously?
Maybe someone will come up with a quantum office productivity suite that will open files before you need them...