Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Microsoft To Block Flash In Office 365 Starting January 2019 (bleepingcomputer.com) 42

An anonymous reader writes: Microsoft plans to soon block Flash, Shockwave, and Silverlight content from activating in Office 365, it said. The block, however, will only be applicable in Office 365 subscription clients -- and not in Office 2016, Office 2013, or Office 2010 distributions, the company added. The change is set to come into effect starting January 2019. This is a full-on block, and not just Microsoft disabling problematic controls with the option to click on a button and view its content, BleepingComputer reports. The block means that Office 365 will prevent Flash, Shockwave, or Silverlight content from playing inside Office documents altogether.

Microsoft cited various reasons for taking this decision. It said that malware authors have abused this mechanism for exploit campaigns, but also that Office users rarely used these features. In addition, Microsoft said it was also taking this decision after Adobe announced Flash's end-of-life for 2020.

This discussion has been archived. No new comments can be posted.

Microsoft To Block Flash In Office 365 Starting January 2019

Comments Filter:
  • by Oswald McWeany ( 2428506 ) on Tuesday May 22, 2018 @09:06AM (#56652850)

    Whilst I have to commend MS taking the action to remove these nasties from Office, I have to ask... ... why did it allow them in the first place?

    • by MachineShedFred ( 621896 ) on Tuesday May 22, 2018 @09:10AM (#56652874) Journal

      Likely for HTML emails. And yes, that's still stupid.

    • why did it allow them in the first place

      I remember once the goal of computers was to be able to do anything anywhere regardless of whether it made sense to do so. Complete seamlessness on both an application and content level. It's a logical extension of OLE allowing native editing of spreadsheets embedded in word documents for instance. Not a crap goal by any means, but one that in its generic case may not make a lot of sense for individual specific use cases.

      It stands to reason that a content element completely ballsed up from a security point

    • by jellomizer ( 103300 ) on Tuesday May 22, 2018 @10:05AM (#56653240)

      Well lets go back 20 years.
      HTML 3 was the common version of HTML. Which had a lot of necessary features missing, So tools like Java Applets, Active X Controls and Macromedia Flash were made to fill in the Gaps. It wasn't great but it solved the problems that was happening.
      Java Applets were always really slow, Active X was insecure and dangerous, Flash was the fastest at the time, and worked across platforms.
      Microsoft later made Silverlight to try to take over Flash, with minimum success.

      Active X and Silverlight were part of Microsoft Browser War arsenal. Because Microsoft was hoping by winning the browser war, they would have control of the standards. While they won the war by IE 6, their objective to control the standards didn't pan out too well. However its attempt created a large number of legacy programs that used such plugins. That is hard to get rid of.

      Now that HTML 5 Supports most of what These legacy plugins did. They are no longer needed, but removing them needs to be a gradual planned event.

      Why did they start in the first place? Because the standard wasn't fully supporting the features that were needed.

      • by tepples ( 727027 )

        HTML 3 was the common version of HTML. Which had a lot of necessary features missing, So tools like Java Applets, Active X Controls and Macromedia Flash were made to fill in the Gaps.

        Yes, there were some gaps in HTML's styling model, which CSS eventually resolved. But quite a few vocal Slashdot users, particularly those who have disabled JavaScript, would argue that there were no serious gaps in a document format to begin with.

        • Instead of a Java applet, a software publisher could instead ship a stand-alone Java application that the user could choose to download and install.
        • Instead of an ActiveX control, a software publisher could instead ship a stand-alone Windows application that the us
        • Except that general users were being told that downloading and installing apps was a surefire way to get a virus. Something that just ran in the browser was seen as safe (for a while anyway).

      • by Gr8Apes ( 679165 )
        Honestly, as a document format HTML was pretty much fine for everything necessary 20 years ago. Applets/ActiveX/Flash were providing interactive functionality that HTML was never intended to supply.
  • by Anonymous Coward

    If they're worried about security, shouldn't they also block virus vectors such as MS Word and Excel?

  • by Anonymous Coward

    Houston, we think we found the problem, and it is us.

    • At the company I work for we use a sever products that have exclusive interface with Flash or Sliverlight. Our concern is what happens when these products have reached thier End of Life. I know the first thing a lot of people will say is 'switch vendors'. It's not that easy.

      We would love to but we have contracts, working relations, and thousands of hours of setup and training on these products. We are looking for alternatives. But until we find them we have to launch VM's for these applications.

      • by darkain ( 749283 )

        I still use HP LaserJet 2100 printers in production. They are a little slow and clunky, but are otherwise perfect. No maintenance needed after setup other than paper filling once a week and toner every several months. They have a "web" based configuration interface though, and by web I mean it loads a bunch of Java applets (one per menu, and another for the main body). I keep a WinXP VM around with Java 6 and Internet Explorer 6 just for this particular case. I'd honestly suggest building things like this n

    • If that update will be like the updates to Windows 10, expect that the first version will Flock Bash.
  • They were able to play in *Office* before? Seriously? Why?

  • I've never seen any Office documents embedded with Flash, Shockwave or Silverlight inclusions that I know of. Blocking these because they could contain malware means that someone will, or has already, figured out another vector to inject malware into Office files. Others more knowledgeable can comment on the possibility.
  • Ok, Javascript next, please.

    Oh. Wait...

    • by tepples ( 727027 )

      Say you are designing a form into which a user can enter data, and the requirements for this form include quickly validating data on the client side to give feedback that is faster than a round-trip for authoritative server-side validation. Not all users of this form are using the same operating system. Other than JavaScript, what means for real-time client-side validation would you prefer?

      • Javascript in a web application, using a browser for input that runs in a sandbox.

        Next question.

        • by tepples ( 727027 )

          Question 2: A vocal minority of users file support tickets to the following effect: "I don't want any JavaScript. I liked HTML better back when it was a document format." What should I tell them?

  • by ErikTheRed ( 162431 ) on Tuesday May 22, 2018 @10:34AM (#56653442) Homepage

    Yet they still try to cram Silverlight down our throats continuously on Windows Server updates (yes, I know that with enough hassle this can be turned off, but...). There are probably like six people using it for some oddball VDI application; for the rest of us it's a stupid nuisance.

  • It's not the technologies, it's the platforms that implement the technologies and the crappy code they represent that create the exposure. But it's
    easier to just block the technologies.

    On a positive note, I guess this shows folks on O365 how easily their TOS can be fucked with.

    • So what you are saying, is that Flash would be completely excellent if it weren't for every flawed and exploitable version of Flash Player, and every web browser it ever plugged into, and every OS that ever ran it.

      But Flash is just fine, guys!

      In case you are sarcasm-impaired: Flash-specific security exploits don't work if Flash isn't there.

  • I didn't know you could even do this. So it won't be missed by me.

    Apparently the hackers knew though !

    I wonder if they'll get rid of all DCOM stuff though?!

  • In an Office 365 update last month, Microsoft removed EPS image support. The EPS filter had been defaulting to 'off' since last year (could only be enabled via the Registry), but now they've removed support altogether. Without warning, and without indicating to the user what has happened (the user just gets a red cross instead of an image).
    This has bitten us in the ass bigtime, as we have libraries containing thousands of EPS files, which are used for publishing to Word files. Needless to say, we're migrati

  • Adios, you motherflashing software cesspool.

Technology is dominated by those who manage what they do not understand.

Working...