PDA

View Full Version : Vulnerability in Microsoft Word (&viewer) & Works


davidh
December 6th, 2006, 06:39 PM
Microsoft Security Advisory (929433)

Vulnerability in Microsoft Word Could Allow Remote Code Execution
Published: December 5, 2006

Microsoft is investigating a new report of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006.

http://www.microsoft.com/technet/security/advisory/929433.mspx

Grinch :(

davidh
December 7th, 2006, 07:54 PM
Although Microsoft doesn't rate its advisories, others have pegged the new zero-day as critical. Danish vulnerability tracker Secunia, for example, labeled the new flaw as "extremely critical," the top-most ranking in its five-step scoring system.

http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=196602447

DH

ndebord
December 7th, 2006, 09:33 PM
Although Microsoft doesn't rate its advisories, others have pegged the new zero-day as critical. Danish vulnerability tracker Secunia, for example, labeled the new flaw as "extremely critical," the top-most ranking in its five-step scoring system.

http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=196602447

DH

Davis,

Thanks for the info (I use Word2000). The idea that it is a zero day flaw doesn't make me happy, nor does the anticipation that MS will not introduce a bug fix on the 12th.

fhaber
December 13th, 2006, 02:51 PM
Not patched in December's Patch Tuesday releases. "We're working on it, hard," is the MS line.

There's always Word 2007. I'll surprise you by saying that, on casual use, I find the new interface to be a work of near genius. Yes, I said that about something from Microsoft. And therein lies the rub.

And then there's the fact that it phones home, and could deactivate itself, and stores everything in XML unless you intervene, and leverages our facility with Word-previous hardly at all, and will be fatal for offices that depend on Visual Basic, cross-platform (Macs). Difficult decision.

Lindsey
December 13th, 2006, 05:05 PM
There's always Word 2007. I'll surprise you by saying that, on casual use, I find the new interface to be a work of near genius.
Wouldn't be hard, IMO, to improve on the version I'm using now (part of the Office 2003 suite). I pasted a table from Excel into a blank Word document the other day, and then wanted to insert some text above the table. Never could figure out how to do it, and finally ended up giving up and doing without.

Then there are the work order forms for our banking software vendor that formatted in Word. Never have figured out how to copy and paste text into them without the pasted text being treated as a numbered list. And I can't make the numbers go away! Very frustrating. Thank goodness they have recently started accepting work orders through their customer portal on the web. But there are just innumerable instances in which trying to make Word do what you want it to do is like trying to convince a 2-year-old to finish his supper. You know you're not going to win in the end, and you're just going to end up with a mess to clean up for your trouble.

And then there's the fact that it phones home, and could deactivate itself, and stores everything in XML unless you intervene ...
Ah, geez. Is it one of Microsoft's development specs that obnoxiousness has to be included with any new feature?

--Lindsey

ndebord
December 13th, 2006, 07:44 PM
Not patched in December's Patch Tuesday releases. "We're working on it, hard," is the MS line.

There's always Word 2007. I'll surprise you by saying that, on casual use, I find the new interface to be a work of near genius. Yes, I said that about something from Microsoft. And therein lies the rub.

And then there's the fact that it phones home, and could deactivate itself, and stores everything in XML unless you intervene, and leverages our facility with Word-previous hardly at all, and will be fatal for offices that depend on Visual Basic, cross-platform (Macs). Difficult decision.

Frank,

Not difficult at all. I will move to WordPerfect if forced and since I'm on W98se, all the new stuff doesn't make me happy. If I had any choice in the matter, I would still be using Word6 (and perhaps Word6 for DOS).

ndebord
December 13th, 2006, 07:47 PM
Then there are the work order forms for our banking software vendor that formatted in Word. Never have figured out how to copy and paste text into them without the pasted text being treated as a numbered list. And I can't make the numbers go away! Very frustrating. Thank goodness they have recently started accepting work orders through their customer portal on the web. But there are just innumerable instances in which trying to make Word do what you want it to do is like trying to convince a 2-year-old to finish his supper. You know you're not going to win in the end, and you're just going to end up with a mess to clean up for your trouble.

--Lindsey

Lindsey,

The formatting problem is something I deal with all the time in Big Pharma. My solution has been a kludge. I use a DOS text editor (QEdit) as a cutout. Copy to it, paste back into Word, and all the formatting crap goes away. Word is infuriating in the way it picks up formatting.

Judy G. Russell
December 13th, 2006, 10:24 PM
There's always Word 2007. I'll surprise you by saying that, on casual use, I find the new interface to be a work of near genius. Yes, I said that about something from Microsoft. And therein lies the rub.

And then there's the fact that it phones home, and could deactivate itself, and stores everything in XML unless you intervene, and leverages our facility with Word-previous hardly at all, and will be fatal for offices that depend on Visual Basic, cross-platform (Macs). Difficult decision.Oh geez... ain't that a conundrum, and then some!

Lindsey
December 14th, 2006, 09:43 PM
The formatting problem is something I deal with all the time in Big Pharma. My solution has been a kludge. I use a DOS text editor (QEdit) as a cutout. Copy to it, paste back into Word, and all the formatting crap goes away. Word is infuriating in the way it picks up formatting.
I'm pretty sure I tried that. Didn't make any difference. Something to do, I think, with the way the form itself is set up.

--Lindsey

ndebord
December 14th, 2006, 10:17 PM
I'm pretty sure I tried that. Didn't make any difference. Something to do, I think, with the way the form itself is set up.

--Lindsey

If you're just using the cut and paste method of NT, then it will probably pick up the old format. However, if you actually paste it into QEdit (and I would assume any number of other DOS editors), when you rehighlight it and paste it into Word, the formatting should be stripped out.

Lindsey
December 15th, 2006, 12:03 AM
If you're just using the cut and paste method of NT, then it will probably pick up the old format. However, if you actually paste it into QEdit (and I would assume any number of other DOS editors), when you rehighlight it and paste it into Word, the formatting should be stripped out.
No, that's what I did -- it wasn't QEdit, it was either TextPad or UltraEdit -- but it didn't make any difference. (I should note that the original was just ordinary paragraphed text; I'm not sure just what it was that made Word treat it as a numbered list, but I think it must not have been anything to do with something embedded in the text, since it did the same thing when copying from a plain text file.)

--Lindsey

Judy G. Russell
December 15th, 2006, 12:14 AM
No, that's what I did -- it wasn't QEdit, it was either TextPad or UltraEdit -- but it didn't make any difference. (I should note that the original was just ordinary paragraphed text; I'm not sure just what it was that made Word treat it as a numbered list, but I think it must not have been anything to do with something embedded in the text, since it did the same thing when copying from a plain text file.)Word is such a PITA for thinking it knows better than you do how you want something formatted. GRRRRRRR!!!

sidney
December 15th, 2006, 01:28 PM
Well, there's always OpenOffice.org which has just released version 2.1. I haven't played with that version much yet, but version 2.0.x has worked very well for me at reading in various Word and Excel documents and writing out documents that were readable by other people who use Word.

I'm not a fan of that whole genre of word processing that does what it thinks you want to do and who knows what that might be. I'm using LaTeX for all of my thesis work and scientific articles. There has been a learning curve, but I get to see everything that contributes to the formatting and tweak it until it is right without the frustration of the word processor fighting me in mysterious WYSIWYG-whether-you-like-it-or-not ways.

Judy G. Russell
December 15th, 2006, 03:10 PM
I'm not a fan of that whole genre of word processing that does what it thinks you want to do and who knows what that might be. I'm using LaTeX for all of my thesis work and scientific articles. There has been a learning curve, but I get to see everything that contributes to the formatting and tweak it until it is right without the frustration of the word processor fighting me in mysterious WYSIWYG-whether-you-like-it-or-not ways.Our office uses Framemaker from Adobe, which is much the same: a learning curve but enormous flexibility and it does what you tell it and ONLY what you tell it. But I hear Framemaker is being discontinued for the future. Sigh...

ktinkel
December 15th, 2006, 03:57 PM
Our office uses Framemaker from Adobe, which is much the same: a learning curve but enormous flexibility and it does what you tell it and ONLY what you tell it. But I hear Framemaker is being discontinued for the future. Sigh...They discontinued the Mac version several years ago. It is an odd beast, but Framemaker has some interesting powers, including straddle heads and almost good footnoting that page layout apps still do not have.

But at this point they either have to rewrite it substantially (and it isn’t Adobe code — they acquired it from Frame in more or less its current state) to work with OpenType fonts or have a growing support nightmare. So I wouldn’t be surprised to see it go away altogether in a year or so.

Adobe can be ruthless with acquired apps that do not fit neatly into their general plans. They have bought and shelved dozens of useful programs.

ktinkel
December 15th, 2006, 04:02 PM
'm using LaTeX for all of my thesis work and scientific articles. I used to use PageMaker for everything. It was tractable and I knew it very well, exports plain text if need be, and was always open on my desktop. Beat Word hollow.

But Adobe bought Aldus, and PageMaker is no longer useful. InDesign is much too cumbersome to be used that way. For me, anyway.

My late father-in-law did everything in dBase. He had an inherited KayPro, and that was the only program on it with any sort of documentation. So he wrote letters (and everything else) in data field-organized paragraphs.

sidney
December 15th, 2006, 05:15 PM
Our office uses Framemaker from Adobe, which is much the same: a learning curve but enormous flexibility

Framemaker has an interesting history. When I worked at Apple I knew someone there who had written part of it. He designed the portion of it that lets you express things using mathematical expressions. While doing that he ended up including the ability to do symbolic analytic evaluation of calculus expressions. It was never documented, since nobody figured out how to include it in the manual without confusing most of the users, but it was enabled in the default system. Talk about flexibility!

The symbolic calculus system was later the basis of a portion of the 3D graphing calculator accessory that he wrote for the first PowerPC version of the Macintosh. That product has an amazing story (http://www.pacifict.com/Story/) behind it. Windows came with a simple calculator. The PowerMac came with a 3-D animated symbolic calculus graphing calculator.

Lindsey
December 15th, 2006, 10:25 PM
Word is such a PITA for thinking it knows better than you do how you want something formatted. GRRRRRRR!!!
Amen to that!

--Lindsey

Lindsey
December 15th, 2006, 10:28 PM
I get to see everything that contributes to the formatting and tweak it until it is right without the frustration of the word processor fighting me in mysterious WYSIWYG-whether-you-like-it-or-not ways.
And again I say: Amen! That's what drives me the most crazy, that I can't see what it is that is telling Word to do what it is doing, and I therefore can't find a way to make it do something else instead.

--Lindsey

Judy G. Russell
December 16th, 2006, 08:39 AM
t this point they either have to rewrite it substantially (and it isn’t Adobe code — they acquired it from Frame in more or less its current state) to work with OpenType fonts or have a growing support nightmare. So I wouldn’t be surprised to see it go away altogether in a year or so.Adobe can be ruthless with acquired apps that do not fit neatly into their general plans. They have bought and shelved dozens of useful programs.All I can tell you is that my office will be patching Framemaker together to keep working long after I retire! It's perfect for book publishing.

Judy G. Russell
December 16th, 2006, 08:45 AM
The symbolic calculus system was later the basis of a portion of the 3D graphing calculator accessory that he wrote for the first PowerPC version of the Macintosh. That product has an amazing story (http://www.pacifict.com/Story/) behind it. Windows came with a simple calculator. The PowerMac came with a 3-D animated symbolic calculus graphing calculator.What an absolutely fabulous story... front page of the NY Times business section even!!! Those folks definitely deserve the title of Geek. With the capital letter.

Judy G. Russell
December 16th, 2006, 08:47 AM
Amen to that!To give you an idea of just how bad I think Word is, I have a solid rule with my students: Thou Shalt Not Get Help With Thy Classwork. (I'm not interested in grading what a student can do with tons of help; I'm interesting in grading what a student can do, and then helping the student do better.) But there's one exception to that rule: Thou Certainly Mayest Get Help With Thy Word Processing Program.

Judy G. Russell
December 16th, 2006, 08:49 AM
And again I say: Amen! That's what drives me the most crazy, that I can't see what it is that is telling Word to do what it is doing, and I therefore can't find a way to make it do something else instead.The thing I miss most about WordPerfect (everybody uses Word these days, damnitall) is the "show codes" command.

ktinkel
December 16th, 2006, 10:09 AM
All I can tell you is that my office will be patching Framemaker together to keep working long after I retire! It's perfect for book publishing.Well, for technical footnotey book publishing. Not too great for fiction or any book with requirements for really good typography.

But it is definitely a valuable piece of software for publishers, and it is a real shame to see it dwindling away.

Judy G. Russell
December 16th, 2006, 10:20 AM
Well, for technical footnotey book publishing. Not too great for fiction or any book with requirements for really good typography.OPur stuff is pretty footnote-free (thank heavens!) but I think you could make Framemaker do what you wanted with fonts and other typesetting issues a whole lot more than you could ever get Word to do it!

But it is definitely a valuable piece of software for publishers, and it is a real shame to see it dwindling away.There we agree 100% and then some.

Lindsey
December 17th, 2006, 12:13 AM
Thou Certainly Mayest Get Help With Thy Word Processing Program.
LOL!! And I like your philosophy about "no help with the classwork." I have a real problem with the amount of help that many schools now expect parents to provide for homework. Aside from the fact that parents may not really have a clue themselves what the assignment is about, it seems to me that too often the homework assignment becomes, in effect, a joint assignment for parent and child. And I have doubts about how much good that really does the child in the long run.

--Lindsey

Lindsey
December 17th, 2006, 12:15 AM
The thing I miss most about WordPerfect (everybody uses Word these days, damnitall) is the "show codes" command.
Absolutely. I was never a heavy user of word processors; even now, I use Word only occasionally. So a lot of the coding that was revealed was pretty much Greek to me. But "show codes" at least gave you a shot at cleaning it up when the text didn't end up formatted as you expected, and WYSIWYG efforts at fixing it didn't get anywhere.

--Lindsey

ktinkel
December 17th, 2006, 08:31 AM
I think you could make Framemaker do what you wanted with fonts and other typesetting issues a whole lot more than you could ever get Word to do it!For sure!

Yet people publish books in Word all the time now (not for the major commercial publishers, but a lot of short-run books never see any publisher — or editor, proofreader, or production supervisor). It boggles the mind — not only is the result less than wonderful, it makes the work so difficult.

Judy G. Russell
December 17th, 2006, 01:04 PM
Yet people publish books in Word all the time now (not for the major commercial publishers, but a lot of short-run books never see any publisher — or editor, proofreader, or production supervisor). It boggles the mind — not only is the result less than wonderful, it makes the work so difficult.Tell me about it. I'm literally about two hours away from finishing a job I got conned into by an 81-year-old fifth or sixth cousin -- editing an 804-page manuscript written entirely in Word and with all kinds of formatting and font changes and... I will be so glad when I'm finished, I may cry.