How Do You Handle New MS Word Vulnerabilities?

chipperdog asks: "With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats? I have been blocking all .doc and .dot at the mail and proxy servers until malware scanners have signatures to detect and block the malicious files. Of course, this caused an uproar with the users, as there were continuous calls like: 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'. Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'. Has anyone done anything creative in their handling of word files — like having qmail-scanner pipe all .doc attachments through something such as wv to convert them to a less exploitable format?"
  • You can't... (Score:5, Insightful)

    by Otter ( 3800 ) on Friday December 15, 2006 @04:39PM (#17260856) Journal
    You can't suddenly cut off the exchange of Word documents in any modern business. Unless you can justify bringing your company to a halt over some vulnerabilities with no real-world risk, you just can't do it.
    • And why is that?

      Because MS's proprietary formats mean that the vulnerabilities in their code preclude easy backup plans should a new exploit like this come out.

      I would say that MORE businesses need to be crippled by the threat of infection via Word. Maybe then the powers-that-be in those companies will start looking long and hard at alternatives to Word and software with other proprietary formats. Advise the PHBs: "Well, look, you can either take the risk of $HORRIBLE_WORM_ATTACK or you can deal with no
    • by Jhon ( 241832 ) *

      with no real-world risk

      I question your use of the word "no" here. I think you are incorrect. Proof of concept exploits are out there and I think it's a matter of time before something nasty gets released.

      I'll agree that at least for now the risk is low, but I think that's going to change over time. Further, one needs to assess risk vs. loss. Our shop is a mid-sized lab. We can afford to spend a few hours a week of our IT staff sifting manually through filtered DOC attachments. The consequences of a

    • Re: (Score:3, Insightful)

      by Todd Knarr ( 15451 ) *

      Why would banning Word documents bring your company to a halt? Word will open RTF files (for example) just as automatically as it will its native format. It can save as RTF almost as easily as its native format, it's at most 2-3 extra keystrokes once in the entire lifetime of the document. RTF handles all the text formatting, images and such that Word's native format does. The only things it doesn't support are the active content and such that malware uses, and I don't see that as a problem. So why should

    • While I agree with you that 99.9% of business would scoff at the notion of cutting off exchange of Word documents in the name of protection, the idea that there is no "real world risk" is naive. And the minute an exploit starts bringing business to an abrupt halt, I guarantee you that everyone from the CEO down will be screaming for the bleeding to be stopped by ANY means necessary. And that would include ceasing to use Word and finding some alternate method of exchanging business documents that is safer.
    • Just use OpenOffice. It will exchange most documents just fine. The ones it has problems with are either poorly designed or malicious; they are rare enough that it's not a problem in real life, and they can be sent back to the sender to get fixed.
    • by noz ( 253073 )
      Unless you can justify bringing your company to a halt over some vulnerabilities with no real-world risk, you just can't do it.
      In fact the risk is very real. Managers need to choose between $$$ and security. I'll give you three guesses which one is chosen most.

      Also, do they actually know about these vulnerabilities? I'm a Debian user and they send me an email when vulnerabilities become known. Does Microsoft do this too?
    • >no real-world risk

      I believe the usually reliable Otter is a couple of days out of date here.

      Targeted attacks using the Word vulnerabilities [computerworld.com]
      Panda reports attack code which they call iTable.A [darknet.org.uk]
      For what it's worth, Symantec reports wild occurrences of Word exploits [symantec.com].

      We found a malicious Word document that was written in Portuguese and added detection for it as Trojan.Mdropper.T. The document contains an exploit that drops an executable file, which then installs a downloader threat and opens a clean Word docum

    • OpenOffice allows you to read & write MS-Word docs without having MS-Word. This has worked well for many of my customers, & they enjoy the PDF document production & the ability to recover many broken MS-Office documents simply by opening them in OpenOffice.

      OpenOffice also runs on more platforms & is developing faster, & the docs are much easier to externally process (they’re basically ZIPped XHTML in a moderately sane format).

      Oh, yes, and it’s much cheaper ($0 per seat) &
  • by Jhon ( 241832 ) * on Friday December 15, 2006 @04:40PM (#17260874) Homepage Journal
    All attached DOC files are filtered and placed into a user's quarantine folder (which they have access to via a web browser). Simple permissions keep them from accessing the file itself until it can be checked. Once checked, permissions are changed and the user can pull the document.

    It's frustrating for the end user as they don't have instant access to their attachment (sometimes there's a 4-hour delay before the file can be manually inspected -- still waiting for some def-files!) and it's taxing my staff time-wise to do this (we've got better things to do than check for any monkey-business in word documents). We've suggested everyone convert to PDFs and send THOSE and it's been working but it's still a disruption.

    • Re: (Score:3, Informative)

      by CerebusUS ( 21051 )
      As I've noted elsewhere, if you think your filter is protecting you, you are wrong:

      "Do not rely on file-name extension filtering. In most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with Word. Filtering for common extensions such as .doc, and .dot will not detect all Word documents."

      source [eweek.com]
  • % strings $1 | less

    (I'm almost serious).
  • Tell the users to rename the files to .dat. That's what we do for sending files around that our mail server blocks. The content of the e-mail would tell the user to rename the file back to .doc. We often send vbs scripts around that we rename to .txt to get around our mail server.
    • Re: (Score:2, Funny)

      by caserio ( 144860 )
      Your users are smart enough to do that? I want your job.

    • by Rob T Firefly ( 844560 ) on Friday December 15, 2006 @04:53PM (#17261084) Homepage Journal
      I don't presume to know your job, but if your users need to subvert the protection scheme in order to use the system for its intended purpose and do their jobs, the protection scheme needs some serious work.
    • That solution does tend to work, and IMHO is fine. The problem isn't Visual Basic or Word itself, it's the fscking email client that auto executes everything, and clueless users that will open every single email attachment no matter who it's from.

      Clueless users can't be trained. IT people have been trying to train them for years, but the malware problem keeps getting worse because these users can't grasp very simplistic concepts. What amazes me is that companies continue to hire people like this that need t
      • Re: (Score:2, Insightful)

        by bb5ch39t ( 786551 )
        What amazes me is that companies continue to hire people like this that need to use computers constantly as part of their job, yet don't have even the most basic computer skills.

        The reason is simple. Such people can be hired for less money per hour. This increases profitability and thus directly affects management's bonuses. That is what matters to management. Any problems caused by this are obviously the technicians' fault.

  • Open Office (Score:4, Interesting)

    by Scott Lockwood ( 218839 ) * on Friday December 15, 2006 @04:43PM (#17260932) Homepage Journal
    It's amazing how, we've been fighting this uphill battle to get our users to use Open Office, and now all of the sudden, managers are calling us to make sure all of their users have it. :-) Some days, I like my job. :-)
    • If you can't install programs on your work computer, there's always...

      (1) Portable Open Office: http://portableapps.com/apps/office/openoffice_portable [portableapps.com]

      It is "no-install" in the sense that the file you download just unzips OO into a folder for you.

      If the download size is a big deal, (2) Portable Abiword [portableapps.com] is much smaller, but only does basic word processing stuff.
      • Excellent! Fortunately, we have very liberal install policies - we in IT control who gets what. Those are very good resources though - I really like the idea of a portable open office that I could have on a key fob or whatever.
      • by darkonc ( 47285 )
        Open Office has (or, at least, had) a 'network install' option: you install it in a shared partition, and it's available for everybody who has access to the share. The hard part, at that point, would be setting OOWriter as the default application for opening .doc files --- but I'm sure you Windows gurus can figure out how to do that.

        You probably also want to set up OO to save in .doc format as a default (or maybe not!).

        This is actually really good timing for the OpenOffice group, as they've just rele

        • by Lehk228 ( 705449 )
          a better option would be for the oo.org community to put together an email filtering system that will take all outbound odt files and convert to XML word files unless **NOCONVERT** is included in the subject line, then that string is simply stripped and the odt file is left alone.
  • Coworker of mine has a sawed off hoe handle, which he maintains was useful for maintenance on an obscure now-obsolete color proofer. Routine application of this to users is beneficial in stopping the spread of these documents.

    Heh.

    The bulk of our traffic here is excel and powerpoint, so limiting word documents hasn't been a real problem. Additionally, corporate used to require stupidly high end router hardware in all parts of the building which was abusive on the budget, but, at times like this, comes in han
  • by everphilski ( 877346 ) on Friday December 15, 2006 @04:43PM (#17260940) Journal
    Killing your company's productivity by not allowing the exchange of information? A big no-no. Plus it is all too easy to get around (rename the extension, zip the file, etc).

    A better solution is to educate the users - send out a mass email explaining the vulnerability, that you shouldn't be opening any docs you aren't expecting. If you do it is your own damn fault and the timeliness of the fixing of your machine can not be guaranteed. There is no reason to choke business as you have and quite frankly the users have every reason to be upset.
    • by Joe The Dragon ( 967727 ) on Friday December 15, 2006 @04:46PM (#17260994)
      So what to tell the people in HR that are expecting resumes?
      • by Aladrin ( 926209 )
        Tell them not to open the doc if the resume wasn't in good English. It might help them do their job better at the same time, as a bonus.
        • Tell them not to open the doc if the resume wasn't in good English. It might help them do their job better at the same time, as a bonus.

          Too bad the resume is the .doc file. We'll put you down under a list of "people who just don't get it". Unless you were trying to be funny. Then we can put you down on the list of "people with no sense of humor".

          • by Aladrin ( 926209 )
            Oy, 1 word wrong and you flip out. Replace resume with 'email body' and poof, it makes sense. I'm sure most people could handle that. I've been here near 10 hours, and it IS funny, if you 'get it'.
      • Re: (Score:3, Informative)

        by MarcoAtWork ( 28889 )
        have one admin with vmware player and a vm that mounts read-only the quarantine folder on the network where any 'suspect' doc is dumped (resumes, attachments from untrusted sources, whatever), in the vm convert the .doc to .pdf and put it in a separate directory that is instead accessible from everybody. Of course the vmware image should be configured NOT to have access to absolutely anything but this one 'quarantine' host.

        Users then access the pdf files from the 'safe' area normally, if you want to just ha
      • Re: (Score:3, Interesting)

        by Todd Knarr ( 15451 ) *

        I like the position my ISP's HR people take: "The posting said "No Word documents accepted.". The job's as a senior network engineer. It's going to require lots of detective work to troubleshoot obscure and arcane problems. If you can't figure out how to use Word's "Save As" to save in RTF or HTML, you are not qualified for the position. If you can't figure out that "No Word Documents accepted." means we won't be accepting Word documents, you aren't qualified for any position.".

        • Nice! Now, all they need to do is add the line "MCSE holders need not apply" and they're all set.
        • by Coryoth ( 254751 )

          I like the position my ISP's HR people take: The posting said "No Word documents accepted."

          I can't understand the appeal of submitting your resume in Word format anyway. If I'm writing a resume I'm normally going through and being a perfectionist and getting everything "just so". The last thing I want to do is spend all that time and then have my resume appear completely differently on my employers computer due to font issues or something. If layout matters (and really, for a resume, you should care) then s

          • by dgatwood ( 11270 )

            Just to be pedantic, neither postscript nor PDF make that formatting guarantee either unless you embed all necessary fonts. Ask yourself how many people know how to do that.... :-)

            I'd recommend HTML. That way, at least you know that the flow will be sensible, unlike some lovely PDFs I've seen....

            • by Coryoth ( 254751 )
              Just to be pedantic, neither postscript nor PDF make that formatting guarantee either unless you embed all necessary fonts. Ask yourself how many people know how to do that.... :-)

              That depends on how the PDF is generated. If you're using PDFTeX then it isn't very hard at all.
              • by cos(0) ( 455098 )
                The rhetorical question remains: "Ask yourself how many people know how to do that...."

                PDFTeX? About three.
            • by wfberg ( 24378 )
              Just to be pedantic, neither postscript nor PDF make that formatting guarantee either unless you embed all necessary fonts. Ask yourself how many people know how to do that.... :-)

              OpenOffice.org embeds all fonts (subsetted) by default. So does PDFCreator or Distiller. I'd be hard pressed to come up with an example of a widely used pdf creation tool that doesn't.
          • There's one problem. His HR person reads resumes on a Mac using a 22" monitor with all the bells and whistles. He reads resumes on a system with exactly one font: fixed-pitch Courier, with pages a fixed 80 characters wide and 50 lines high. Both of them have to be impressed by the resume for it to get considered. When deciding that layout matters, think long and hard about your assumptions about how your layout will render. Then there's the question of fonts. Sure, that one font looks great on your system.

            • by Lehk228 ( 705449 )
              save as PDF, then by default it will be scaled by page/screen width and the font is embedded in the file (you are using openoffice to make the PDF aren't you?)
              • One word: VT100.

                • by Lehk228 ( 705449 )
                  if the person you are sending to is 30 years behind the times, you can always save as ASCII text
                  • He's not 30 years behind the times. He needs to access his e-mail from anywhere, regardless of connection. He might be working on a high-end workstation, a laptop or his PDA. It may not support remote graphics. He can't use a client that stores information locally, because he changes machines all the time. But for anything text, PuTTY or some sort of terminal emulation gives him full access to every one of his office machines from anywhere. Once he has that he doesn't need client software locally, he's got

        • I see it more like "sending a Word document makes some assumptions about what software the recipient will have installed". I personally feel PDF is quite a bit more ubiquitous, so I always use PDFCreator (which installs a PDF virtual printer). Then from Word you just print it out to PDF.
        • by BiggyP ( 466507 )
          Any user who ignores the request to stop sending word documents and for some inexplicable reason takes personal offence when asked to save as RTF or similar should be shot, that ought to do it. I rejoice on the rare occasions that I receive RTFs instead of DOCs.

          Of course ending this blind reliance upon MS Office would be a nice option, though I can't ever see it happening, the users would riot if they discovered that their viral email attachments didn't behave the same way as they did on Carol's computer at
      • Don't hire any IT staff that send fucked-up word document resumes.
      • So what to tell the people in HR that are expecting resumes?

        Tell them to require that resumés be submitted as .pdf files.
    • Clueless users can not be trained, and HR insists on hiring the clueless. So while 99% of your users will get the memo, only 50% will read it, and only 50% of those will actually understand what they are reading. 25% of those that understand will abide by your new "email rules." What are we down to now???

      Welcome to corporate, employee number 877346...

      • Can I get an ahem to that? You can write the most lucid, rational, educative, polite but firm email, with step by step instructions and even screen shots and diagrams, and users still do not get it. I would say 50% reading it is about right. However, as far as understanding goes, it seems most people don't want to understand. They are happy doing things the way they always have, and don't want to use any brain power to change. Heaven forbid though you have to take their machine away to clean up th
    • by Sloppy ( 14984 )

      Killing your company's productivity by not allowing the exchange of information?

      He's talking about executable code, not merely information. These aren't documents, they're programs. MS Word just calls them documents.

      Your point stands that the users need to be educated, but you should never let them frame the problem dishonestly, as though they were really merely asking to be able to email "information" back and forth. What they are asking for, is pretty bizarre and horrifically unsafe. Yes, I know it'

    • ``A better solution is to educate the users''

      It's also number 5 on the list of The Six Dumbest Ideas in Computer Security [ranum.com].
    • ``Killing your company's productivity by not allowing the exchange of information?''

      Only if your company cannot be productive without accepting files that are security hazards. In that case, you have two choices: either you no longer accept the security hazard and take a hit in productivity, or you exchange the certain hit in productivity for a risk of something probably much more damaging. Either way, you pay a price for tying your productivity to known insecure products. Of course, not using these product
  • Any suggestion of sending documents in different formats (like rtf, html, txt, or pdf) results in even more creative user 'feedback'.
    Then tell them to zip the files and then they'll get through the filter. Problem solved.
    • Some of us - like basically everyone who cares - have filters that will scan the contents of common archive formats like zip, rar, ace, zoo, lha, lhz, .tar.{gz,bz2,Z} files, etc.
      • That's great, but my comment was aimed at chipperdog. He created a problem, suggested a work around (pdf, rtf) which users balked at, and then doesn't know what to do. I was pointing out that he could suggest that users zip the files. The best solution would be to remove the blocking of files that people need to get their work done.
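The two points made above, that Windows opens a Word document by its header rather than its extension (CerebusUS's quote) and that a filter has to look inside zip archives, are shown together in this added example, which is not code from the thread. It recognises the OLE2 compound-file container used by binary .doc/.dot files, flags content that hides behind another extension, and inspects zip members in memory; the sample bytes are constructed, not a real document.

```python
"""Content-based attachment inspection (constructed example).

Binary Word files (.doc/.dot) live in an OLE2 "compound file" container, so
they are recognised by the container signature rather than by extension.
ZIP archives are opened in memory and their members inspected the same way.
"""
import io
import struct
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-file signature
RTF_MAGIC = b"{\\rtf"                              # RTF is plain text starting with {\rtf
ZIP_MAGIC = b"PK\x03\x04"                          # first local-file header of a ZIP
WORD_EXTENSIONS = {"doc", "dot"}
MAX_MEMBER_BYTES = 8 * 1024 * 1024                 # cap on what is pulled out of an archive
MAX_DEPTH = 3                                      # nested-archive limit


def looks_like_ole2(data: bytes) -> bool:
    """Plausibility check for an OLE2 header, not just the 8 magic bytes.

    A real header is 512 bytes and stores the sector-size exponent at
    offset 0x1E as 9 (512-byte sectors) or 12 (4096-byte sectors).
    """
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        return False
    sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
    return sector_shift in (9, 12)


def sniff(data: bytes) -> str:
    """Classify bytes by their leading signature: ole2, rtf, zip or other."""
    if looks_like_ole2(data):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, kind, verdict) triples for the attachment and any archive members.

    Verdicts: "word-binary" for an OLE2 file with a Word extension,
    "renamed" for OLE2 content behind any other extension (document.qwer,
    report.dat, ...), "unreadable" for a damaged zip, and "ok" otherwise.
    """
    kind = sniff(data)
    if kind == "ole2":
        verdict = "word-binary" if extension_of(name) in WORD_EXTENSIONS else "renamed"
        return [(name, kind, verdict)]
    results = [(name, kind, "ok")]
    if kind == "zip" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.endswith("/"):          # directory entry
                        continue
                    with zf.open(info) as fh:
                        member = fh.read(MAX_MEMBER_BYTES)   # bounded read, no extraction to disk
                    results.extend(inspect_attachment(f"{name}/{info.filename}", member, depth + 1))
        except zipfile.BadZipFile:
            results.append((name, "zip", "unreadable"))
    return results


# --- constructed sample data ---------------------------------------------------

# Minimal OLE2 header: magic, 16-byte CLSID, minor/major version, byte-order
# mark, sector shift 9; padded to the 512-byte header size. Not a real .doc.
SAMPLE_DOC = (OLE2_MAGIC + bytes(16) + b"\x3E\x00" + b"\x03\x00"
              + b"\xFE\xFF" + b"\x09\x00").ljust(512, b"\x00")


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "report.doc": SAMPLE_DOC,
        "document.qwer": SAMPLE_DOC,
        "notes.rtf": b"{\\rtf1\\ansi Hello}",
        "bundle.zip": build_sample_zip({"renamed.dat": SAMPLE_DOC, "readme.txt": b"hi"}),
    }
    for filename, payload in samples.items():
        for path, kind, verdict in inspect_attachment(filename, payload):
            print(f"{path:30} {kind:5} {verdict}")
```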
  • by PingSpike ( 947548 ) on Friday December 15, 2006 @04:51PM (#17261050)
    We nuked the site from orbit. It was the only way to be sure.
  • The simplest way. (Score:4, Insightful)

    by revxul ( 463513 ) on Friday December 15, 2006 @04:55PM (#17261098)
    OpenOffice.org.
  • Quarantine (Score:3, Insightful)

    by Knara ( 9377 ) on Friday December 15, 2006 @05:01PM (#17261182)

    When we have viruses exploiting Word files, part of our security team sends out a notice that says we're temporarily quarantining the files until we can have them cleared. But really, you can't indefinitely stop word files from coming in.

    I'll admit I'm too lazy to read the exact detail of the exploit, but shouldn't this whole situation be alleviated by good, layered network security anyway?

    • I'll admit I'm too lazy to read the exact detail of the exploit, but shouldn't this whole situation be alleviated by good, layered network security anyway?

      Well, the latest vulnerability allows a malicious word doc to run code on the user's machine. Assuming I wrote a userspace piece of malware, I could easily start sending stuff (anything the user has access to, theoretically) out port 80 to a collection point. Since windows will open documents with unknown extension but proper Word headers in word, filterin
  • We keep the AV scanner at the gateway up. We keep the spam filter at the gateway up. We keep the AV on the desktop up-to-date.

    Right now there's no good RPC-exploitable worm for Windows. Any word-based infection is going to be localized to a single machine (or, at most, to those machines a user has remote local administrative rights on). So, we watch. We stay at yellow alert, and we don't panic. Because right now, there's nothing to panic about. The ability to spread a virus/worm/mal* to a single mac
  • Wouldn't it be possible to automatically strip all macros from the documents? Of course, some documents wouldn't survive the alteration unscathed, but for most of the documents I don't think the end users would even notice a difference.
    • Round-trip convert to OpenDoc. Not only will that strip evil macros, it will also make it easy to migrate to OpenOffice.
  • by jayjay_1978 ( 1040480 ) on Friday December 15, 2006 @05:18PM (#17261446)
    Set up MIMEDefang to convert M$ word attachments to PDF using openoffice.
    Any attachments with a .doc extension or a mimetype of application/msword go through this process.
    Also to reduce the overhead, get the sha1sum for the word document, and save the pdf to .pdf
    Before any documents are converted with openoffice, get the sha1sum. if a .pdf already exists, use that file.

    This still allows people to get the content, which is most of the time, all they want.

    There is also a program called antiword that will convert ms word documents to text, PDF, or PostScript.
    But openoffice does a better job.
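The conversion-with-cache scheme described in this comment, as an added example that is not the poster's code: attachments are gated on the .doc extension or the application/msword MIME type, the PDF is stored under the document's SHA-1 so repeated copies are converted once, and the converter is an injected callable (a stand-in here, since OpenOffice is not run; in a real gateway it would be a headless office process on an isolated host, given that the converter itself is exposed to the hostile file).

```python
"""Content-addressed .doc-to-PDF conversion for a mail filter (constructed example).

Gating rule from the comment: convert when the name ends in .doc or the MIME
type is application/msword. The PDF lives under <sha1>.pdf, so a document
that arrives twice (forwarded, CC'd, re-sent) costs one conversion.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Tuple

Converter = Callable[[bytes], bytes]   # document bytes -> PDF bytes


def needs_conversion(filename: str, mimetype: str) -> bool:
    """Same rule as the post: .doc extension or application/msword MIME type."""
    return filename.lower().endswith(".doc") or mimetype.lower() == "application/msword"


class ConversionCache:
    """Maps SHA-1(document) -> <sha1>.pdf on disk, converting on a miss only."""

    def __init__(self, cache_dir, convert: Converter):
        self.cache_dir = Path(cache_dir)
        self.cache_dir.mkdir(parents=True, exist_ok=True)
        self.convert = convert
        self.conversions = 0          # counts real converter invocations

    def pdf_path(self, document: bytes) -> Path:
        # SHA-1 as in the post; it only has to dedupe identical bytes here,
        # but SHA-256 costs nothing extra and is the better choice today.
        return self.cache_dir / (hashlib.sha1(document).hexdigest() + ".pdf")

    def get_pdf(self, document: bytes) -> Path:
        target = self.pdf_path(document)
        if target.exists():
            return target             # cache hit: the converter never sees the file again
        pdf = self.convert(document)
        part = target.with_suffix(".part")
        part.write_bytes(pdf)
        part.replace(target)          # atomic rename: a half-written PDF is never served
        self.conversions += 1
        return target


def process_attachment(cache: ConversionCache, filename: str, mimetype: str,
                       data: bytes) -> Tuple[str, str, bytes]:
    """Return (filename, mimetype, bytes) to put back into the message."""
    if not needs_conversion(filename, mimetype):
        return filename, mimetype, data
    pdf_path = cache.get_pdf(data)
    new_name = Path(filename).with_suffix(".pdf").name
    return new_name, "application/pdf", pdf_path.read_bytes()


def stand_in_converter(document: bytes) -> bytes:
    """Stand-in for the office converter: emits a tiny fake PDF, not a real one."""
    digest = hashlib.sha1(document).hexdigest().encode()
    return b"%PDF-1.4\n% stand-in conversion of sha1 " + digest + b"\n"


def run_demo(cache_dir=None) -> dict:
    """Push four constructed attachments through the filter; two share the same bytes."""
    cache = ConversionCache(cache_dir or tempfile.mkdtemp(prefix="docpdf-"), stand_in_converter)
    doc_a = b"\xD0\xCF\x11\xE0constructed document A"     # not real Word files, just bytes
    doc_b = b"\xD0\xCF\x11\xE0constructed document B"
    batch = [
        ("report.doc", "application/msword", doc_a),
        ("copy-of-report.doc", "application/octet-stream", doc_a),   # same bytes, new name
        ("other.doc", "application/msword", doc_b),
        ("memo.rtf", "text/rtf", b"{\\rtf1 memo}"),                  # passes through untouched
    ]
    names, outputs = [], []
    for filename, mimetype, data in batch:
        new_name, new_type, new_data = process_attachment(cache, filename, mimetype, data)
        names.append((new_name, new_type))
        outputs.append(new_data)
    return {
        "conversions": cache.conversions,
        "names": names,
        "same_pdf": outputs[0] == outputs[1],
        "rtf_untouched": outputs[3] == b"{\\rtf1 memo}",
    }


if __name__ == "__main__":
    print(run_demo())
```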

    • If someone wants to edit the file, you have to buy copies of Adobe Pro for editing, right? Or can openoffice handle pdf editing?

      Or use plain text, which will suck if there is any kind of formatting in the .doc file, which is most of the time.
    • ``Setup MIMEDefang to convert M$ word attachments to PDF using openoffice.''

      So that attackers can automatically attack your systems (without you having to click) by exploiting vulnerabilities in OOo?
  • by lky ( 246353 )
    Well I use Linux so I don't have MS Office but I extract the text from MS Word documents using Antiword or Catdoc and then read them in Vim.

    Antiword: http://www.winfield.demon.nl/ [demon.nl]
    Catdoc: http://www.45.free.net/~vitus/software/catdoc/ [free.net]

    Add this to your .vimrc to make it automagic:

    " mark .doc buffers as Word documents, then replace the binary
    " contents with antiword's text rendering once the file is read
    autocmd BufReadPre *.doc set filetype=msword
    autocmd BufReadPost *.doc silent %!antiword "%"
    autocmd Filetype msword call s:MyMSWordSettings()

    function! s:MyMSWordSettings()
      " the buffer is a text view of the .doc; never write it back
      setlocal readonly
    endfunction
    • Thanks for the links. I know this problem isn't proven on OS X, but based on the executive summary I'd suppose it could be an issue, so to Mac OS X people, textutil(1) can read doc and convert to txt, html, rtf, or even webarchive, so you get all the images.

      Textutil is in /usr/bin on an install of OS X, and just acts as a wrapper for the OS X text word processing subsystem.

    • Funny you should mention VIM. It had an arbitrary code execution exploit not that long ago, based on modeline interpretation.

      Thankfully, VIM's presence is.. um.. low, compared to Word. Still, the HORROR! Being owned by a malicious ASCII file!

      YMMV
      Ratboy
  • With yet another zero-day exploit of MS-Word document files, what are fellow system admins doing to protect themselves against these threats?

    Yet more evidence of the truth and beauty of the Church of Emacs [dina.kvl.dk].

    Or, if one is into truly antediluvian forms of worship, Ed, man! !man ed [gnu.org].
  • Simple. My employees know not to open any file that they don't know what it is. I really don't know how you can get any simpler or more effective than that.
    • This shows a false sense of security, which is the most dangerous condition. All it takes is one person who has an infected laptop to email to another person a document which they created themselves, and your internal network is open to the attacker.
       
  • 'When can I send and receive Word files again' and 'I can't get anything done if I can't send/receive Word files'.

    If your users need to send/receive executable code from/to strangers (which is essentially what they're asking for) then you're in a nasty situation.

    If you're the boss, one obvious thing to do is to make them sign something to the effect that the cost of cleaning up after their willful unsafe practices, will come out of their own paychecks.

    Let's assume you're not the boss.

    You can't trust sca

  • by slamb ( 119285 ) * on Friday December 15, 2006 @06:38PM (#17262540) Homepage
    Even ignoring viruses/worms altogether, it's not a good idea for users to be exchanging .DOC, .XLS, and .PPT files through email. People do this for two reasons:
    1. Exchanging finished documents for reading. PDF is better:
      1. It can reproduce the results exactly.
      2. It doesn't include Word's "change tracking" information which can cause embarrassing leaks.
      3. It's a standard with many interoperable implementations.
    2. Exchanging in-progress documents for revision. At least for stuff limited to your company, a version control server (like Subversion [tigris.org] with friendly TortoiseSVN [tigris.org] clients) is better:
      1. Doesn't cause email storage to grow enormously. Instead, a server actually meant for this kind of thing stores only deltas. And only one copy of each document - on most mailservers, the disk space consumed by an attachment is proportional to the number of recipients.
      2. Lets you easily find the latest version of a document. ("Did he send me another copy after this? I'm not sure.")
      3. Lets you easily retrieve any previous version, see changes/authors/checkin comments. (I don't trust Word's built-in change tracking, and you shouldn't either. Its security model is flawed, and I don't think it's reliable to begin with.)
      4. Supports locking/unlocking documents to prevent conflicting changes.
      5. With some setup, supports diffing and merging [tigris.org] office documents. You can maintain branches!
      6. Supports searching - where I work, we've plugged in swish-e [swish-e.org] for full-text searching over our documentation repository.
    I wish my company would just block all .DOC and .XLS files sent from one employee to another. It'd force them to use the documentation repository and save us all a tremendous amount of pain trying to dig through email for the right version of some Product Requirements Document. It'd also stop the whining from people complaining about hitting their email storage limits all the time.
    • SVN and CVS for the end user? Ha. I had a good laugh at that one.
      • by slamb ( 119285 ) *
        Stop laughing. We do it, and it works well. TortoiseSVN makes it really easy.

        It doesn't take much technical sophistication to handle "update" and "commit", and that's 95% of the operations on this sort of repository. Very little branching, some use of logs...but really, what people need is a place to put documents that fires off commit emails and where it's possible to get a log or pull an old version if necessary.

        As far as the sales guys are concerned, it's a lot like a network share, except that they

  • I only run MS Word in my hermetically sealed house, which I never leave.
  • by 6031769 ( 829845 ) on Friday December 15, 2006 @08:20PM (#17263552) Homepage Journal
    We do not use Microsoft Word at my place of business. This is therefore no longer a concern. If any sysadmin thinks this is a problem, it's clearly time to approach the PHB with it in terms that they will understand. Something along the lines of, "Yes, I'd love to tackle that super-urgent issue of yours, but I'm too busy fighting these n MS Word vulnerabilities" where n is greater than zero. That ought to do it.
  • Remember, everyone in your company has a job to do; your job is to help them do their jobs. Sometimes employees will be impacted by security issues; but when their time is spent primarily working around your paranoid security restrictions, then you're hurting your business. Right now, you're more likely to either 1: Get fired, 2: insult an important business client, 3: piss off a valuable employee who will decide to move to a company who doesn't have an @$$h0l3 running their network...

    It's good that you

  • Either be very diligent with your backups (which you should be anyway) or just don't use it. "Viruses" and general issues with computers (MS products specifically) are the counterpart to 'other people on the road' when driving your car. You either put up with the dangers and prepare yourself for the pain or simply don't get involved.

    Fortunately with computers you can just make backups and only lose a day or two of production if everything goes to shit. Not so possible with a head on collision at 50mph.
  • I stopped using Word back in 1997 when I couldn't get a simple (C) to not be turned into a copyright symbol in a document. After several hours of searching help and disabling what seemed like hundreds of preferences that began with "auto," I pasted the document text into Netscape Gold's HTML editor and never looked back.

    I've given the PHBs plenty of trouble since then by not accepting DOC files (or later on Excel files either). They can't figure out how to save in any other format (which was my suggesti

  • by martin ( 1336 )
    Apply the standard Threat/Likelihood/Impact risk model before you start on these things.

    So you block Ms-Word, what's the threat (and is it exploited yet, which is Likelihood) and finally what's the impact of the threat. Now apply this to your actions. ...

    Another thing I'd say is that various IE issues are more of a risk than the little-exploited (to date) ones in Word.

    Given the time you are spending, the impact you're having on the business, is your 'fix' worth it?
  • The trouble with trying to filter is that the word format is a binary blob without any documentation...
    It's quite easy to filter out things like the jpeg exploit, just try opening it with a jpeg library on the filter server, the exploit jpegs won't load properly and error, or you can convert them on the fly to another image format.
    Of course this brings up a risk to your server, but the risk is much smaller, the server is likely to be hardened, could be running many different OSes on several different hardwa
