From: Bob Rankin
Subject: TOURBUS - 26 Sep 02 - Hole in Your Office
In case you've been living in la-la land for the past decade or so, you already know that Microsoft Office is probably the most dangerous software you have on your computer -- unless you're running Outlook or Microsoft Internet Explorer, which sometimes give Office a good run for its money.
Today's TOURBUS article is written by Bob Crispen, who is Patrick's father. His contact information is at the close of the article.
The various versions of Office have accumulated a truly mind-boggling record of security holes and built-in susceptibility to viruses and exploits. Let me repeat that: BUILT-IN susceptibility to viruses and exploits. There are people at Microsoft who worked hard to make Office as vulnerable as it is.
Now if you expect a long rant here about Bill Gates being in league with Beelzebub, you've come to the wrong place. My rant isn't against anybody at Microsoft, it's against you! Let me explain. Say what you will about Microsoft, they're the most fanatically customer driven company that ever existed. If their customers want it, they get it. Year after year they've asked their customers (that's you and me) whether we valued convenience and features more than we value security. And every single time, we've said yes.
If you want to be able to put Excel spreadsheets inside your PowerPoint show, use Word to edit your email, or collaborate with other people on producing a document, the engineers at Microsoft had to open up a hole to let that happen. If it turns out that some villain discovers that hole and rides through it on horseback with a hundred of his friends, looting and pillaging everything in sight, whose fault is that? As Pogo said, "We have met the enemy, and they is us."
Here's the latest exploit. You're Bob, and you're working on a Word document with Alice -- Alice and Bob are the two main characters everyone in security uses for their examples. If we could just find out who Alice and Bob are and keep them away from computers, life would be a lot simpler. ;-)
Alice emails you a Word document. Like a good careful Tourbus rider, you scan that document for viruses. It comes up clean. So you open it in Word, make a few corrections, and send it back to Alice. What you don't realize is that Alice has joined the Dark Side, and that along with your document, you've just emailed Alice your credit card information, your tax returns, and your love letters to Vanessa, the 19-year-old cheerleader you met in a chat room who is actually a 55-year-old septic tank cleaner named Gus.
Or perhaps Alice didn't send the letter at all. Maybe Mallory knows you and Alice are working on the document, has grabbed a copy (there are way too many ways that could happen), and sends it to you, pretending to be Alice.
Now, tell the truth, do you actually check every email address you send a reply to every single time? Didn't think so. Neither do I, though I try. And if "Alice" puts a note on the bottom saying she's working from home and she's changed her email address, Mallory's probably going to get that document along with the private files I didn't know I was sending.
You can find a more detailed explanation for how this exploit works at Woody's Office Watch. What's more, even though Microsoft hasn't written a patch yet that will plug this hole, Woody has. Now I know you're probably asking yourself, "How do I know that Woody isn't a villain? Can I trust his software on my machine?"
Well, even if you haven't heard of Woody, I have, and so have lots of subscribers to his wonderful mailing lists. I can't see into somebody's soul any better than the next guy, but I know he has an excellent reputation, he's been around for a long time, and he definitely has a lot to lose if he intentionally or unintentionally spreads malware. And his patch has been out long enough that if there was a problem with it, I'd have read about it on the security lists.
As long as we're thinking about Office, we might as well see if we've got all of Microsoft's security patches for Office. If you haven't been keeping up with your Office security patches, or if you just inherited a computer from somebody and don't know whether they've kept up with the updates, or even if you're pretty sure you've got everything, but better safe than sorry, head to the Microsoft Office site:
If you've got Office 2000 or Office XP, you're in luck. Click on Product Updates, click "Scan my computer to find out if I need any Office updates", and off you go. In fact, if you're a loyal Tourbus rider who visits Windows Update at least once a week, Windows Update should have discovered that you needed Office patches and installed them for you (if you've got Office 2000 or Office XP).
But what if you aren't running Office 2000 or XP? Then you've got a really unpleasant afternoon ahead of you. You'll have to go download and install the patches yourself. Click on Download Center, select the version of Office you have, and start reading and downloading. Some of the things you'll need, others are just nice to have. Alas, you've got to read the descriptions and decide for yourself.
Here's a hint that can save you some aggravation: if you install the patches in chronological order -- install the one with the earliest release date first, and so on -- it'll go a lot easier. You'll discover that some of the service packs (big collections of patches) will include some of the patches you already installed, but I don't know any way to tell for sure that you've installed all the patches you need unless you install all of them.
Note that the Office downloads page lists the patches in *reverse* chronological order, so you have to go to the end of the list and work backwards. You might want to take a chance and just install the service packs, but I've always figured, as long as I'm doing it, I might as well be thorough. I've installed a whole pile of Office updates on Windows 95, 98, and Me, and the worst that's ever happened is that the installer told me a particular patch had already been installed.
I know, you'll hate it, but I think you'll hate what happens if you don't install those security patches a lot worse. So grit your teeth and get to it. If you happen to notice that the security patches take up more space on your hard drive than the installation of Office did, well, you've got nobody to blame but yourself and your friends who told Microsoft that they wanted the features that opened up those holes.
-- Rev. Bob "Bob" Crispen (crispen at hiwaay dot net)
Now wasn't that clever of me to throw in a plug for my Linux book? That's all for now, I'll see you next time! --Bob Rankin