Microsoft Word 2003, 2007, 2010, 2013
See Icon ->
Microsoft has warned its Word software is vulnerable to a newly discovered dangerous bug – which is being exploited right now in "limited, targeted attacks" in the wild. There is no patch available at this time. The flaw is triggered by opening a maliciously crafted RTF document in the Microsoft Office word processor, or opening …
See Icon ->
Well isn't it good that I'm still using Word 97...
Fortunately I stuck with WindowsXP and OfficeXP so I'm safe
Well the good news is that OpenOffice is safe if fed a maliciously crafted .doc file.
NO, no, no, no .... RTF is pretty old ... since Office 97 and 2002 are no longer supported, I guess they have the issue, however, it will simply not be patched.
Microsoft Word 2003, 2007, 2010, 2013, and Office for Mac 2011 are vulnerable, according to Redmond. Microsoft Office Web Apps, Automation Services on SharePoint Server 2010 and 2013, and Outlook 2007, 2010 and 2013 when using Word as the email viewer, are also affected.
Legacy code or what!
Their latest Web Apps replicate a bug of Word 2003???
Code review any one?
Well, they DO have to keep the backdoors open for the spooks....
They were too busy with the ribbon to actually worry about what's under the bonnet.
I bet if you fired up a VM with Windows 3.1 and ran WFW 2.0 the same bug would still be there...
(But at least the UI would be better than Word 2013.)
Lordy no! All those little buttons with tiny black and white icons of printers, floppy disks, etc?! And so buggy it crashed at least once a day (ok maybe that was Win3.1 as well)?
Ah those GPFs...
Given the age of the vulnerability, I wonder whether any one has bothered to check how non-MS products handle this maliciously crafted RTF document.
What else is there...?
I imagine anything that can open Legacy Documents but we all know about them.
Just need to start worrying when exploits on plain text files start to appear.
They have been around for years. A text file with something about typing the "Format" of the "C:" drive to speed up your computer.
You don't want to know.
Having a ridiculous bug like that, spread over a decade of versions is one thing..
But it's been known by Microsoft since the end of January. It's now almost the end of March, and there's still no patch for a remote code execution vulnerability, that's potentially in the wild??
If you ever wanted a reason to use open-source then this is it!
January what year?
I'll accept it might be difficult to patch the bug, regression test it, and still get it packaged for the March patch release. BFFS, why didn't you announce the mitigation options earlier?
Just goes to show that all new versions have been mostly cosmetic changes.
"Just goes to show that all new versions have been mostly cosmetic changes."
And not for the better !
Yes, that's what I think too. However the little woman disagrees and applies more and more mascara and potions to hide the wrinkles.
Think I'll go out looking for some new hussy (free and open and obviously without viruses, etc.)
"all new versions have been mostly cosmetic changes"
That is a bit of a stretch. RTF was never the main document format for MSWord. http://en.wikipedia.org/wiki/Rich_Text_Format shows some changes to the RTF format over the years, but I don't necessarily see why you feel they should rewrite all of their code with every release. (Wouldn't that make it harder to ensure compatibility with previous versions -- something MSOffice users do have an interest in keeping?)
MS Office- Crap yesterday, crap tomorrow. You can rely on it.
downvote for the misogynistic comments.
Problem is... people don't know their arse to their Microsoft Word document most of the time in the home or office-scape. Especially when Word (AFAIK) conceals each document under the same icon. You'd need to understand what a file extension is to avoid opening a malicious document.
Even worse, someone could easily send a mass *.doc/*.docx and disguise an RTF underneath as the later versions will auto detect the format?
To be fair there's no suggestion that any free open and virus-free hussy would be interested in having him!
I wouldn't except
The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1. Which to me implies checking the code with all your security tools at each release. As an earlier poster noted, the absence of Word 97 or earlier versions doesn't mean the bug doesn't exist in them, only that MS haven't arsed themselves to test them. So it could be a 20+ year old bug, but it is confirmed to be at least a 13 year old bug.
"The whole point of the Vista and Windows 7 rewrites according to MS was that they were re-writing the code from the ground up to make it secure. And with that commenced the directive of making security Job #1."
MAKE HIM STOP!!!
I ABOUT PISSED MYSELF LAUGHING....
Oh, better now.
People are still using Microsoft products?
"Mainstream" support for Office 2003 ended back in 2009 - and "extended" support for it ends early next month. I wonder how many installations of this won't get patched, particularly if this issue doesn't get patched by next month's cut-off? 2007 is out of "mainstream" support too, and I'm sure it's far from extinct out there - and probably far from currently patched...
We only "upgraded" to 2007 just before Xmas. It was installed "vanilla" (no SP). Our I.T. team don't like updates. At all. I mean ANY updates for ANY software. Now whenever I have a meeting with our road warriors I make them fire up Windows Update before we get started.
How long (oh Lord) have we been telling Microsoft *not* to couple Word with Outlook? I know I told them, circa 1998, that it was a bad idea.
It still is.
Don't know about coupling Word with Outlook, but the insecurity of the Outlook preview mode has been known about since Outlook 97/98...
Office 2004 for Mac no longer runs under 10.7 after the upgrade from 10.6. Libre Office is now useable even if it does still take far too long to load, so no point in paying for the upgrade.
I have warned the rest of the family; the wife uses PCs, and the kids might well run various versions at home and at work.
Oh and I'm reminded why I never liked Outlook so never more than glanced at it, let alone set it up. Thunderbird does just fine and dandy.
Recycled plastic - good
Recycled code - bad
Recycled trustworthy code - doubleplus good
"Recycled code - bad"
Code re-use is pretty standard practice, actually. No-one is going to re-write every part of a very large software project each time an iterative version is released, especially the legacy parts. If you did that you'd (a) never release a new version and (b) introduce more bugs with each version than you would otherwise.
But 10+ year old code is dragging it out a bit. At least review it, especially since it loads external data.
I suspect the original coder is long gone, and it's spaghetti code that no one dares touch.
This actually comes closer to what I was thinking. Also I have known occasions where re-use of 'good' code has been a disaster because the new dev didn't properly understand it and tried to use it as-is.
I know this to be true cos it wos me!
>>"But 10+ year old code is dragging it out a bit. At least review it, especially since it loads external data."
By that logic parts of the PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux. It loads external data and it's over ten years old. Point is that the OP I replied to said re-using code was bad. That's crap, and every experienced software engineer on a medium-large project knows how unfeasible and counter-productive it would be to re-write everything, especially legacy parts, just because a new version was coming out.
OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP.
Good code is good code, no matter how old it is. The term "bit rot" was debunked a long time ago. The trouble is that good code isn't that easy to come by.
Or if you prefer, there's the old adage that I recall from my programming days - there's no such thing as a finished product; just one that's in a high state of debug. :)
"The term "bit rot" was debunked a long time ago".
I think you'll find that "bit rot" was humorous shorthand for the well-known problems that arise when an originally crisp, efficient system is gradually patched and "enhanced" year after year. It's the programmer's version of what Verity Stob calls "cruft" from the end-user POV.
I know this to be true cos it wos me!
And there's the difference between you and MS. MS would never admit that in public.
"That's crap and every experienced software engineer on a medium large project knows how unfeasible and counter-productive it would be to re-write everything especially legacy parts, just because a new version was coming out."
I don't think it's been suggested to re-write all code for every iteration. (Why do you people bicker back with edge cases and extreme counter-arguments?)
I have written code, and it's been running for years. It doesn't get touched, it does what it's supposed to do. I've also written shitty code where I feel sorry for the next person to maintain. I've also been on the receiving end of shit code.
But don't you do code reviews, especially on code that already had similar issues? Or are you the type to leave code well alone once it's proven to work?
When you have code in high-risk areas, running on the vast majority of desktops over the world, and you're getting an obscene amount of money for it - it's more of a case of responsibility.
I'd love to know if a code analysis tool would have picked this bug up, or if a second glance at the function would spot something... but I guess we'll never know.
>> PATA modules in my Linux kernel should be re-written with every iteration of GNU/Linux
A pathetic example! That code (and any updates to it) can be reviewed by anyone, and it's not dealing with data directly from the Internet - i.e., in emails.
Old code should be reviewed, every so often. The security landscape has changed a lot in the past decade.
"OP made an ignorant comment that code should not be re-used from one version of an Operating System to the next. You lose all credibility taking issue with me correcting the OP."
Sorry, I was just trying to add something to the discussion regarding reviewing old code... I'm not here to gain credibility, or score points.
>>"I don't think it's been suggested to re-write all code for every iteration. "
OP wrote "Code re-cycling is bad". Other than an accompanying sentence saying that "plastic recycling is good", that was the sum total of their post. I responded pointing out that code re-use is standard practice and attempting to re-write everything would introduce more bugs.
Then you argued with me.
If they are just going to put a new polish on the same old turd, then why FFS do people go out and get the "newest" one?
Everyone needs to stop buying the "new" crap to make a point.
I know, I know... Good luck with that.
I've done my part... See icon -->
Bit rot is still valid, but not for code. It is however prevalent at the hardware level in lots of cheaply made ROMs and CDs. I have an Atari 5200 that has suffered from it.
I don't think it is a bug - more of an oversight.
The root of the issue seems to be the time when MS thought that t'internet would be a great way to do systems management on Windows PCs remotely, and all that IE6 development stuff that so many organisations (and ActiveX?) are still snagged into?