It's now 2017, and your Windows PC can still be pwned by a Word file

Microsoft has begun its 2017 with the release of four updates to address security holes in Windows and Office, while Adobe has posted fixes for more than three dozen vulnerabilities in Flash and Reader. Microsoft's January patch load includes: MS17-001, a fix for the Edge browser to address a flaw that would let a malicious …

Meanwhile, Adobe is updating blah de fucking blah

jesus christ. it never stops. luckily, i don't have to worry about it as of about a year ago. i don't even use flash on the floors here anymore

35
0
Silver badge
Devil

Re: Meanwhile, Adobe is updating blah de fucking blah

I stopped doing *anything* flash when gnash wouldn't play with the latest unnecessary change to the file format. I don't need Adobe's spyware running on a BSD or Linux box, after all! Fortunately, HTML5 has taken care of that. Now, why IS anyone using flash these days?

17
0
Trollface

Re: Meanwhile, Adobe is updating blah de fucking blah

I have it on good authority that the number of patches exceeded the number of lines of source code several years ago and now they just release useless patches so that people don't forget who they are ...

18
0
Silver badge

Re: Meanwhile, Adobe is updating blah de fucking blah

TicketMaster's 'choose your own seat' thing still, bizarrely, requires Flash.

But who are we kidding. The real answer is "porn". It's *always* "porn".

4
0
Anonymous Coward

Re: Meanwhile, Adobe is updating blah de fucking blah

Because BBC.

That's why i have to read the BBC at work as i ain't installing flash on my own gear.

3
0
Silver badge

Re: Meanwhile, Adobe is updating blah de fucking blah

>Because BBC.

>That's why i have to read the BBC at work as i ain't installing flash on my own gear.

As has been reported here many times, user agent switcher browser extension, use an iPad user agent, problem solved.

Ohh, and do contact the BBC on this matter, if we all do, they will get their act together!

6
0
Silver badge

Re: Now, why IS anyone using flash these days?

Because vSphere console

2
0
FAIL

Re: Meanwhile, Adobe is updating blah de fucking blah

A problem with Flash? - surely not - it's so relia....................."£$%^&*(!!!!!!

D'oH!

Actually, I understand Adobe are changing its name to CRASH next month.

0
0
Anonymous Coward

Re: Meanwhile, Adobe is updating blah de fucking blah

can't speak for everyone but i use flash to spy on your mrs while she's changing out of her bloomers.

meh meh meh meh

0
1

Re: Meanwhile, Adobe is updating blah de fucking blah

Somewhat nitpicky, but that "unnecessary change" to the file format was essentially a complete make-over.

This is what brought it from "scriptable animation (primarily vector) toolkit" to "full-fledged application runtime". Back in the days it was actually really cool compared to the alternatives for cross-platform/in-browser stuff, or even graphical RAD in general (as to the latter, it actually still is to a large extent).

2
0
Anonymous Coward

It never stops...

"Adobe has posted fixes for more than three dozen vulnerabilities..."

Does Adobe have any clue about their own software, or is it just a fly by night situation? Wouldn't you consider a major rewrite at some point? When your only real product depends on graphical performance, you'd think you'd rewrite the software for the best performance, let alone security. Adobe is lost in the 90's.

In case you're out of the loop on what's going on in "Creative Cloud".

1. Massive price hikes, volume licensing is a joke now.

2. Photoshop updates are basically bug fixes just like Flash.

3. Lightroom updates consist of porting photoshop "fun" features to it.

4. Everything performs horribly compared to competing products.

5. Massive price hikes.

I literally run WinTin just for Photoshop, it's a nightmare.

18
0
Silver badge

Re: It never stops...

In case you're out of the loop on what's going on in "Creative Cloud".

CC is also an acronym for Cash Cow.

A Cash Cow in the software world usually means a product which is no longer actively developed, but enough customers are locked in to milk it all the way.

13
0

Re: It never stops...

Well considering Adobe's biggest expense is Udder Cream (TM) ...

2
0

Re: It never stops...

If Photoshop is terrible and it edits pictures, why doesn't someone use Capitalism to replace it with a better program?

If it is expensive and rubbish, it would seem like a good target.

I don't use it so I know nothing about alternatives.

2
0
Silver badge

@MyBackDoor Re: It never stops...

Wouldn't you consider a major rewrite at some point?

'Cause Adobe know that the writing is on the wall for Flash and not even they're stupid enough to throw money at a re-write for a dying product....

2
0
Silver badge

Re: It never stops...

similarly to "nobody got fired for buying IBM" - Adobe being established vendor is next to impossible to replace in enterprise (even if price/terms of service appeared ridiculous for mortals spending real/own $).

1
0

Re: It never stops...

They'll have to stop milking it eventually...

0
0
Anonymous Coward

Re: It never stops...

I literally run WinTin just for Photoshop, it's a nightmare.

Could I point you at Affinity Photo then? Far more resource friendly, better code, easier to use and at a price it makes it basically silly NOT to buy it.

They tend to have the betas freely available in their forums, so you can try before you buy.

Not affiliated, just a happy user (on Mac, but there's also a Windows version).

5
0
Anonymous Coward

Re: It never stops...

If Photoshop is terrible and it edits pictures, why doesn't someone use Capitalism to replace it with a better program?

That is already happening, also because not everyone is happy with the whole subscription malarkey. Affinity make damn good software that may not yet be as overfull featured, but it's scary fast, amazingly well supported (via forums where you actually get an answer!), FAR simpler to use and stupidly cheap for what you get. And they make great tutorial videos for it too. I especially like their support for full 360º images where you can change and edit information like on a normal image and it will then integrate it - it's very impressive to see.

I haven't touched an Adobe product in ages. The only thing I have installed is the Adobe Reader, and that hasn't been used (or upgraded) for about 6 months now - the only reason I keep it is because some (mostly government) organisations send me stuff that requires Reader features and are unreasonable about making it work more universally. I've been "Flash free" for about a year now and in general this works, except for the BBC where my browser has to pretend to be an iPad before they do the right thing..

2
0
LDS
Silver badge

Re: It never stops...

Adobe knows it has almost no competition in the higher segment of the market, and it's exploiting it. While Serif+ products are good, they can't still replace (nor probably is their target), Adobe ones in that segment, where you may need to add features (i.e. colour separations, IIRC they added spot colours support last year in Affinity Designer) used only by a relatively "smaller" percentage of professional users, but which are critical for some professional tasks, increasing the overall cost of a product with a limited return, especially if you have to catch up with a product already established as the market leader. But eroding the bottom line is a good way to increase customers and revenues.

For a while companies like Corel, Micrografx, Aldus were competitors - but Corel (yet a pale image of the former self) they no longer exist.

0
0
Silver badge

Re: It never stops...

If Photoshop is terrible and it edits pictures, why doesn't someone use Capitalism to replace it with a better program?

Because of network effects. Graphics people are trained in Photoshop, and there is an ecosystem of plugins. Same reason Windows hasn't been replaced successfully on desktops. Capitalism is powerless with this kind of issue.

0
0
Silver badge
Coat

"Specially crafted"

Sounds like a belated Christmas present.

T'was the night before Christmas, not a sound could be heard

Except for some typing, a file writ in Word

A bug report that had been specially crafted

To tell us that all our computers were shafted

31
0
Silver badge
Happy

Pick a year between 1990 and 2050 and this "news" article would still be relevant. With any luck I'll still be here complaining about it too.

14
0
Silver badge

It's highly unlikely that I'll be here in 2050 and I have to say that I find that thought to be strangely comforting.

7
0
Silver badge
Joke

Posting here in 2050

Perhaps El Reg will award 'gold' badges to those of us who will be well into our 90's?

I'll be 97 in 2050 and will look forward to it as an early letter from King William.

Come on El Reg, give us oldies something to look forward to....

3
0
Silver badge

Re: Posting here in 2050 - I'll be 97 in 2050 and will look forward to it

All very well for you young folk. But the way things are going with spying, DRM and unreasonable protection of the rich and well connected, I expect that by 2050 things will be back to analog landlines and an extremely thin screen on the wall that shows nothing but cat videos and repeats of Top Gear (like WW2 films, so the kids can wonder at what their parents used to get up to.)

4
0
Silver badge
Pint

Village People!

Young man, why you look so appalled.

I said, young man, better get used to it now.

I said, young man, 'cause you're in a new age

There's no need to read the EULA.

Young man, there's naught you can do.

I said, young man, when you feel so observed.

Shark the wire, and I'm sure you will find

Many ways to lose your data.

It's fun to send te-le-metry.

It's fun to send te-le-metry.

etc. etc.

25
2
Gold badge

Re: Village People!

That is *wonderful* :)

Regarding EULAs, allow me to assist by referring to this comic. Enjoy :).

0
0

"The flaw, designated CVE-2017-0003, allows a specially crafted Word file to take control of the target system with the current user's access privileges"

The principle of least privilege, how many times do you have to be told Microsoft, the default profile should be a standard user.

1
3

"the default profile should be a standard user."

Err... ... it is, and it's been that way for more than 10 years. Ever since Vista.

5
1
Silver badge

For most people PC = single user, and so such a flaw can still encrypt their own files which is all that matters. The OS, etc, can be hosed and re-installed, but few have backups and most Joe Public find out when it's too late.

6
0
Gold badge

@Electron; yes; but there are still some programs that don't work properly without higher access permissions.

@Doc; my account has the privileges to edit my files - that doesn't mean that I want someone pwning my system and stealing/editing/deleting them, even if they still don't have permissions to do admin stuff.

1
1

>Err... ... it is, and it's been that way for more than 10 years. Ever since Vista.

Really!

Tell me what profile are you dumped straight into by default on a single PC install? Don't give me that crap about UAC and admin, go and add up the CVEs that are mitigated by running as a PROPER STANDARD USER.

https://blogs.microsoft.com/microsoftsecure/2010/03/30/be-safer-run-as-standard-user/

http://www.zdnet.com/article/admin-rights-key-to-mitigating-vulnerabilities-study-shows/

3
2
Silver badge

"but there are still some programs that don't work properly without higher access permissions"

Lucky then that short cut properties include a selectable per program "Run as Administrator" option...

0
0

This post has been deleted by its author

Silver badge

In 500 Years...

this will all be sorted out and people will laugh about how a Word file could take over their computer. In the mean time I use LibreOffice.

9
1
Silver badge

Re: In 500 Years...

"In the mean time I use LibreOffice."

Some of us need a version of Office that actually works...

Not to mention that full functionality of Libre Office requires Java installed - which is second only to Flash as a security hole...

1
8
Anonymous Coward

Re: In 500 Years...

Some of us need a version of Office that actually works...

If you define "works" as doing what an Office package should do for about 95% of users, LibreOffice can comfortably claim that. You haven't tried using it for more than a week or you'd know that, and it has the added bonus that nobody tries to mess around with the UI to sell a new version so your staff has to relearn again and again where the f*ck Microsoft hid the functions they were using just fine before the update. Oh, and it works on a proper, official, arrived-at-through-real-consensus Open Standard rather than a bribed one that the company itself has trouble supporting, but that's just detail.

Not to mention that full functionality of Libre Office requires Java installed - which is second only to Flash as a security hole...

Been using it company wide for about 4 years now without any Java present. Try judging it based on facts, not on Microsoft marketing. Bonus benefit: our staff can use it at home just as well - no license risks - and it renders the same on Linux, macOS and Windows.

4
1
Silver badge

Re: In 500 Years...

"If you define "works" as doing what an Office package should do for about 95% of users, LibreOffice can comfortably claim that"

Working 95% of the time isn't good enough for most businesses. Hence presumably why adoption of Libre Office is still close to zero....

"Oh, and it works on a proper, official, arrived-at-through-real-consensus Open Standard rather than a bribed one that the company itself has trouble supporting"

Microsoft Office works far better than Libre Office in regards to ODF support. The Libre Office forums are full of issues with its standards support...

"Bonus benefit: our staff can use it at home just as well - no license risks "

But many of your staff will already have MS Office or Office 365, so it then sucks when their files don't work properly, and features they used at home are not supported in the office.....

0
5
Anonymous Coward

Re: In 500 Years...

"Microsoft Office works far better than Libre Office in regards to ODF support."

No it absolutely doesn't - MS Office's support for ODF is still woeful. If you use both products with any regularity (I do) you'd know this well, and be more qualified to comment.

1
1
Anonymous Coward

Re: In 500 Years...

Microsoft Office works far better than Libre Office in regards to ODF support. The Libre Office forums are full of issues with its standards support...

Oh, here we go again. Repeating an untruth often doesn't make it reality - and I suspect you know full well that that is utter BS.

2
1
Anonymous Coward

Re: In 500 Years...

But many of your staff will already have MS Office or Office 365, so it then sucks when their files don't work properly, and features they used at home are not supported in the office.....

As a matter of fact, none of our staff use it, for a number of reasons. Our company has some of the strictest security and compliance requirements in Europe for a non-governmental setup and we prove again and again that Microsoft's "EU only" cloud isn't as "EU only" as it pretends to be, and our risk management extends to helping staff and family being secure at home and prevent them being abused as backdoors or being forced/leveraged into becoming so.

We know a lot more about Microsoft than they are comfortable with - and they know...

1
1
FAIL

@TheVogon: Re: In 500 Years...

TheVogon,

may I suggest that you re-read the comment you responded to?

[Paraphrasing] it meets the needs of 95% of users, NOT that it works for 95% of the time...

D'oh

0
1
Silver badge

So a quiet month for Microsoft then...

7
0

So a quiet month for Microsoft then...

We never say that until the patches are applied and the fallout evaluated.

7
1

This post has been deleted by its author

Silver badge

Re: @Chika re update fallout.

Odd, because for several years I was responsible for patching large numbers of servers, and never had a post patch issue.

Only problem recently was caused by a .NET upgrade, and that's really down to the application that relies on it.

Is it really so bad for everyone else? I've never been responsible for desktop deployments of patches, is it worse out there? Never had a problem on any of my personal machines running scheduled updates, so why the derision?

0
1
Silver badge

"We never say that until the patches are applied and the fallout evaluated."

We can as we test before deploying...

1
0
Anonymous Coward

Re: @Chika re update fallout.

Odd, because for several years I was responsible for patching large numbers of servers, and never had a post patch issue.

Yes, but servers are typically not where the problems emerge.

0
0
Silver badge

Somebody close the screen door

My submarine is already full....

3
0


Biting the hand that feeds IT © 1998–2018