MS..
..serious about security since -- oh wait!
Microsoft has revealed the guidelines it gives its own developers to help them decide when users need a rude reminder to stop putting themselves at risk of security problems. Redmond's rules boil down to being neat and spruce, but the two adjectives are acronyms rather than items in a dress code. NEAT stands for the following …
"A warning should only interrupt a user if it is absolutely necessary to involve the user."
So what about the situation where a user (an admin, in my case) wants to be interrupted? Sometimes such warnings can help you find bigger problems. And yes, most likely you could find those in the event logs, but that's not my point, since we're talking about interruptions here.
Hm, let me guess - would you have the same fun with a security paper published in PDF format? You know, like the ones used by Secunia White Papers etc.?
Now, check the number of exploits against Adobe Reader in recent years compared to Microsoft Word 2007 (where .docx was introduced) or later. Anything coming to mind?
You know, I have actually done some analysis on that (I got bored one day, doesn't happen often), and I found that text files cover about 90% of my needs because it's the fastest medium for my profession, followed closely by images when something is easier explained in a picture (typically hardware related, or a structure). Combine the two and .rtf is all you need.
Next to that come spreadsheets, but that's no longer just info, that's modelling.
From that it follows that every other bit of formatting is superfluous (I have to stress that that is for ME) - it may make things look prettier but doesn't add any value - but it also doesn't invite the "must add pretty picture to make it look good" syndrome or the hour-long fiddling with formatting which doesn't improve the data itself.
Now for data formats. I read PDFs in non-Adobe readers because I have long given up trusting them to produce something that works without the need for updates every hour (very Microsoft-compatible), so I'm less worried here - and the process is sandboxed by default.
My personal preference for an office format is ODF, which happens to be a European standard that was achieved by consensus rather than bribery and flat-out structural abuse. It just happens to be less risky as well.
Now, to answer your question: apples and pears. That another format is less or more risky is irrelevant. The current format is laughable. I see no real reason why such data cannot be placed online in a wiki or other open, more risk free accessible format. I don't see why users must yet again have this deplorable abomination of an office format rammed down their throats.
Oh, wait. Forget I mentioned it.
It's Microsoft...
" I see no real reason why such data cannot be placed online in a wiki or other open, more risk free accessible format."
I have an answer to that, and it's very simple. Some employee of a large corporation (it's irrelevant which one) got paid to produce this document. It was scrutinized by his bosses, the bosses of his bosses and also possibly helped along by his PA, the PA of his boss and perhaps a whole bunch of other people. As much as said employee would have (imaginably) liked to have just written text and been done with it, at some level of large corporations plain txt just "does not seem to work". Because, as it happens, somewhere up in the hierarchy there are people who get a rash on seeing a document without (totally unnecessary) formatting. These are usually the people who care less about the content than about the form. Luckily formatting can be easily added, using the local tool of choice.
It is sad that the time of technical experts is wasted in getting them to write things down with (totally superfluous) formatting, but that's how these things work.
Sounds like something every developer should take to heart, especially considering how low a priority both security and usability tend to get in many development organizations. Catchy acronyms can help, especially for developers to remind each other -- and to communicate with management, as in "Yes, we should actually spend five hours of development and testing time to change these messages, in order not to confuse and enrage our users."
is that this is coming from the SAME COMPANY that to this very day gives you jack and squat for info on patches from Windows Update without launching your browser! Would it REALLY kill them to give us more than a pointless KB number that doesn't tell us what the patch is for? Maybe a teeny tiny summary, would that be so hard?
Glass houses and stones, MSFT, glass houses and stones.