Reply to post: Office Applications? OLE?

Windows 10's defences are pretty robust these days, so of course folk are trying to break them

SVV

Office Applications? OLE?

I have discovered 3 examples of such atrociously insecure and idiotic shit during my work since the start of the year, sitting on the obscure edge of fundamental business processes but entirely necessary for them to work at this moment in time, thinking "who the fuck decided to introduce the concept of workflow via the medium of Excel spreadsheets", and now we find out that the latest version of Windows has a main attack vector via XMLisation so that every company which has installed it can be owned by someone crafting something like:

<OnScriptRequest>

<Request application="Office365">

<command name="host.deleteall"/>

<privilege="administrator"/>

</Request>

</OnScriptRequest>

and embedding it in an email (possibly). Good old MS, still amazingly confused about the incompatibility of infinite flexibility and robust security.
