Open Source and information security mailing list archives
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Bill Gates blames the victim

"Richard M. Smith" <rms@...puterbytesman.com> wrote:

>    >>> As long as the patch is ahead of the virus, where
>    >>> does the accountability really fall?
> 
> I'm curious about one thing.  How is the typical home PC user who runs
> Microsoft Office supposed to learn that they now need to download a patch
> to fix this latest critical security hole in Microsoft Word:
<<snip URL>>

And if they do, and are on slow connections, are they (depending on the 
version of Office in use) really going to bother with first d/l'ing the 
service pack they will need to be able to install the patch at all?

This was a huge problem with MS03-026 and home W2K users.  Typically 
running SP0, they needed to d/l a 125MB service pack to get their 
machines to a state where they could install the patch.  Being online 
for the 10 to 20 hours (on bogged down modem lines) to get that was 
entirely unfeasible -- if nothing else, their machine would hang, 
reboot or otherwise go septic from all the Blaster traffic they were 
trying to get protected from well before the d/l completed...

> BTW, I tried downloading all of the security patches for my copy of
> Office XP the other day but couldn't.  The update procedure requires the
> original Office XP CDs which are 150 miles away at my other house.

Charming, isn't it.

   Trust us -- we've fixed all the security flaws!

   What?  You want us to trust that you really are a licensed user so
   you can install a security fix that addresses something we missed?

> For 3 or 4 years now, I've been asking Microsoft for a simple option in
> Word to turn off Word Macros since I don't use them.  If this option
> existed, these ongoing security holes with Word Macros wouldn't affect
> me.  Any idea why Microsoft refuses to implement this rather obvious and
> useful security feature?

In Office XP they actually provided it.

Well, kinda.  You can disable all VBA across the whole Office suite -- 
as an install time option you can specifically pick out VBA support and 
set it to "Never install".  If you only use Word and PowerPoint (and 
perhaps just use Excel for very simple things) you should be OK with 
this (though may find that many of the "wizards" MS salesdroids are so 
proud of aren't much use...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

