September 28, 2009 at 10:13 pm
Comments posted to this topic are about the item Security Focus
September 29, 2009 at 8:25 am
This is a timely editorial, although you did not mention that the blog you referenced makes remarks about Microsoft Office which at this point, is more vulnerable than Office has ever been since its inception.
A few years ago a few of us were given a presentation out of Redmond to review the coming changes in Office and we were shown the new file format and I have to remark that it was the most stunning moment of apparent lunacy that I have ever experienced in my entire IT career. For those unaware, the new format consists of a compressed, non-protected file that contains XML, JScript, and other sub-components making up an Office Document, Excel Spreadsheet, PowerPoint presentation, etc. You simply use any decompressor, like WinZip, and voila - you have the sub-component files right there to fool around with all you like. If you have Office 2007, go ahead and pick any application and run its file through WinZip and you will see how easy it is to break open the integral parts.
As we sat through this presentation and were asked for questions, just about everyone in the room sat stunned and wide-eyed and asked questions like "Aren't you creating a hackers paradise?" obviously making it so easy to break into these files. We were answered with a vague wink and nod suggesting there was some security feature coming. To this day, none has appeared - you can still crack these files effortlessly, and then mess up any XML, Script or whatever you please. In short, hackers around the world must be in heaven that MS has made it even easier to crack and hose up Office files.
And of course, now that these are compressed "collections" of sub-files, all the more easy to slip in some nasty stuff that can then attack SQL, any other app, or the OS itself. Just package it in the compressed file, and bingo, its hidden and ready to unleash whatever horror any hacker wants to throw. Office files now become excellent "carriers" for hackers mischief.
Why did MS come up with this format? The general answer I have heard is to gain control of the XML standards. That is, thats what is behind most of this - but security? Well, some are saying that in the coming years Office will be THE entry point of choice for hackers around the world.
Personally, I am still stunned and totally baffled that Microsoft has built a brilliant castle with this format - problem is, it has only three walls. MS may garner control of the XML standards, but this format is a dream come true for hackers and I am still waiting - three years later - to see anything in the area of security for this knuckleheaded format.
Viewing 2 posts - 1 through 1 (of 1 total)
You must be logged in to reply to this topic. Login to reply