|
|
|
What Are Microsoft's Intentions Vis-a-Vis the Old Office File Formats?
By: Larry Seltzer
2009-04-14
Article Rating:  / 3
There are 8 user comments on this Network Security & Hardware story.
Since the long-term solution is in place, in the form of Office Open XML, is Microsoft going to let the old OLE Structured Storage formats that we all know and hate wither and die of vulnerability?When Microsoft moved to new file formats for Office documents in Office 2007
it was, for the most part, an admission of the failure of the old formats. If
you remember a couple years ago, there was a seemingly endless stream of
zero-day attacks on Office apps based on vulnerabilities in the old file
formats. Is Microsoft trying to kill off these formats quicker than it lets on?
The old formats, based on OLE2
structured storage, have a FAT-like structure for storage allocation, and
records in the file can become fragmented. This sort of complexity just begs
for errors that lead to vulnerabilities. Creating a whole new file format was a
major undertaking, but as a security matter it was much easier to do than to
"fix" the old formats. Indeed, a fix may have been impossible.
The vulnerability reports and zero-day attacks have slowed down, but they
still happen. In February, we had a
zero-day attack on Excel based on an XLS vulnerability, and just last week a
similar vulnerability in the old PowerPoint PPT files, exploited in
"limited and targeted attacks" in the wild, showed up.
Few, if any, of the reported vulnerabilities in Office 2007 had to do with
support for the new file formats, and almost uniformly you can mitigate the
effects of these vulnerabilities by using MOICE (Microsoft Office Isolated
Conversion Environment), which translates the files into the new Office
Open
Several sources, including the ESET Threat Blog
and The
Register, noted that the Excel vulnerability was unpatched, although Microsoft
did patch it Tuesday as part of a large Patch Tuesday set of updates. But
notice that no
non-security updates were released in that set (other than the usual Junk
Mail Filter and Malicious Software Removal Tool), and that's the sort of update
that ends as Office
2003 and Windows XP enter Extended Support.
Obviously, Microsoft would like to have us all move to the new formats,
mostly by virtue of moving to Office 2007, but that's not happening soon and
Microsoft's not making us do it. In fact, Office 2003 will be
getting security updates for five more years, through April 8, 2014, the
same date security
fixes for Windows XP end. See my last column for more on Microsoft's
long, perhaps too long, support life cycles.
Five more years of security updates add up to an absurdly long period of
time, That's why the theory about the Office formats doesn't wash. It's not the
way Microsoft does things, although perhaps it and the rest of us would be
better off if Microsoft did.
But the ESET blog is right that the damage from targeted attacks can be
immense, and many users may be exposed. If Microsoft is going to claim to
support the old formats for five more years, it needs to make security updates
for them a high priority for five more years.
Security Center
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack.
 |
|
|
�������x}kw⸲Z�4ٓ}b4" ;@wvk�ٶI̝?quJ_<�ѓ93 XrIU*J��~$I�="-g0(ٟ8G
ޙ'Twއ{s�UQ!}�PQ2ĠMu� ߧ`�|-sdW3�}fj���uk{#|�J~x'AT�{��!�x9�UΜ�}ٜ#7fGp21X�
{@a:)�N�u`�ϟ[�$�)qHÑh]!YQ�M�X�-:���ۗ<7*�U;�p#f_ʞ0�I^I�"p8$j�>vnGd3#L��=xA/�7![q�4��b'*cO^3h�V\��0F΄; [{K}ۀJ3rNG�"�ScOj$ѡ��N&IEp/0; ��G^C]ñ���X,.R-�iAwtԭ�Q��:S��H��c�1,}�<�E%$�7
�mqO-0U`>2=h��:a;6]�Uh?BWuomzZ[е�#יكC2s7cߟ.wQw1 �T)mO |l�70>}�5�WM�"c��ˡ,fXq/�푦�
�(GRXQ#x>{o�L{`TL3ykT�7�v.iRiu.W��~�]o-ж8
�EyrϺqqNnx��v4y/W@o&37`R!�LTP\h�g"��SclCGG,t;B�rM7Ja߹pK%_iv�d��f1O]ӣ0}_8RAf9n6qm\_]7;
m�_7�g>ߙekfy
3�?��|�Jg3D~3
V�7g7O�7MisAV\B'}:�
Of'ɷV�\vO^EXCY�Cm0MϑBER3�~:mt\5؇>�_4OHF܉,vOɿλ��`HmDm[ܸ̐L\sY�k�a(7�aM�<�~x怒�ȄS�Hu��t��^uEjR᭱J+Ҙ�>r u$yW͜�7�.hr�
Ae)#p?c݅I
�hJq�䠉3ذ�1�"%�hJ@{���� �}Et�AMO���%ތ�!E\r'�eE�!\Jj�!�!
g�|��8Jn.b?
K�.ν�AwWҲ9QZ�KK\M�E�1+]��)\/;mjt:�
xH18�,]evb`\\�Է7�R��f|���b�(7Zxl�2X��jX2>C}fYݛ>��A'EL�٤m;4�}t>G�$>hFƋMrnM�r�Ӈ4�vA���{ݥn]=&tfiPŞ+�ԃ9*`��I��E�6z�vab -d[b�|�l��eV&vφaZLbo��K7�]�,�S�l�-m�u{֊9�6
��ʳ?LBO:ȑRV�tˊ*/ğ[l;y
S�iCW�\g?MןAw��)�iwLI ?,x݅�po�aB?>bѺ)M=�=͇f�
ӛ5/�j�;`b< C>l4`
l4�Tw 6A�0>A̞P��,jXl2|dܣ!]?�`*OCjVzv}n7MAV?�P�y
v�|:�p���9߅#rUϚX� 5<).�&B#5w�&�Q1OzBfepJ
*$,��4� px�j�K=}pG](.EzcgBl�3]s;tOV�/OJb-yhֽk�n�H_ƠP8�.
B[+�܁� I��R%W��}kaԕ %/D�A
n29bX�6�X.4^`N/a<*)Wi�vsla=5&�x&;ߪ&TYw�C�hz#�rASґU|>X;l�� �ʸ66 [IeFլ�|8S �cQD:SW�X<}哏6L'�|�3ې�tx��N)>F�TXfRhjYVL�-F�*=��(���+���ұ擩ۋ�ҢsX^S˺Խa:Ϯ�
�V!0�0xpT30`�Mzi�Om�)�W�&ٰXPr�~���j"�yd\s˰e0\j}��r)+jܸ >CL-i|���@:*}����#"�k躗+*�`k�受^̣nsP�ͨDkJc�\�CК.�[Rw==>8Ȣ\Qނ+69E)Ƙ>�5 b�d��]X�yz�@�gD� ��pHE&@|Zkh��
y= *�rq���-b
(h
bAzp�E��n`bu`1:C�5f.z_;=2dB4�]e�j,F�@{BR.sr)"�ZQU�Z*pW�tveN�${p�/q=�M7;1zZ�;Tz^n�}v݁�/�rϙy >{�V�?fF�>yL��{H�eX0x%GOMqѾ,u�`�ˊ�t�V8|�,�@?
v�: �C\4><�}oc�4�pf
mWq=YJ+j9[�BO�-x[zG};ԻE���X}IMz.O>BQ�e�ڛs;xz跸2�@^5x{oUȌ�)Ĩ�UU)U9}f*�zoR.Eu0HNǝ�Glȡ2)w]COSܷ�V~uC�)&̳i�L�l�[u3
p]g8t�?}�,tdj~
#0:g\�}'�QDnuw "qc��jch_d��xUM+Pm�0&30�ʅφ5#�;
[�LلY�2J�ƚAF`5xj�==cݸM ܴ�B-sC�dKS0ާ'� ��Yn�~jAy̧�c꙯\�fJE�fO6 4D|�\D"pLn�ōap�zGdD">s=&��an.I6�0TbVRP�Xe V^A�ұg.3O}gj�\]~oLw{>JkӘG�2cd^��hV�z\ ԡ�g4\�M���
4yQFk�oZ�KEeH�7)rJY-��~VMn6=IT\SCQ�>4�GM42HF!I�(u(sy:3R\I-(1BoD�D\OsZdm7�,��:
�-6" "��l[
e|פX���OeF3�q1CX=x]dl���j>eWՄθ�4;b̬9[FqYy�Vum4tP�"5H�dVV5XI0ieI˕sZ~�����2aӃ�U}'*\&�Iv�⿿辶�ל��8_arOn͏{W�=`>xTIf:KżAk B9qO;a#2���3��"�p@�ɼ�'
xEn83A��x��
�vB�s9c#|V
n��Mxh=���=a7vpe-�bjW۫ita�.�g BF@�qDWn%�K'5?wD.
)�^}%y0W�&Th~n48��Z&IEqcxH15��6� B�@�y˸O�לY0z!�B�ZUc1z�
A0֢Q?�
Vegu3���_f�3Rt8|Qrw_�A(K7o1F߀>1Kw��xE�xW(k��pL�6bsZ;/��I1?x�Ծhv��|j?"I^�3_�����"Ts�8搌!�&rښS�%CcsOӖO|�B�Za�J;Xa<�u?I}�uYX[�[��NhA�:%ɩ$��=�)�JښIո'"8I5F4A2
uI@?
Mx�4HPW
Pقt��dž5>ܻ8�]l}عm|`��=`l)ZA�"| Nr
<_��`e>b%;yPb�QZ4ՒoeW!>���lj9l0�t`& !9Ϫl>{~�UTJ�۞nOl�#�H6?{�'q�ߋ8�t2Ti�'3XV3w;ѺB�^�ݞM5=ICw5FO9�.�Ս1A�/gp9[�Q�b0x"64NdxYwy"Kx�EıTrc�F`�י*hՁcݮ,�#�3��Á3M�Q6lwI۸&/sP�+�Ƃ'x��]Ge7o�m�\�~挜510=|4�okUe'3�
C7˝۽dNiamǡ8�
�0z^d$4P$YUղZ-WU�$]vd%�
>&�Yp�2�&nl�ځ{�-�3(�l#-u8_2{K7Kx=*^�gL��w.%|@z@pw�{Zg�QJW=�(qu@jjaAbT"z^Z\�dD��[Hڃ}co[#D:
wF#LuW�-3��
��'K
h<7�o2:׃L/C Gf�f7�g9 9��6@�8T�p�\�[w5%pRx25�y�(�h4Rwgt8�lv4H�W
-�~�@�k5ì!�#qZ�Ib��wl;�#ƣtǟ-ۊ&ZQ|;�N8S{K�8�j�RSW�W&6o)?�.��?дg=.0�QAWͼ2.mE>zQc%Fu?Zc{ϗ4ߟa8�~@+hFY�:sPURŃ�&L�5+�dXZcs
&~gȏ��ϊ_\GĖ>
oщi28چͮ<(RR5T�
v� �ވTbޠ�L's}vXw\�3vsC|A�XHUyR*�1\S �ڷ�̦SYKz� &et[��ݯ=#g!�Ғ�(-%)uA�N!g;}<4�ԸjܯT�9KS\j^ '1Awur���sjpe Pf�ъD0]�l4,X�P� eY`$�'L�Ud�X$>f;T�(}�͵Nv _Bh�AWAgT5~ ;RYn!2�Қ64̸�T�zN!gik�JRuL�C1�adU�0br�3$�s*/%�O앋ޔ�n̗}|�E$^?xPE.�^\T�k{�̂Z}[g�*sj!J4{Jk1"ayN5a��R%rLyx}z {)Ē=�p<�(ɺ��g��g(Ji+L?0qDKJ8Z!6Z�g��^�Cf��
_�bd�'PBb{Q��GA�\ݮ�JZ6g�@�R|OXf-PTLk.U� S��=h�F�#�uμJ))_@}�ar�J�0A+Tʕʪ"���!���LB̐�&�p����~!S"��%LSRQ+ ԣS{W#쯊KޯAa0x&�%��;e
00�S}.ux0Lj<��XX�"-}�8�UK�p��XhA^מto
^e;qAIR4`m \*H%G�:h�O¼GW�L!�S4Q$.����
H
�pm;qPQ�&RsrP9��ci ٘[ɻwfj7O�) C��m ��0�_�Glw�-mk:ۀͱ(>;|йE~<τ���p f[�|ı]]5IEJ2H�"6M�O5!0Y�tIw1�Lo3Ku�L�
!]`�����S�VJ=F{}H3K��-4ji;J�}J8��u�Q'���}}}}ޗX)}z~]�J7'Rs@u�c��kI�miL
֜+)Ӿi
Vɼ�[\J[;W9&fdJ]UĆ8�ӣ°C�q<|脽�n��[�#�F�
�H�~Kk[Wݒ�r/:cs#I�(S;}`}]Yۓ5HzSuR^'�8K'a�8W�O�̍1wmC�W�^xU{2-�3Susq#1�44EU`]�u �oE41�>r��RRɗ*k7pHx��[ � Z b�H��oMPI\As@ْ��/"T����r<6c8@�X���א�c+_#B!_ގIC��6FxcD4ƈh,�_9 +W/D5tj֞�J]̠KW'gV@?qh�]�lj�שH1\mw�HN[{,`ʘ
E"�qxFL��IuTk�PR]:��M�30t��x$xHg�6h��m=b!k�~�7�nfl2=0㫄Jī���y�lèÍ6VY���j�ӎ13�qwCmyg{�c
�Z��ɐ;v�0
>K�_/XpRK�T?庥D%R뿄r_<�4#wķIzf
\�4�Bxmm
aZMsz�m6Xoxڄ?fER3o��Z���ߦ�Lm_m�auB#^�&F/t
�ȪhF̲.8wt)۴RR#6]#Լ,��:>('� �ƗY'dz
ZHg�c9#ya0cT0̬,MdfF\���Ӿ���yS~m�Ѓ�>?w}L0g�;�Q�|5Ҟ_V�.W-J�
'*`-k;�hOW&�>-.b1DKb���@/]j�r}����NtX�MB�L^gűݳYx*]�(�Z@�ln��g+hT9T7F�_�@gjF��>~^�EH�#�_O�vg�@�a]I��Yx�ͦF��0a�룼�:6M^џcz@~�RJ~q/sdN0�nG?�$¤훴'O|��D2z(�A�x8�n�'{{[��$']�"gvȏ{"W�tךQN|l:�KpJjyo���
~Ezt $P�b��N4�#xn�I@"6,��A�ˢǽ
!|'w%Ns�n^�(a��?6v�1h}P����#=%1��%Ⱥ=c(LA�+jj5��A�^�"w=5!ckr|D�,?��t�"�V.+>�l?��Q�X�P.CA�9�Kf\�lLUh-���\91�͜E�.
tM�cc%5S+)�ub?]C-ttAk-c"]H1x~��[ޣkmOF׆S�j�9椷 �KTG��(B�bM�`x��bXi
N|csC�!Vi
<68�Vi
�6vn&S+ip�zL�Ko^=C'�ܬXn߮\�cL�mQ�a wc,KjH\��Гc��[Kx6_b���~(�R&gI*
]Z ��0>4��l�dWΕs唂Z,�ʳ?uW�9Z֔VΫ`eE�"Ѳ(er�0,L76�Bu�.�kXl7����-+��7tך�Ra
):d0rל$-,kG�
�6_I�~K<6�0l��-^`wUpjI\�o襍ڵ˔8把`�^P#"�m�M4z2Ah
9��F;2vCW5APH{=�EBMh>#4-�cH:J�sm,Q>2?��6Ƕl[va|�D�uv�7H1�tNu[M�@&(�L�DҙRԣ?SJ1m+Q�^D�b%l�'��J
ށ�ãcS0]�즄�bLʇیh)9Q"oi��ƃ�QΌ)�G���n�iVmI|�.�kp�>a@w7O�+>heeQl+;Y75��UiO8AnH-ݴXZ>Њ�>#oˮI XPp��QMN9(�T~�N����F̋XLst8:7h�.= wz̥�7d?= �N�8=�mǃ�"�a=X *>In�$%�H�"H] �UC
`�xSI ~qh|D~7/esv��
"ϝ�k�`&�X�/�=_�0`*ëٙ#?<�r/��ۅuE)�d���-=2�V<�7sa)}
�r��EA��H��GT~kT�7�/;JEa�#y~�>g�6L-�
D�ɸ"c�(41GJ[!!}s�uä5�1�4�0'l��d
�D=�ps\�l:�ۈ$9�R�"�5L۰flFNy@���sy�%��:H�"V|8s�]J,�rQWc+O
$N1X�ށ.Jge��E�t�0��w�j�9C�(�NlJ ͍$�u�~f��P�6uЁ"(�[��]ă0>]_�/*��LL�32%Lf�lxAQ(�b8Mu;ӟy,ȏ]mwg)��fv\_<Ԛ)пfJ?ӼL)7S}줔//�E
|ji��[���Jo�JO�o�lg�()_~)P~R�(GJy�[)0){ s"?0~)׆S�N?m/�r�q�WU?)�;)w�N
]n
u�Z_ S
}i�>�>�oʁoR�ڿIi�&s$CP^O�.N!�pS�q
�//<�,�)@y
JN",cR\ejL�{�%;[?[_W'BX\jrr+g^6&i5�vKIA
� {} yW��/"yeo�):� �AQQ&�
3l?�][[,Oн�ٺ{'rJݓs+z`~\]M�b}+|UnE�+tOq�2#s�"q6G#�n1'-0�UΉ(c#h�3.ő�s[剹?|�[2�wٱ?\?{��\�pۭঠǻ]h-i�O��W-}~E��ÝxvY^]Y���7�m>ϋ9y}2iA=:o�*+6�:�6a3[� ňC/�s
H;x�_=A/K/�gU4N>]7_S߭�Ҹ_��=Ts쓥>�'~3'XV�)pF �F�^a�%I1z�I���Oa45D��rjhN4pὍ97��F>>��$UR1iy�bP*f~ܓN0l@Dd�1\ ̈ɪ"+ew9�س��V+*B�0�XT����^9�Q(Fuo*K0>в�z!�J1
=4a֭xK1�BDO"�ґWzۃg˘E͛YȌ�L�Eu7/��{_ۑ������f@�2b/�`{8��z5볒0�h83gz�T'mZ��&.eа!�,%sv[?���|vLB�3L՟X&3(W�!;Po.@#�
dϽC�!L�x
uYSA�|#-}�O�.LESzq�;18��,_bY\s��XC�L['l�ylb)m+ dHXU$G�~]�I��L-q{Ȫ�JE��}a!rE>/︷<o,0z.��fYŤe�@��fWjC�ŝ��I��VM�Ί+qMH�_f�]32
/ çn3F ��nt}�>�'}c�kd1Mk��+cI�P<���퉒ՍPv��'��3Ffl@P�܍�-�
?~.�.t�-�~L��ӳ{LVm bxnܙ%̋_S30ƚ 9\LjQ�O"cbF�rd{GoN{.0I|�nH�KU֧f2{N{з��5g�0[|�@9ނg�ܨN{^EVb0��yM&Q�q�?�dxE���#b[p!@�pET'2QT
�Q)Yl��{�d휙�9�9
3/�&U@EqH'@6y
6s6�N`^q=˼+AюY�mwox%+^FڶHM`WH{�XiW��1RpCV)�tOK�}狰��@Nt��H�k,^��zX�"gP9N�Rjãƍ
,c-�ԭ<�?��_Cn&?c5VQٮ�7GLcݰ+`�jzk�E]EtxA&燸[�0pczN��{0^m,eH}+qd.
"�$(jVI�{{A0��&iE-ȣd`C�v�_Ȉ~ph;?�҈�A� wVǰYF!&ۅt;�O80�Ux|�-h\�};ݘ_9i9LgḜ893E~1Z�%L+DvzU�k_^5F�EylT$bB)rY|}�gLo耵�Bjv7Mǎ�C)&DW6K�5�4Ƙb>L1�wMX�+0_�k��Ac�L5Ȳ�(`,��Lv"V�kMΡmbpR!�f�Ʋ�#7cP&X��-ƯB@:S ��.x C��,$?��ˋ�}P�S9�9�.@OI"cXM1}aEo�|1'D+���ƕ�yĺ�@Xqө8Yot\4.˚]w�By־JgV!�$;m��v<8~v�i~m� a�
ѰT\��4�λ+O��,-ݸ�۟.O4hI:F���K]OO��?`(Xk�E�Ch�⍾C01|4ߛSsPUV�Gv�3�HZ��W'�%_mu; o"f/bOf6A_U&s)C�M�W\e\)M}�9V��2;
�fV&|F�Z2cˤ_�?T$<)��
|
Network Security & Hardware 
