the computer industry has been a-twitter for the past few days, concerning a zero-day “bug” in micro$lop word, which gives an attacker full execution control of the victim’s machine — a Very Bad Thing®.
this reminds me of a couple of things that i experienced, more-or-less first-hand, while i was working at micro$lop, and is the PRIMARY REASON why i’m really glad i don’t run machines with their software on them.
there’s this, which outlines what the “bug” is, and how it allows an attacker to take control of a victim’s machine (i put the word “bug” in quotation marks because bugs are usually things that appear in the code by mistake, but it is my impression that micro$lop put this in deliberately, without realising the potential damage it could do)… which brings up the fact that they have known, particularly, about security problems with OLE (which went through a stage where they were referring to it as “ActiveX”), at least since my friend, and computer-god fred debuted The Exploder Control in 1995, which did a clean shut-down of any machine unfortunate enough to be running Windows95 — PLEASE NOTE: the Exploder Control is not harmful, and will not run correctly unless you’re running Windows95 and Internet Explorer version 3, which, by this time, presumably, you’re not. fred’s premise was, and still is, that if you have a method of exercising THAT MUCH control over a machine, it better well be FULLY AND COMPLETELY SECURE, otherwise people WILL take advantage of it.
i worked at micro$lop when the first Word Concept Virus was discovered. it was unique (at the time) because it allowed an attacker to infect a victim’s machine over email, without actually having to have physical contact with the target machine. it worked by utilising micro$lop word’s “normal.dot” template, and required the victim to have macros enabled by default. the new, most recent word problem doesn’t require macros to be enabled, and doesn’t work if the application is running in “Protected View”. so, the solution micro$lop has come up with is to recommend that you run word in “Protected View” in order to avoid this particular vulnerability.
it is significant, to me, that the primary reason we have things like active antivirus software on our computers today is because of actions taken by the micro$lop corporation when i worked there. when i was working there, they were the largest manufacturer of computer software in the world.
and it reminds me of the solution micro$lop came up with to avoid another “bug” in another one of their “excellent” programs, internet explorer: version 3 exhibited a flaw in the way that it displays URIs in the address bar, and by opening a specially crafted URI an attacker could open a page that appears to be from a different domain from the current location. the solution? “Do not click any hyperlinks that you do not trust. Type them into the address bar yourself”… despite the fact that one of the features of all web browsers is that you can get from one source of information to the next, easily, without having to type in long, unintelligible strings of code.
Rule of thumb — Every time Microsoft uses the word “smart,” be on the lookout for something dumb.
— John Walker
A little detective work revealed that, as is usually the case when you encounter something shoddy in the vicinity of a computer, Microsoft incompetence and gratuitous incompatibility were to blame.
— John Walker