Microsoft New Patches for Office Vulnerabilities — Got Root?

This rant is targeted at those who run Windows as root (administrative users in NT, ME, XP, and Vista) exclusively. It also applies to those who run as root in Linux, BSD, and OSX, or any other OS that runs as an all-powerful single user.

It really does make a difference how users run their computers when it comes to vulnerability levels. This is especially true with Windows because of the number of criminals focusing on the most popular platform. Many users either fail to read the documentation to understand how to maximize the security levels afforded by having different accounts or they choose the convenience of running as administrator all the time. So if and when they get some kind of malware in their admin account, it affects the entire computer.

That’s dumb. There’s no need to run entirely as root regardless of which operating system you choose to use.

Microsoft released a critical patch set yesterday for remote exploits that affect Office packages including Excel and Office Outlook. Mac versions of Office 2004 and Office 2008 are also affected by one of the vulnerabilities fixed in this set (that exploit involves a “maliciously crafted” Excel file granting remote control of a system).

Microsoft Patch Tuesday Fixes A Dozen Office Flaws:

Andrew Storms, director of security operations at nCircle, said this month’s patch cycle represented a “shining example” of mitigating Microsoft Office vulnerabilities. He noted that Office users without administrative privileges won’t be affected by these flaws as much as users running with full privileges.

Storms also said that Microsoft’s newer Office apps appear to be less vulnerable than its older ones. “When the support line for Office 2000 and Office 2003 drop off the board, we’re probably going to see a pretty significant reduction in Office vulnerability,” he said.

I think Microsoft has an unfair rap when it comes to security. How can they be blamed for (a) user choice when it comes to running with root privileges and/or without firewalls and other sensible measures or (b) their market share, which makes them big targets for cybercriminals? If things were reversed and Apple had dominant market share, we’d hear a lot more about how vulnerable their operating system and applications are because that’s where the criminals’ attention would be focused.

I also don’t think open source is always the answer when it comes to these kinds of security issues. I remember some of the exploits discovered in Open Office, including the infamous French military analysis: “A number of the problems described in the report have to do with the basic design of the software. For example, does not perform adequate security checks on the software it runs, the researcher said. And because of the extreme flexibility of the free office suite, there are many ways for writers to create malicious macros, the researchers found.”

Yes, much of that changed in subsequent releases. No, the threat is not over. The Open Office website has its own security section, just like Microsoft’s site does. The Open Office site admits that their project “is a complex piece of software developed by various teams” and accordingly “it can contain security relevant bugs.”

Similarly, there are many Linux users who run as root — the thirteenth most popular distro in Distrowatch’s list (as I write this) runs exclusively as root and I can think of a few more live CD-based distros that do as well. I don’t buy the safety of a read-only OS that restores when the system is rebooted: data on any hard drive or mountable partition is vulnerable both locally and remotely. I also can’t tell you how many times I’ve seen Macs run in single-user mode as root — seems to be the norm rather than the exception. And they’re using insecure public hotspots!

As long as there’s money to be made from spambots and identity theft or pleasure to be gained from pwning someone else’s system, there will be threats regardless of which operating system and software packages are most popular. The solution isn’t a one-size-fits-all adoption of open source or falling prey to stupid ad campaigns that anthropomorphize computers. The solution is in educated users who are on top of their systems regardless of what they choose to run.

