Word 2010 Vulnerable to .rtf hack

Tunnelcat
DBB Grand Master
Posts: 13309
Joined: Sat Mar 24, 2007 12:32 pm
Location: Pacific Northwest, U.S.A.

Word 2010 Vulnerable to .rtf hack

Post by Tunnelcat »

If you have Microsoft Office 2010, don't open, OR EVEN PREVIEW ONLINE, from an unknown source or author, any .rtf file. There's a new vulnerability that Microsoft needs to address.

http://finance.yahoo.com/news/microsoft ... 32816.html

http://blogs.technet.com/b/srd/archive/ ... tions.aspx
Cat (n.) A bipolar creature which would as soon gouge your eyes out as it would cuddle.
Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Duper »

YIKES! Thank you TC. I hadn't heard anything about this!
Tunnelcat
DBB Grand Master
Posts: 13309
Joined: Sat Mar 24, 2007 12:32 pm
Location: Pacific Northwest, U.S.A.

Re: Word 2010 Vulnerable to .rtf hack

Post by Tunnelcat »

Yeah, I went in and set things up in the OS so that Word will NOT open any .rtf file.
Cat (n.) A bipolar creature which would as soon gouge your eyes out as it would cuddle.
Top Gun
DBB Master
Posts: 8019
Joined: Wed Nov 13, 2002 3:01 am

Re: Word 2010 Vulnerable to .rtf hack

Post by Top Gun »

It's probably not an ideal solution that I'm still on Office 2003, is it? :P
Spidey
DBB Grand Master
Posts: 10724
Joined: Thu Jun 28, 2001 2:01 am
Location: Earth

Re: Word 2010 Vulnerable to .rtf hack

Post by Spidey »

Office 2003 is awesome...you can stick your "ribbons" I will keep my macro buttons.
Jeff250
DBB Master
Posts: 6511
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: Word 2010 Vulnerable to .rtf hack

Post by Jeff250 »

Top Gun wrote: It's probably not an ideal solution that I'm still on Office 2003, is it? :P
It's fine, but only for a very short time. Office 2003 will end-of-life in April, and then any newly discovered security problems will exist in perpetuity.
Spidey
DBB Grand Master
Posts: 10724
Joined: Thu Jun 28, 2001 2:01 am
Location: Earth

Re: Word 2010 Vulnerable to .rtf hack

Post by Spidey »

Well, not really a problem for me, because I don’t open any files with Office 2003 that I didn’t create, and one machine I use it on isn’t even online.

When I need to open a file from someone online I open it in protected mode with Office 2010.
Sirius
DBB Master
Posts: 5616
Joined: Fri May 28, 1999 2:01 am
Location: Bellevue, WA

Re: Word 2010 Vulnerable to .rtf hack

Post by Sirius »

Hmm, fancy. I'm running 2013 so all I have to look forward to, apparently, is a crash.

Hard to say whether 2003 would be susceptible, but they didn't call out any older versions, so it might not be. Memory layout dependent exploits like this are very likely to only work on specific versions.
Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Duper »

ugh.. Keep your 2003. buggy. bleck.

2010 is much better and Spidey you can still make your own short keys if you want, not that many changed.
The ribbons are a different way of looking at things; it's just a tab function. Really no different than your browsers. They group functionality fairly well and if you don't like using that or shortcut keys, there's always the quick launch bar on top or below the ribbon and between the doc if you want. I use the QL bar quite a bit as there are 5 or 6 functions I use on a regular basis and I don't like hopping between tabs.

There are some serious format difficulties in 2003 that 2010 fixed. It handles imbedded images a WHOLE lot better and the docs are half the size now. 2007 wasn't bad, but they smoothed a lot of semi broken things out with 2010.

Anyways. I imagine that there will be a largeish patch soon.
Spidey
DBB Grand Master
Posts: 10724
Joined: Thu Jun 28, 2001 2:01 am
Location: Earth

Re: Word 2010 Vulnerable to .rtf hack

Post by Spidey »

Bugs don’t bother me in the least, all I do is bookkeeping on that version, nothing new.

As far as the macro buttons…no…the only way to get macro buttons in 2010 is some very convoluted system using saved sheets and converting them to add ons, I tried it and it’s very frustrating at best.

Oh wait…you said short keys…no that is not what I meant…I custom designed my bookkeeping system, and it’s highly dependent on MACRO buttons. (changing from OS to OS is bad enough)

And I think I already implied that I do use 2010.

...............................

EDIT:

Sorry, I should have said "toolbars".

I activate my macros from buttons located on several toolbars located at the top and side on the screen. Way too many to keep track of if I were to use shortcut keys to activate, and way too many clicks to use the ribbons.
Tunnelcat
DBB Grand Master
Posts: 13309
Joined: Sat Mar 24, 2007 12:32 pm
Location: Pacific Northwest, U.S.A.

Re: Word 2010 Vulnerable to .rtf hack

Post by Tunnelcat »

Spidey, my husband was still using Office 2003 as of 2 months ago. Now he's using Office 2010 because he finally upgraded to a Windows 7 machine and I had a 3 license boxed copy of Office 2010 sitting on the shelf with 2 licenses left. Even with his poor vision, he's gotten quickly used to the interface and toolbars and doesn't seem to mind it now. Oh, he bitched and moaned, but he figured it out. He even figured out how to modify the normal template to keep all the settings the way he wants. It wasn't so bad. In fact, he didn't want the newest version of Office because it's now "in the cloud", like that's a great thing. Not something I want in a personal word processor either. I guess we're old fashioned. :wink:
Cat (n.) A bipolar creature which would as soon gouge your eyes out as it would cuddle.
Spidey
DBB Grand Master
Posts: 10724
Joined: Thu Jun 28, 2001 2:01 am
Location: Earth

Re: Word 2010 Vulnerable to .rtf hack

Post by Spidey »

How many times must I say, I use 2010…

If you had to adapt my custom accounting system to 2010 you wouldn’t be singing that tune. It’s a hell of a lot more involved than just learning to use the new interface…which I learned back in 2007 or such.

So I simply keep 2 versions on my machines…what’s the big deal? In fact I’m writing this very post in 2010….doh.

And JFTR....I will NEVER use software from the cloud.
Tunnelcat
DBB Grand Master
Posts: 13309
Joined: Sat Mar 24, 2007 12:32 pm
Location: Pacific Northwest, U.S.A.

Re: Word 2010 Vulnerable to .rtf hack

Post by Tunnelcat »

Spidey wrote: How many times must I say, I use 2010…

If you had to adapt my custom accounting system to 2010 you wouldn’t be singing that tune. It’s a hell of a lot more involved than just learning to use the new interface…which I learned back in 2007 or such.

So I simply keep 2 versions on my machines…what’s the big deal? In fact I’m writing this very post in 2010….doh.
:mrgreen:
Spidey wrote: And JFTR....I will NEVER use software from the cloud.
Yeah, and the newest version of Office Cloud is only version 1. No one buys a new software product until at least version 3. :P
Cat (n.) A bipolar creature which would as soon gouge your eyes out as it would cuddle.
Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Duper »

yeah. ditto on the cloud thing. Why do I want to keep my data on someone else's computer?? If you can carry a 64+ gig flash drive the size of your pinky nail around.. the whole "convenience" thing goes right out the window. I just bought an Asus Transformer T100 (half notebook-half tablet) I spent the extra $50 and got the 64 version instead of 32. I put a 32 Gig chip in the side and I'm good!

Back ups? ppbbbt.. that's what external HD's are for if you want. Cloud is a gimmick and probably something else, but I can't reach that foil hat from here. ;)

Oh and Spidey, my apologies. I was just ribbing you about 03'. I'm normally the one that chains himself to a tree and shakes his fist at the chainsaws of change! ...aaand I normally acquiesce. :\ However, I really had a time of it trying to get around 03 Word. We use a lot of imbedded images and objects in our documents and 2010 got rid of a lot of those problems.

I guess I could always use InDesign, but that's a bit overkill for simple instruction sheets.
Sirius
DBB Master
Posts: 5616
Joined: Fri May 28, 1999 2:01 am
Location: Bellevue, WA

Re: Word 2010 Vulnerable to .rtf hack

Post by Sirius »

Few things...

Luckily: Bug fixes are rarely large. The update shouldn't break the data cap :)

The newest version of Office kind of has two "flavors" - 2013 and 365. 2013 is basically the same thing, but sold as a one-time boxed-software purchase, rather than on a subscription model, so it's probably more to many old-schoolers' tastes. It isn't cloud-only - it can do everything 2010 can. I'm not sure there are a lot of compelling additions over 2010 though.
Even Office 365 has the desktop version, which is really the more powerful option anyway. There are web-based versions now but you don't have to use them. They do actually seem to be fairly reliable, though, and have been around a few years (3-4? I'm not really certain). They are still behind the desktop versions in feature set, though, and it's possible they always will be. It's difficult to keep track of version numbers for the web apps since web-based applications tend to have much faster releases than boxed software.

For someone with only a few devices (at least only a few they want to use), cloud storage doesn't offer much, no... the USB drive option is generally OK but doesn't automatically sync (which is fine if you know what you're doing, but if you don't it opens the door to accidentally losing track of which version is newer), and you can't plug a thumb drive into a phone or iPad, but you can use cloud storage on those devices.
If you're super worried about information privacy and the NSA, you will probably still avoid it like the plague... and yeah, you can definitely get by just fine without it. It's just a convenience/backup thing.

Edit: Wow, finally hit #5000. Only took 15 years :)
snoopy
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Re: Word 2010 Vulnerable to .rtf hack

Post by snoopy »

Sirius wrote: If you're super worried about information privacy and the NSA, you will probably still avoid it like the plague... and yeah, you can definitely get by just fine without it. It's just a convenience/backup thing.
I'm more worried about the "we're getting our hooks in so eventually you don't own any of your data and you lose everything if you decide to go somewhere else" aspect. A big part of my support for open source efforts is aiming to maintain freedom from vendor lock-in, which is what I fear from cloud-based office. Microsoft has been working hard for years to keep customers locked into Office... and I like the option to use things like LibreOffice to open my data without having to pay a subscription fee, thank you very much.
Arch Linux x86-64, Openbox
"We'll just set a new course for that empty region over there, near that blackish, holeish thing. " Zapp Brannigan
Top Gun
DBB Master
Posts: 8019
Joined: Wed Nov 13, 2002 3:01 am

Re: Word 2010 Vulnerable to .rtf hack

Post by Top Gun »

Honestly I didn't mean to imply that I'm fully against newer versions of Office; I think we have either 2007 or 2010 on the family's computer, and the few times I've used it I haven't had much trouble adapting to the Ribbon interface. But at this point I don't ever plan on using a new version of Office unless I get it as a freebie: I'm not going to spend over $100 for a simple software suite when I can do the exact same stuff I'd use it for with LibreOffice for free.
Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Duper »

07's ribbon is a bit of a beast. It was/is about as flexible as a leaf spring compared to 2010. :) 2010 gave you customization, some old 03 functionality that had been pitched out the window. (wow.. unintended pun there) and just seems to be a bit more forgiving. One of the neat things in 2010, you can enable even old 95 functions if you want. You have to dig a bit to find that, but it's there.

Hey Sirius, do you have any idea if MS has had the thought to customize their OD model to different platform needs? I.e. Mobile, Desktop, Industrial, maybe others?
Tunnelcat
DBB Grand Master
Posts: 13309
Joined: Sat Mar 24, 2007 12:32 pm
Location: Pacific Northwest, U.S.A.

Re: Word 2010 Vulnerable to .rtf hack

Post by Tunnelcat »

Duper wrote: 07's ribbon is a bit of a beast. It was/is about as flexible as a leaf spring compared to 2010. :) 2010 gave you customization, some old 03 functionality that had been pitched out the window. (wow.. unintended pun there) and just seems to be a bit more forgiving. One of the neat things in 2010, you can enable even old 95 functions if you want. You have to dig a bit to find that, but it's there.

Hey Sirius, do you have any idea if MS has had the thought to customize their OD model to different platform needs? I.e. Mobile, Desktop, Industrial, maybe others?
They're putting an App version on Apple products, although with a few teething problems.

http://news.yahoo.com/app-fixes-one-off ... 36776.html
Cat (n.) A bipolar creature which would as soon gouge your eyes out as it would cuddle.
Grendel
3d Pro Master
Posts: 4390
Joined: Mon Oct 28, 2002 3:01 am
Location: Corvallis OR, USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Grendel »

Install EMET. Should have been included in Windows from the beginning :/ Also, get rid of Word and use OpenOffice.

Affected software: Word -- 2003sp3, 2007, 2010, 2013, Word Viewer, Office Compatibility Pack 3, Office for Mac 2011 etc.

https://technet.microsoft.com/en-us/sec ... ry/2953095
Sirius
DBB Master
Posts: 5616
Joined: Fri May 28, 1999 2:01 am
Location: Bellevue, WA

Re: Word 2010 Vulnerable to .rtf hack

Post by Sirius »

Sorry, OD? I'm not familiar with the abbreviation.

Regarding lock-in, I note that you should be able to tell well ahead of time if something will make platform migration harder or impossible. Especially because there will be many, many voices complaining about it :mrgreen:
It's also a lot less strategically viable to try to pull that off today than it used to be. Even in the emerging enterprise cloud computing market, MS is having to make Azure as interoperable as possible because the customers are just not going to be interested if it isn't.
Duper
DBB Master
Posts: 9214
Joined: Thu Nov 22, 2001 3:01 am
Location: Beaverton, Oregon USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Duper »

sorry "OS". Didn't notice that. :oops:
Sirius
DBB Master
Posts: 5616
Joined: Fri May 28, 1999 2:01 am
Location: Bellevue, WA

Re: Word 2010 Vulnerable to .rtf hack

Post by Sirius »

Kind of. I get that impression, especially with divergence between desktop and tablet models increasing again in the 8.1 update next week - a lot of typical desktop affordances are coming back, and they're not generally visible on tablets - and that's only set to increase by the look of it (there was talk about a remodeled start menu as well, in a later release though). I'm not really sure what sorts of lines would be drawn between form factors or where they'd be though. A large smartphone and a small tablet have a lot in common and it doesn't make sense for the UI differences to be too great in that case.

There is a very clear strategy MS is pursuing of using a common kernel (and even applications framework - as was announced today http://www.neowin.net/news/microsoft-an ... phone-apps) for devices of all types, though... basically the different types would just have different UIs, I would guess. This apparently extends as far as embedded smart devices, which have sometimes been collectively referred to as the "Internet of Things" - it's apparently possible to use Windows for that as well, although the UI is very different, arguably non-existent in many cases. I imagine they had to strip it down massively to do that, but there has already been work in stripping down Windows so they could pack more virtual instances into cloud computing datacenters anyway, so part of the job may have already been done.

Being a little late at night it's difficult for me to know whether I'm making any sense :oops: Guess I will check back in the morning!
Grendel
3d Pro Master
Posts: 4390
Joined: Mon Oct 28, 2002 3:01 am
Location: Corvallis OR, USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Grendel »

Looks like MS is addressing this w/ next week's patches.

https://technet.microsoft.com/en-us/sec ... n/ms14-apr
snoopy
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Re: Word 2010 Vulnerable to .rtf hack

Post by snoopy »

Sirius wrote: Kind of. I get that impression, especially with divergence between desktop and tablet models increasing again in the 8.1 update next week - a lot of typical desktop affordances are coming back, and they're not generally visible on tablets - and that's only set to increase by the look of it (there was talk about a remodeled start menu as well, in a later release though). I'm not really sure what sorts of lines would be drawn between form factors or where they'd be though. A large smartphone and a small tablet have a lot in common and it doesn't make sense for the UI differences to be too great in that case.

There is a very clear strategy MS is pursuing of using a common kernel (and even applications framework - as was announced today http://www.neowin.net/news/microsoft-an ... phone-apps) for devices of all types, though... basically the different types would just have different UIs, I would guess. This apparently extends as far as embedded smart devices, which have sometimes been collectively referred to as the "Internet of Things" - it's apparently possible to use Windows for that as well, although the UI is very different, arguably non-existent in many cases. I imagine they had to strip it down massively to do that, but there has already been work in stripping down Windows so they could pack more virtual instances into cloud computing datacenters anyway, so part of the job may have already been done.

Being a little late at night it's difficult for me to know whether I'm making any sense :oops: Guess I will check back in the morning!
Makes sense... write & support a single Kernel rather than having to maintain what amounts to a bunch of branches. Same thing with the applications framework...

[snide remark]
Sounds like Windows is continuing its migration toward Linux/Unix
[/snide remark]
Arch Linux x86-64, Openbox
"We'll just set a new course for that empty region over there, near that blackish, holeish thing. " Zapp Brannigan
Grendel
3d Pro Master
Posts: 4390
Joined: Mon Oct 28, 2002 3:01 am
Location: Corvallis OR, USA

Re: Word 2010 Vulnerable to .rtf hack

Post by Grendel »

Grendel wrote: Looks like MS is addressing this w/ next week's patches.

https://technet.microsoft.com/en-us/sec ... n/ms14-apr
Fixed w/ MS14-017.