back to article It's 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros

Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes. The November of Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat. Microsoft's patch dump addresses a …

  1. Version 1.0 Silver badge
    Facepalm

    WTF?

    I'm starting to think that the entire software world is written by idiots on opium. Clearly we're going to be patching forever - maybe we should consider retreating to FORTRAN, COBOL and Pascal - it couldn't be any worse ... to rephrase Dijkstra, "Programming Considered Harmful"

    1. Mark 85 Silver badge

      Re: WTF?

      Opium? Nah... these are elite programmers so probably the drug of champions: cocaine: "A snort a day makes the stress go away" and all that.

    2. Anonymous Coward
      Anonymous Coward

      Re: WTF?

      Maybe the software is coded horribly to coerce you into purchasing a newer version every few years?

      Or with the current cloud culture: 'ship it and we'll fix it along the way'. Saves on QA money, you see.

    3. Anonymous Coward
      Anonymous Coward

      Re: WTF?

      ... maybe we should consider retreating to FORTRAN, COBOL and Pascal ...

      Won't help. As Ed Post once said, "The determined Real Programmer can write FORTRAN programs in any language". The converse also applies.

      1. Warm Braw Silver badge

        Re: WTF?

        To quote a random web page on the subject of Fortran:

        Probably one of the most undesirable and most useful of the pre-Fortran 90/95 features is the COMMON block

        I've yet to see a mathematical proof that useful features of programming languages are necessarily also undesirable, but experience suggests a strong correlation...

        1. Ken Hagan Gold badge

          Re: WTF?

          "I've yet to see a mathematical proof that useful features of programming languages are necessarily also undesirable, but experience suggests a strong correlation."

          Perhaps I can help. It's not strictly mathematical, but I can offer a good reason for this.

          Nearly all language designers have opinions about good practice and their languages reflect that, making it easy to do the right thing and hard to do the wrong thing. Many languages make it extremely hard to do the wrong thing. (Google for "bondage and discipline", but in the context of languages rather than sex.)

          However, language design is not a science and so eventually there is a real-world need for some sort of get-out-of-jail-free card to let you get the job done. Fortran has its COMMON blocks. C has its unions. C++ has its C-compatible base. Assembly language has self-modifying code. Pascal has ... linker compatibility with libraries written in a proper language.

          Any sufficiently large programming project will end up playing this card.

    4. Anonymous Coward
      Anonymous Coward

      @Version 1.0

      I fear it goes much, much deeper than that.

      Because what does a generic programmer often use? And not just Microsoft, but also on Linux, FreeBSD and any other given platform will you see this happening? Libraries and/or API's. Sometimes up to such ridiculous points that you can get multiple versions of the same library onto the same system (now hinting at BerkeleyDB). Dozens of programmers these days don't necessarily build all their stuff themselves, but also rely on libraries to fill in some of the blanks.

      Now, don't get me wrong, that by itself isn't a bad thing. But many library programmers do exactly the same thing, which can easily in the end lead to cascading effects. Because if there's an issue with a library then all the software which compiled against it will also be affected.

      And things can go only worse from here. Because what would happen if there were any bugs discovered in your average compiler? Even compilers use libraries these days, and libraries which by themselves rely on others.

      I believe that this is one of the reasons why we seem to live in a time where software gets an ever lasting stream of updates and patches. Sometimes it's not because of the programmer, but because of the tools and externals they chose to use.

      1. Anonymous Coward
        Anonymous Coward

        "issue with a library then all the software which compiled against it will also be affected."

        At least you can fix the lib and all dependent programs will be fixed. Think what happens when code is linked statically, and you have to wait for each and every application to be recompiled, if the developers are still around...

        And even with open source, don't expect every user being able to download sources and compile them (maybe fixing issues meanwhile) - that's what greybeards like to do, but not the average user who expect a computer to be a blackbox helping to perform his or her tasks, not a sort of divinity needing constant care and sacrifices....

        1. CAPS LOCK

          ...a blackbox .... not ... a...divinity...

          Amen to that brother.

        2. Anonymous Coward
          Anonymous Coward

          Re: "issue with a library then all the software which compiled against it will also be affected."

          At least you can fix the lib and all dependent programs will be fixed. Think what happens when code is linked statically, and you have to wait for each and every application to be recompiled, if the developers are still around...

          But how do you know the "fixed" library did not introduce subtle changes - perhaps to the parts of the specification which were undefined, but are nonetheless relied upon by an application? The only way to be sure is to fully re-qualify all applications using that shared library - either directly or indirectly.

          Or perhaps the library has removed parts of the API which were deprecated for a long time, but were nonetheless used by an (old, no longer supported) application you happen to need - so that the application won't even start anymore unless you keep the old version of the library around.

          Either way, I see way too many applications which are nominally dynamically-linked, but nonetheless package and manage their own versions of the dynamical libraries rather than relying on the system-provided ones. Sure, sometimes this happens because the developers are lazy and cannot be bothered to do the right thing - but most of time I rather fancy they do this out of necessity.

          At least for the applications running in a controlled environment and not exposed to the big bad internet, I would rather have a statically-linked binary, with as few dynamic bits as humanly possible. This way I can be reasonably sure it will produce reproducible results at least some of the time.

          1. Anonymous Coward
            Anonymous Coward

            "But how do you know"

            "the "fixed" library did not introduce subtle changes" - that is a risk - but something the libraries maintainers need to avoid. That's what automated tests are for.

            "the library has removed parts of the API" - that means you need to release a new version of the library - you can't and never should do this in a bug fix/maintenance release. Sure, if you use libraries from a source known for being unable to perform proper releases, you have to link statically, or deploy your own libraries, but then, all the maintenance duties are on your own shoulders, and you should not leave your customers open to vulnerabilities because you don't care to update your applications.

            Usually libraries which are accepted and installed system-wide are not those in the hands of incompetent developers, and linking to them may avoid expensive processes to update your applications anytime one of the dependencies has been fixed.

            It may also be easier to deploy the new libraries than the whole application.

            1. Doctor Syntax Silver badge

              Re: "But how do you know"

              "the library has removed parts of the API" - that means you need to release a new version of the library - you can't and never should do this in a bug fix/maintenance release.

              Unfortunately a maintainer can do just that if they want - and have been known to do so.

              I agree - an update shouldn't break any program that didn't rely on an undocumented feature. A good start would be publishing the unit tests and the unit tests should have a condition attached: new tests can be added but old ones can't be removed.

        3. Anonymous Coward
          Anonymous Coward

          Re: "issue with a library then all the software which compiled against it will also be affected."

          don't expect every user being able to download sources and compile them (maybe fixing issues meanwhile)

          Why, when my distro maintainers do that for me?

          1. Anonymous Coward
            Anonymous Coward

            "Why, when my distro maintainers do that for me?"

            Do they do it for custom applications as well? Repositories may have a lot of code, but not all the code....

      2. Doctor Syntax Silver badge

        Re: @Version 1.0

        But many library programmers do exactly the same thing, which can easily in the end lead to cascading effects. Because if there's an issue with a library then all the software which compiled against it will also be affected.... what would happen if there were any bugs discovered in your average compiler? Even compilers use libraries these days, and libraries which by themselves rely on others."

        It's called entropy.

      3. Kiwi
        Thumb Up

        Re: @Version 1.0

        I believe that this is one of the reasons why we seem to live in a time where software gets an ever lasting stream of updates and patches. Sometimes it's not because of the programmer, but because of the tools and externals they chose to use.

        While that is true, I'd suggest also a couple of other factors - we're more connected and send more stuff to each other for one. 20 years ago only a small % of people were connected, so even if I got you to run a malicious document there's a very good chance your computer had never had a connection outside.

        Then you have more of our lives online. Internet banking, paypal accounts etc etc. 20 years ago financial data on a computer was hard to extract, and on the average home computer that was nothing more than the housewife's budgeting spreadsheets. Nowadays there's a potential to find banking or credit card info that can be abused.

        Also we have an increasing programming skillset including among blackhats. When everyone thought that Word documents were just data with no way to cause them to run executable code elsewhere in the system, no one bothered to look. Then someone looked, and buffer overruns or other exploits were discovered. Now that the concept is known, anyone can go hunting, and the concept inspires people to come up with new concepts for new vulnerabilities, which when discovered inspire other people to look somewhere else...

        And finally the "fuzzing" tools (etc) that can help find bugs are much better than they were just a small few years ago.

        TL;DR: many of the bugs were there already, but with our more-connected world there's more chance of remote-execution, and with our vastly improved bug hunting tools they're getting easier to find.

    5. bombastic bob Silver badge
      FAIL

      Re: WTF?

      Micro-shaft and Adobe, with respect to the _KINDS_ of "features" that enable such ginormous security craters in the FIRST place, are in a position that is WAY TOO similar to playing a video game where you're battling monsters but you spend your ENTIRE TIME healing the injuries you receive instead of doing damage to the monsters. In those kinds of game battles, you can NEVER get ahead and so you end up LOSING (or getting a REALLY CRAPPY score).

      "The Swarm" of potential attacks on these various attack vectors is just to great. Or so it seems.

      The only possible fix for some of this stuff might just be to DISABLE the "features" with a patch that only allows end-users to re-enable the potentially dangerous features if they accept the consequences and responsibility for doing so.

      Overwhelming potential security problems, and UNDERwhelming responses. Business as usual.

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF?

        bob, the meds must be working, THE use of POINTLESS upperCASE letters is so minimal I could ALMOST read it first _TIME_. Keep up the good "WORK"

        1. handleoclast

          Re: WTF?

          @Lost all faith...

          bob, the meds must be working

          But not yet to the extent that he is capable of noticing that he has a silver badge and figuring out that he can therefore abuse italics and bold.

          1. CrazyOldCatMan Silver badge

            Re: WTF?

            he can therefore abuse italics and bold.

            Now you've done it! I forsee a future filled with random CAPS in bold italic

            1. Kiwi
              Coat

              Re: WTF?

              Now you've done it! I forsee a future filled with random CAPS in bold italic

              What, you mean like Ascot cap, Coif, Do-rag, Bearskin, Academic, Beret, Busby, Ochipok, Cricket, Papakhi, Deerstalker, Toque, Dutch cap, Fez, Karakul, Kepi, Zucchetto, Mao, Beanie, Sailor cap, Caubeen, Tubeteika, Caul, Ushanka, Snapback - to name a few?

              I know I know, outta here...

      2. Anonymous Coward
        Anonymous Coward

        Re: WTF?

        Micro-shaft and Adobe

        What... no cheesy name for Adobe?

        1. Anonymous Coward
          Anonymous Coward

          Re: WTF?

          A-dopey?

          (Replace AC icon with a certain dancing dwarf.)

    6. Tom 7 Silver badge

      Re: WTF?

      Oh and a happy 60th to Fortran while were about it!

  2. Shadow Systems Silver badge

    Dear MS, you suck arse.

    I've made it a habit of running the Windows Update Client (WUC) every time I turn on my computer. It means I often catch patch releases within hours of them being made available. This helps me try to stay as safe as a Win7 machine can be. I'm using the GWX Control Panel to make sure MS doesn't try to sneak past any "upgrades" down the pipe, but I still have to check each offered patch that lands in the WUC list, just to make *dayamn* sure it's not an upgrade in disguise.

    I do not have MS Office installed. I have Outlook & even that was the stand alone version that came direct from MS with no other Office functionality included. In short, I should have *no* need for any Office patch that doesn't apply to Outlook. There's no Excel, PowerPoint, or Word installed, so why should I be forced to download & apply all the patches for those bits?

    I don't know why, merely that MS insists they're required & flagged them as important - thus making them show up in the "you had better apply these or your system is as good as dead" section of the WUC.

    I'm spending ever more of my time having to go through patches that MS sends down the pipe, even though they don't seem to apply to my computer at all. You need to patch Excel on my system? Why? It's not now nor has ever been installed on this machine. That's like telling me you need to fix my Model T Ford for an antilock brakes issue. It doesn't have them, so why the fek do you insist on trying to fix them?

    *Sighs, shakes head*

    At least I don't have anything of Adobe's installed at all. Even if they WERE accessible (they're not), I wouldn't trust them with a fifty metre barge pole.

    I gotta go, I'm still researching patches for "upgrades" in disguise. I'm Sick&FekkinTired of having to police my OS vendor for when (not if) they pull more fekheaded shennanigans. It's why my next computer is running Linux. It's only the Ubuntu installed by System 76 at the moment, but as soon as I'm comfortable with getting around under Orca, I'll be giving it a copy of Mint instead.

    I can't wait to no longer have to defend myself from my OS vendor anymore!

    1. Anonymous Coward
      Anonymous Coward

      Re: Dear MS, you suck arse.

      In other news, man shouts at cloud.

    2. Elmer Phud

      Re: Dear MS, you suck arse.

      Good grief -- is Ms the ONLY author of these programmes?

      Are there other SW firms involved?

      Who the F runs updates every single minute 'just to be sure'?

    3. Packet

      Re: Dear MS, you suck arse.

      An excellent example of why MS is becoming less popular in the enterprise and with home users too.

      Despite the sheer UI mish-mash that is Windows 8-10, it's the maintenance / attacked by something / cleanup after aspect that has become way too cumbersome.

      They've lost the mobile war - portable hardware aka Surface next to follow...

  3. Florida1920
    Coat

    If it weren't for updates

    How would we know it was the second Tuesday of the month?

    (One with the Pirelli calendar in the pocket.)

  4. CrysTalK

    Legit bugs

    More than 130 bugs? So how many of those were intentional backdoors? Patch the old bugs and open new ones to protect our children.

  5. aregross

    "Remember Shockwave Player?"

    Hahahahhahahhahhahahahahahhahah!!!!1!!!2112!#$@

    1. Anonymous Coward
      Anonymous Coward

      @aregoss

      You are laughing hysterically; keep calm are apply patches.

      By the time you are finished there will be more patches

  6. Jakester

    The obsolete Microsoft Works provided a degree of safety because the native word processor and spreadsheet applications did not have macro capability. Microsoft fixed that problem by starting to ship Word with later releases. The word processor was light on features, but certainly more than adequate for most home users.

    1. Anonymous Coward
      Anonymous Coward

      MS Works

      Oh how I wish that was still available, and Outlook Express. For so many users that was perfect. Instead they are forced to use Office, but worse than that, the UI of Office is dumbed down for professional users so that Works users stand any chance of being able to use it - it results in a clasic lose-lose situation. Fecking idiots.

    2. Mark 85 Silver badge

      It might be obsolete but with my handy CD for Works, we still use it for some things. Office might be fine for many things, but it's so bloated just doing the minimal things we (here at home) want to do, Works is faster and gets the job done with out all the crap.

  7. Detective Emil
    Facepalm

    It's 2017, and El Reg is still using this tired trope

    Such headlines duly added to block list.

    1. bombastic bob Silver badge
      Happy

      Re: It's 2017, and El Reg is still using this tired trope

      a lesson from the 3 stooges: they would do the same expected routines all of the time, even in public, and it always got laughs, ESPECIALLY when it was expected. It's because they're funny. Same here. I chuckled at the title. Again. Gotta love it!

    2. unwarranted triumphalism

      Re: It's 2017, and El Reg is still using this tired trope

      About to add

      127.0.0.1 www.theregister.co.uk

      to my block list.

      1. Mark 85 Silver badge

        Re: It's 2017, and El Reg is still using this tired trope

        Bye, bye... don't let the door smack you in the ass on the way out.

        1. unwarranted triumphalism

          Re: It's 2017, and El Reg is still using this tired trope

          Who made you the doorkeeper around here? Quite the sense of self-importance you've got.

          Maybe it's time you had an encounter with reality for once.

          1. Sandtitz Silver badge
            Trollface

            Re: It's 2017, and El Reg is still using this tired trope

            "Who made you the doorkeeper around here?"

            No, no! He's the Gatekeeper, and I think Bob's the Keymaster.

      2. Kiwi
        Coat

        Re: It's 2017, and El Reg is still using this tired trope

        About to add

        127.0.0.1 www.theregister.co.uk

        to my block list.

        P

        l

        e

        a

        s

        e

        d

        o

        !

        Here's

        your

        coat.

  8. Anonymous Coward
    Anonymous Coward

    IE and Edge CVEs ????

    Something I don't really get: Edge was supposed to be the secure and rewritten new browser, without the tons of bloat IE was affected with.

    How come there are CVEs affecting both ?

    1. bombastic bob Silver badge
      Devil

      Re: IE and Edge CVEs ????

      "How come there are CVEs affecting both ?"

      Because it's a definition of INSANITY to try the same thing twice and expect DIFFERENT outcomes...

      1. matjaggard

        Re: IE and Edge CVEs ????

        Please STOP with the capitals.

        1. Elmer Phud

          Re: IE and Edge CVEs ????

          NO!!!

      2. Spacedinvader
        Happy

        Re: IE and Edge CVEs ????

        ...and to achieve DIFFERENT outcomes defines PERSISTENCE

    2. matjaggard

      Re: IE and Edge CVEs ????

      Did you really expect zero code reuse?

      1. Anonymous Coward
        Anonymous Coward

        Re: IE and Edge CVEs ????

        "Did you really expect zero code reuse?"

        Exactly. Anyone who believed that "Edge" was anything more than a re-branding, well, they deserve to use it.

      2. LDS Silver badge

        "Did you really expect zero code reuse?"

        No, but we believed they reused only the good one... oh wait, that would risk to be zero code reuse...

    3. Ken Hagan Gold badge

      Re: IE and Edge CVEs ????

      "Edge was supposed to be the secure and rewritten new browser, without the tons of bloat IE was affected with."

      Dunno where you got that idea from. My recollection is that MS described Edge as "IE but with all of the compatibility code taken out, so it *only* handles pages written to the HTML5 standard". I'm not sure if that was actually true, but it was a fairly plausible thing to try and Edge certainly didn't include support for a lot of old stuff like ActiveX and MHTML so I've no reason to doubt it.

      1. Kiwi

        Re: IE and Edge CVEs ????

        Dunno where you got that idea from.

        I'm only skimming some stuff looking for this, but over at "https://blogs.windows.com/msedgedev/2015/05/11/microsoft-edge-building-a-safer-browser/ Microsoft themselves say "But Microsoft Edge has done more than just re-write the rendering engine. " and "Microsoft Edge is a brand new browser..."

        Those two alone imply that the browser was re-written (you don't buy a new car by overhauling your old one!), but there's more out there that's said that from what I recall.

    4. grumpy-old-person

      Re: IE and Edge CVEs ????

      This has been going on for a very long time - "new" version of M$ software and then a bug that affects every version since 1.0!

  9. mhenriday
    Headmaster

    «The November of Patch Tuesday ...»

    Love it, Shaun !... ;-)

    Henri

  10. Anonymous South African Coward Silver badge

    Any chance of going into sheep/chicken farming at some remote location far removed from all things technology?

    1. Pascal Monett Silver badge

      You can "remove" yourself from all things technology right where you are ; just shut down your router and phone and you're there.

    2. Elmer Phud

      Nope, 'cos all of them rely on 'tech' these days

  11. Duncan Macdonald Silver badge
    FAIL

    IE and Edge

    As MS written browsers have such a horrible security record, I have disabled their internet access on my systems (by using the program control feature of the firewall in Norton). I use Firefox with Noscript and AdBlockPlus instead - while not perfect it is better than the offerings from MS. I also went through the settings in IE and Edge to disable every feature that I could to try to reduce the damage if they somehow got internet access.

    1. Anonymous Coward
      Anonymous Coward

      Re: IE and Edge

      I don't work directly in this part of the tech industry but I feel your pain. Good luck to all of you.

    2. Elmer Phud

      Re: IE and Edge

      And when you do updates you ARE using a bit of IE, but never mind.

      Your blind panic is admirable but very much of the tin-foul hattery.

      Your insecurity is the way in to your machine -- you are an easy mark.

    3. Anonymous Coward
      Anonymous Coward

      Re: IE and Edge

      Norton? You want th NSA slurping your data?

  12. alain williams Silver badge

    What Munich has to look forwards to ...

    if they follow up on the Microsoft office move bribe and ditch LiMux.

    Still: I suppose that it will increase local employment as this will provide work for more system admins.

    1. rmason

      Re: What Munich has to look forwards to ...

      The other side of that coin is that munich are currently employing people who haven't had the software they use to work available to them since the move. Multiple systems/bits of software defined as key to certain roles or depts just don't work.

      1. Anonymous Coward
        Anonymous Coward

        Re: What Munich has to look forwards to ...

        people who haven't had the software they use to work available to them since the move

        It makes me wonder what they've been doing for the past ten years.

        Civil servants, eh?

    2. elgarak1

      Re: What Munich has to look forwards to ...

      AFAIK, Munich is still thinking about ditching LiMux for Windows 10 ... but keep LibreOffice.

  13. Anonymous Coward
    Anonymous Coward

    The fix - time to change the approach

    Assume all code is a black box and insecure.

    That is not an unreasonable starting position - since o/s patches come out regularly to close holes in the o/s code that have been there for years, each product gets update with bug fixes to close holes, and 0-day exploits are regularly found by fuzzers and other discovery tools.

    So if we start from that principle - All code that takes input is exploitable - we can look at treating this as a quarantine and control issue, rather than forever searching for a cure.

    So - logically - the solution is to observer BEHAVIOUR of the code during it's operation at all times. What does it normally interact with (processes & threads, other code, registry values, open application ports) and then BASELINE this as acceptable. Then if the code DEVIATE from this - by calling code it does not normally use, or making calls that are outside of the baseline, then QUARANTINE it.

    Holistically, this approach seems to make more sense than the endless whack-a-mole of fixing security holes in code, and placing the onus on the developers and sysops to chase round their estate endlessly trying to keep up with these, only to know for certain more bugs are still in that new release.

  14. unwarranted triumphalism

    I fail to understand the author's obsession with the calendar

    Is there a magic date on which we are supposed to achieve Utopia?

  15. Muscleguy Silver badge
    WTF?

    Adobe playing games

    So, I just updated Flash on this Mac (Sierra) going there through the system pref pane (no clickjacking, right?). All went as normal except towards the end of the install and after giving the installer permission I get asked for permission to let it install 'a new helper app' that is the only info about said app I got.

    Smelling a potential rat I clicked cancel, had to do it several times and again when it all finished. No opening of the 'success' web page as per normal.

    I'm running my virus checker just in case, but if this is legit Adobe are playing with fire after all the malware filled Flash updates that are around. What is the nature of this 'helper app' adobe and why do I need it? might it be due to Quantum Firefox? If so why not give some information on it?

    Icon to reflect reality

  16. Anonymous Coward
    Anonymous Coward

    A more accurate headling would be:

    "It's 2017, and people are STILL opening dodgy attachments despite being explicitly told not to. and why."

    1. Kiwi
      Coat

      A more accurate headling would be:

      "It's 2017, and people are STILL opening dodgy attachments despite being explicitly told not to. and why."

      I know right? I can't even imagine why people still have word processing software in their businesses. I mean, it's not like staff have to use them to open documents sent by other firms from time to time now is it?

      1. Anonymous Coward
        Anonymous Coward

        Because, of course, it's natual to open an email from a company you have:

        a) never heard of

        b) have never dealt with

        c) have no intentions of dealing with

        d) that you aren't expecting

        I'm guessing your policy is to basically open anything and everything, regardless of if it contains a virus or not - as that's what you have just implied.

        1. Kiwi

          Because, of course, it's natual to open an email from a company you have:

          a) never heard of

          b) have never dealt with

          c) have no intentions of dealing with

          d) that you aren't expecting

          I'm guessing your policy is to basically open anything and everything, regardless of if it contains a virus or not - as that's what you have just implied.

          Yeah. I know it's weird but sometimes, in some businesess, you have these funny things called customers, and sometimes customers contact you out of the blue because you've not yet dealt with them before.

          And sometimes these customers who you've never heard of before send you quotes from other firms to invite you to compete.

          A lot of businesses, quite strangely, rely on customers to remain in business. And if you cannot meet your customers needs, they go elsewhere and you go under.

          I guess your business never grows eh?

          How do you hire staff without checking their CV? Those are usually some form of document.

          And then there's the firms and government depts where staff handle hundreds of documents every day. Companies sending in spreadsheets to tax firms/accountants/IRD etc, clients sending in CVs/quotes (car repairs, medical, stuff for clothing for job interviews etc) to welfare agencies, invoices for work done (verify that the work has been done of course) - the person who opens the incoming invoice may never had heard of the firm claiming the payment - some businesses are a bit larger than mom and pop who only deal with the corner grocery store y'know.

          Some firms need to be able to open documents that come from people they've not heard of, otherwise they don't get new customers and without new customers they quickly go broke. So, what is needed instead of a (sometimes) silly "don't open all these documents under these myriad conditions which won't catch everything (see Wannacry for a start, plus Iloveyou etc etc etc - all from people they knew and trusted) is a robust system for receiving said files safely.

          That means a well-cared for system with decent AV scanning the incoming emails at the server level, so nothing can get through. If LO etc are incompatible with MS's "infect on open" macro, then use them at least to preview a copy of the document (if they have the same or similar flaws you're going to have to rely on incoming scanning), stripping macros (if it can still be done automatically without opening in Word etc), and of course having the receiving machine get lots of backups and able to be killed and restored in a moments notice (like a VM).

          Of course we had it easy. We could safely open any document we wanted to without fear of malware, because we did run email scanning at our end as well as decent spam protection, and any documents we opened were opened by the secretary in Libre Office on her Linux machine. On the off chance that any one tried to send malware it would've simply been unable to work at that stage.

  17. Doctor Syntax Silver badge

    "CVE-2017-11848, a flaw in IE that allows webpages to track users when they leave the website."

    I thought they'd count that as a feature.

  18. Doctor Syntax Silver badge

    "You may think we’ve educated users enough to stop them from opening unknown documents they didn’t expect,"

    There speaks the voice of hope triumphing over experience.

  19. Packet

    I can't help but feel self-satisfied and yet disheartened at the world of software every time I hear/read of a Adobe Flash / Adobe PDF Reader vulnerability.

    Self-satisfied because I ditched that rubbish about 3 odd years ago (Flash is unnecessary and in-browser PDF renderer is perfectly fine when needed)

    Disheartened because it brings into sharp focus the issues of software quality in the world...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like