It's now 2017, and your Windows PC can still be pwned by a Word file

Microsoft has begun its 2017 with the release of four updates to address security holes in Windows and Office, while Adobe has posted fixes for more than three dozen vulnerabilities in Flash and Reader. Microsoft's January patch load includes: MS17-001, a fix for the Edge browser to address a flaw that would let a malicious …

  1. psychonaut

    Meanwhile, Adobe is updating blah de fucking blah

    Jesus Christ. It never stops. Luckily, I don't have to worry about it as of about a year ago. I don't even use Flash on the floors here anymore.

    1. bombastic bob Silver badge
      Devil

      Re: Meanwhile, Adobe is updating blah de fucking blah

      I stopped doing *anything* flash when gnash wouldn't play with the latest unnecessary change to the file format. I don't need Adobe's spyware running on a BSD or Linux box, after all! Fortunately, HTML5 has taken care of that. Now, why IS anyone using flash these days?

      1. AdamWill

        Re: Meanwhile, Adobe is updating blah de fucking blah

        TicketMaster's 'choose your own seat' thing still, bizarrely, requires Flash.

        But who are we kidding. The real answer is "porn". It's *always* "porn".

      2. Anonymous Coward
        Anonymous Coward

        Re: Meanwhile, Adobe is updating blah de fucking blah

        Because BBC.

        That's why I have to read the BBC at work, as I ain't installing Flash on my own gear.

        1. Hans 1

          Re: Meanwhile, Adobe is updating blah de fucking blah

          >Because BBC.

          >That's why I have to read the BBC at work, as I ain't installing Flash on my own gear.

          As has been reported here many times, user agent switcher browser extension, use an iPad user agent, problem solved.

          Ohh, and do contact the BBC on this matter, if we all do, they will get their act together!

      3. Mr Dogshit

        Re: Now, why IS anyone using flash these days?

        Because vSphere console

      4. Anonymous Coward
        Anonymous Coward

        Re: Meanwhile, Adobe is updating blah de fucking blah

        Can't speak for everyone but I use Flash to spy on your mrs while she's changing out of her bloomers.

        meh meh meh meh

      5. patrickstar

        Re: Meanwhile, Adobe is updating blah de fucking blah

        Somewhat nitpicky, but that "unnecessary change" to the file format was essentially a complete make-over.

        This is what brought it from "scriptable animation (primarily vector) toolkit" to "full-fledged application runtime". Back in the days it was actually really cool compared to the alternatives for cross-platform/in-browser stuff, or even graphical RAD in general (as to the latter, it actually still is to a large extent).

    2. Blue Pumpkin
      Trollface

      Re: Meanwhile, Adobe is updating blah de fucking blah

      I have it on good authority that the number of patches exceeded the number of lines of source code several years ago and now they just release useless patches so that people don't forget who they are ...

    3. PeterM42
      FAIL

      Re: Meanwhile, Adobe is updating blah de fucking blah

      A problem with Flash? - surely not - it's so relia....................."£$%^&*(!!!!!!

      D'oH!

      Actually, I understand Adobe are changing its name to CRASH next month.

  2. Anonymous Coward
    Anonymous Coward

    It never stops...

    "Adobe has posted fixes for more than three dozen vulnerabilities..."

    Does Adobe have any clue about their own software, or is it just a fly-by-night situation? Wouldn't you consider a major rewrite at some point? When your only real product depends on graphical performance, you'd think you'd rewrite the software for the best performance, let alone security. Adobe is lost in the 90s.

    In case you're out of the loop on what's going on in "Creative Cloud".

    1. Massive price hikes, volume licensing is a joke now.

    2. Photoshop updates are basically bug fixes just like Flash.

    3. Lightroom updates consist of porting photoshop "fun" features to it.

    4. Everything performs horribly compared to competing products.

    5. Massive price hikes.

    I literally run WinTin just for Photoshop, it's a nightmare.

    1. Wensleydale Cheese

      Re: It never stops...

      In case you're out of the loop on what's going on in "Creative Cloud".

      CC is also an acronym for Cash Cow.

      A Cash Cow in the software world usually means a product which is no longer actively developed, but enough customers are locked in to milk it all the way.

      1. Nunyabiznes

        Re: It never stops...

        Well considering Adobe's biggest expense is Udder Cream (TM) ...

        1. Chika

          Re: It never stops...

          They'll have to stop milking it eventually...

    2. cambsukguy

      Re: It never stops...

      If Photoshop is terrible and it edits pictures, why doesn't someone use Capitalism to replace it with a better program?

      If it is expensive and rubbish, it would seem like a good target.

      I don't use it so I know nothing about alternatives.

      1. joed

        Re: It never stops...

        Similarly to "nobody got fired for buying IBM" - Adobe, being an established vendor, is next to impossible to replace in the enterprise (even if the price/terms of service appear ridiculous to mortals spending real/own $).

      2. Anonymous Coward
        Anonymous Coward

        Re: It never stops...

        If Photoshop is terrible and it edits pictures, why doesn't someone use Capitalism to replace it with a better program?

        That is already happening, also because not everyone is happy with the whole subscription malarkey. Affinity make damn good software that may not yet be as over-full-featured, but it's scary fast, amazingly well supported (via forums where you actually get an answer!), FAR simpler to use and stupidly cheap for what you get. And they make great tutorial videos for it too. I especially like their support for full 360º images where you can change and edit information like on a normal image and it will then integrate it - it's very impressive to see.

        I haven't touched an Adobe product in ages. The only thing I have installed is the Adobe Reader, and that hasn't been used (or upgraded) for about 6 months now - the only reason I keep it is because some (mostly government) organisations send me stuff that requires Reader features and are unreasonable about making it work more universally. I've been "Flash free" for about a year now and in general this works, except for the BBC where my browser has to pretend to be an iPad before they do the right thing..

      3. MacroRodent

        Re: It never stops...

        If Photoshop is terrible and it edits pictures, why doesn't someone use Capitalism to replace it with a better program?

        Because of network effects. Graphics people are trained in Photoshop, and there is an ecosystem of plugins. Same reason Windows hasn't been replaced successfully on desktops. Capitalism is powerless with this kind of issue.

    3. A Non e-mouse Silver badge

      @MyBackDoor Re: It never stops...

      Wouldn't you consider a major rewrite at some point?

      'Cause Adobe know that the writing is on the wall for Flash and not even they're stupid enough to throw money at a re-write for a dying product....

    4. Anonymous Coward
      Anonymous Coward

      Re: It never stops...

      I literally run WinTin just for Photoshop, it's a nightmare.

      Could I point you at Affinity Photo then? Far more resource friendly, better code, easier to use and at a price it makes it basically silly NOT to buy it.

      They tend to have the betas freely available in their forums, so you can try before you buy.

      Not affiliated, just a happy user (on Mac, but there's also a Windows version).

      1. Anonymous Coward
        Anonymous Coward

        Re: It never stops...

        Adobe knows it has almost no competition in the higher segment of the market, and it's exploiting it. While Serif's products are good, they still can't replace (nor probably is that their target) Adobe's ones in that segment, where you may need to add features (e.g. colour separations; IIRC they added spot colour support last year in Affinity Designer) used only by a relatively "smaller" percentage of professional users, but which are critical for some professional tasks, increasing the overall cost of a product with a limited return, especially if you have to catch up with a product already established as the market leader. But eroding the bottom line is a good way to increase customers and revenues.

        For a while companies like Corel, Micrografx and Aldus were competitors - but apart from Corel (a pale image of its former self) they no longer exist.

  3. Oh Homer
    Coat

    "Specially crafted"

    Sounds like a belated Christmas present.

    'Twas the night before Christmas, not a sound could be heard

    Except for some typing, a file writ in Word

    A bug report that had been specially crafted

    To tell us that all our computers were shafted

  4. FozzyBear
    Happy

    Pick a year between 1990 to 2050 and this "news" article would still be relevant. With any luck I'll still be here complaining about it too.

    1. frank ly

      It's highly unlikely that I'll be here in 2050 and I have to say that I find that thought to be strangely comforting.

      1. Steve Davies 3 Silver badge
        Joke

        Posting here in 2050

        Perhaps El Reg will award 'gold' badges to those of us who will be well into our 90's?

        I'll be 97 in 2050 and will look forward to it as an early letter from King William.

        Come on El Reg, give us oldies something to look forward to....

        1. Anonymous Coward
          Anonymous Coward

          Re: Posting here in 2050 - I'll be 97 in 2050 and will look forward to it

          All very well for you young folk. But the way things are going with spying, DRM and unreasonable protection of the rich and well connected, I expect that by 2050 things will be back to analog landlines and an extremely thin screen on the wall that shows nothing but cat videos and repeats of Top Gear (like WW2 films, so the kids can wonder at what their parents used to get up to.)

  5. Destroy All Monsters Silver badge
    Pint

    Village People!

    Young man, why you look so appalled.

    I said, young man, better get used to it now.

    I said, young man, 'cause you're in a new age

    There's no need to read the EULA.

    Young man, there's naught you can do.

    I said, young man, when you feel so observed.

    Shark the wire , and I'm sure you will find

    Many ways to lose your data.

    It's fun to send te-le-metry.

    It's fun to send te-le-metry.

    etc. etc.

    1. Fred Flintstone Gold badge

      Re: Village People!

      That is *wonderful* :)

      Regarding EULAs, allow me to assist by referring to this comic. Enjoy :).

  6. Anonymous Coward
    Anonymous Coward

    "The flaw, designated CVE-2017-0003, allows a specially crafted Word file to take control of the target system with the current user's access privileges"

    The principle of least privilege, how many times do you have to be told Microsoft, the default profile should be a standard user.

    1. Electron Shepherd

      "the default profile should be a standard user."

      Err... ... it is, and it's been that way for more than 10 years. Ever since Vista.

      1. BristolBachelor Gold badge

        @Electron; yes; but there are still some programs that don't work properly without higher access permissions.

        @Doc; my account has the privileges to edit my files - that doesn't mean that I want someone pwning my system and stealing/editing/deleting them, even if they still don't have permissions to do admin stuff.

        1. TheVogon

          "but there are still some programs that don't work properly without higher access permissions"

          Lucky then that shortcut properties include a selectable per-program "Run as Administrator" option...

      2. Anonymous Coward
        Anonymous Coward

        >Err... ... it is, and it's been that way for more than 10 years. Ever since Vista.

        Really !

        Tell me what profile you are dumped straight into by default on a single PC install? Don't give me that crap about UAC and admin, go and add up the CVEs that are mitigated by running as a PROPER STANDARD USER.

        https://blogs.microsoft.com/microsoftsecure/2010/03/30/be-safer-run-as-standard-user/

        http://www.zdnet.com/article/admin-rights-key-to-mitigating-vulnerabilities-study-shows/

    2. Paul Crawford Silver badge

      For most people PC = single user, and so such a flaw can still encrypt their own files, which is all that matters. The OS, etc, can be hosed and re-installed, but few have backups and most of Joe Public find out when it's too late.
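The thread above argues about whether the "current user's access privileges" on a typical Windows box are really those of a standard user. The script below is an added example (not from the article or from any of the commenters) that classifies the current session by reading the token that UAC actually hands the process: a true standard user never has the BUILTIN\Administrators SID in their token, a "protected administrator" has it marked deny-only, and an elevated session has it enabled. It assumes Windows 10 / Server 2016 with PowerShell 5.1 or later, `whoami.exe`, and the LocalAccounts module for `Get-LocalGroupMember`; the function names and the fallback to `net.exe` are this example's own choices.

```powershell
# Added example: classify the current Windows session's privilege level and
# list who is in the local Administrators group. Not part of the article.
# Assumes Windows 10 / Server 2016, PowerShell 5.1+, whoami.exe present.

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-TokenGroupInfo {
    # whoami /groups shows the group SIDs in the *current* token together with
    # their attribute flags; "Group used for deny only" is how UAC marks the
    # Administrators SID in a filtered (non-elevated) token.
    whoami /groups /fo csv | ConvertFrom-Csv
}

function Get-SessionPrivilegeLevel {
    $groups = Get-TokenGroupInfo
    $admins = $groups | Where-Object { $_.SID -eq $AdminsSid }
    $integrityRow = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = if ($integrityRow) { $integrityRow.'Group Name' } else { 'unknown' }

    if (-not $admins) {
        $level = 'StandardUser'      # Administrators SID absent: a real standard user
    } elseif ($admins.Attributes -match 'deny only') {
        $level = 'ProtectedAdmin'    # admin account, but this process runs filtered
    } else {
        $level = 'ElevatedAdmin'     # Administrators SID enabled: full admin rights
    }

    [pscustomobject]@{
        User      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Level     = $level
        Integrity = $integrity       # Medium for standard/protected, High when elevated
    }
}

function Get-LocalAdminMembers {
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object Name, PrincipalSource, ObjectClass
    } catch {
        # Older Windows without the LocalAccounts module: net.exe still works.
        net localgroup Administrators
    }
}

$session = Get-SessionPrivilegeLevel
$session | Format-List

if ($session.Level -ne 'StandardUser') {
    Write-Warning "This account is a member of Administrators; a document opened by it can ask for elevation, and anything it runs inherits that membership."
}

"Members of the local Administrators group:"
Get-LocalAdminMembers
```

Run it from a normal (non-elevated) PowerShell window first, then from one started with "Run as administrator": on the default single-PC install the first run reports ProtectedAdmin at Medium integrity and the second ElevatedAdmin at High, whereas an account created with `New-LocalUser` and left out of Administrators reports StandardUser in both cases. That difference is what the "proper standard user" comment above is about: a filtered token stops an exploit from writing to system locations, but the account can still be elevated with a UAC prompt, and the user's own files remain writable either way.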

  7. This post has been deleted by its author

  8. redpawn

    In 500 Years...

    this will all be sorted out and people will laugh about how a Word file could take over their computer. In the mean time I use LibreOffice.

    1. TheVogon

      Re: In 500 Years...

      "In the mean time I use LibreOffice."

      Some of us need a version of Office that actually works...

      Not to mention that full functionality of Libre Office requires Java installed - which is second only to Flash as a security hole...

      1. Anonymous Coward
        Anonymous Coward

        Re: In 500 Years...

        Some of us need a version of Office that actually works...

        If you define "works" as doing what an Office package should do for about 95% of users, LibreOffice can comfortably claim that. You haven't tried using it for more than a week or you'd know that, and it has the added bonus that nobody tries to mess around with the UI to sell a new version so your staff has to relearn again and again where the f*ck Microsoft hid the functions they were using just fine before the update. Oh, and it works on a proper, official, arrived-at-through-real-consensus Open Standard rather than a bribed one that the company itself has trouble supporting, but that's just detail.

        Not to mention that full functionality of Libre Office requires Java installed - which is second only to Flash as a security hole...

        Been using it company wide for about 4 years now without any Java present. Try judging it based on facts, not on Microsoft marketing. Bonus benefit: our staff can use it at home just as well - no license risks - and it renders the same on Linux, macOS and Windows.

        1. TheVogon

          Re: In 500 Years...

          "If you define "works" as doing what an Office package should do for about 95% of users, LibreOffice can comfortably claim that"

          Working 95% of the time isn't good enough for most businesses. Hence presumably why adoption of Libre Office is still close to zero....

          "Oh, and it works on a proper, official, arrived-at-through-real-consensus Open Standard rather than a bribed one that the company itself has trouble supporting"

          Microsoft Office works far better than Libre Office in regards to ODF support. The Libre Office forums are full of issues with its standards support...

          "Bonus benefit: our staff can use it at home just as well - no license risks "

          But many of your staff will already have MS Office or Office 365, so it then sucks when their files don't work properly, and features they used at home are not supported in the office.....

          1. Anonymous Coward
            Anonymous Coward

            Re: In 500 Years...

            "Microsoft Office works far better than Libre Office in regards to ODF support."

            No it absolutely doesn't - MS Office's support for ODF is still woeful. If you use both products with any regularity (I do) you'd know this well, and be more qualified to comment.

          2. Anonymous Coward
            Anonymous Coward

            Re: In 500 Years...

            Microsoft Office works far better than Libre Office in regards to ODF support. The Libre Office forums are full of issues with its standards support...

            Oh, here we go again. Repeating an untruth often doesn't make it reality - and I suspect you know full well that that is utter BS.

          3. Anonymous Coward
            Anonymous Coward

            Re: In 500 Years...

            But many of your staff will already have MS Office or Office 365, so it then sucks when their files don't work properly, and features they used at home are not supported in the office.....

            As a matter of fact, none of our staff use it, for a number of reasons. Our company has some of the strictest security and compliance requirements in Europe for a non-governmental setup and we prove again and again that Microsoft's "EU only" cloud isn't as "EU only" as it pretends to be, and our risk management extends to helping staff and family be secure at home and preventing them from being abused as backdoors or being forced/leveraged into becoming so.

            We know a lot more about Microsoft than they are comfortable with - and they know...

          4. fruitoftheloon
            FAIL

            @TheVogon: Re: In 500 Years...

            TheVogon,

            may I suggest that you re-read the comment you responded to?

            [Paraphrasing] it meets the needs of 95% of users, NOT that it works for 95% of the time...

            D'oh

  9. TheVogon

    So a quiet month for Microsoft then...

    1. Chika

      So a quiet month for Microsoft then...

      We never say that until the patches are applied and the fallout evaluated.

      1. This post has been deleted by its author

        1. GruntyMcPugh Silver badge

          Re: @Chika re update fallout.

          Odd, because for several years I was responsible for patching large numbers of servers, and never had a post patch issue.

          Only problem recently was caused by a .NET upgrade, and that's really down to the application that relies on it.

          Is it really so bad for everyone else? I've never been responsible for desktop deployments of patches, is it worse out there? Never had a problem on any of my personal machines running scheduled updates, so why the derision?

          1. Anonymous Coward
            Anonymous Coward

            Re: @Chika re update fallout.

            Odd, because for several years I was responsible for patching large numbers of servers, and never had a post patch issue.

            Yes, but servers are typically not where the problems emerge..

      2. TheVogon

        "We never say that until the patches are applied and the fallout evaluated."

        We can as we test before deploying...

  10. chivo243 Silver badge

    Somebody close the screen door

    My submarine is already full....

  11. Anonymous Coward
    WTF?

    MS17-001

    "The update will only be pushed out to Windows 10 and Server 2016."

    Good luck trying to update Edge on any other version of Windows.

    1. Steve the Cynic

      Re: MS17-001

      "Good luck trying to update Edge on any other version of Windows."

      That was my thought when I read that line, although I suppose it's better for Microsoft to be explicit about it.

      Personally, I'd like them to fix Edge so it actually remembers my Favorites / bookmarks for more than a week. (It worked OK, then blew its brains out and reinitialized itself, and ever since then it forgets what I put in the Favorites bar about once a week.)

    2. patrickstar

      Re: MS17-001

      Uhm, yeah, because those are the platforms that Edge supports.

  12. twilkins
    FAIL

    Word?

    People still use Word in 2017. How cute!

    1. TheVogon

      Re: Word?

      "People still use Word in 2017"

      Easier to ask who doesn't. It is pretty much a standard in the enterprise, and Microsoft are beating Google hands down for cloud versions too with Office 365. And it's a standard in most schools....

      1. Anonymous Coward
        Anonymous Coward

        Re: Word?

        And that's why MS has pretty well every business over a barrel and will continue to ... well, you know what they'll do, each and every month. Pay up or else you lose access to your data.

        I'm in the process of shutting down my business as I'm retiring and will take great delight in giving MS the finger next month.

  13. Gis Bun

    Meanwhile 2 Linux OSs topped 2016 with the most CVEs reported. So is Windows that vulnerable?

    1. Anonymous Coward
      Anonymous Coward

      I can't be bothered to point out just how selective you must have been with CVEs to arrive at that conclusion. If I could be bothered you'd be very upset, because undeniable hard facts have that effect on marketeers.

    2. TheVogon

      "Meanwhile 2 Linux OSs topped 2016 with the most CVEs reported"

      It's been like that versus Windows every year for well over a decade now.

      Microsoft might not be the greatest at security but they are certainly not the worst...

    3. YY
      WTF?

      Speed

      Yeah, Windows is still that vulnerable. If it ain't good on the inside, polish on the outside won't help.

      However the next version of Windows will be better, I heard from MS. That is, the bling bling

    4. Anonymous Coward
      Anonymous Coward

      "Meanwhile 2 Linux OSs topped 2016"

      Yep, because they are actually useful and functional out of the box and include a lot of applications, including an office suite and image editors. Windows by itself is largely useless until one installs the apps they need.

      Be interesting to compare CVE count with Windows after it has all of the equivalent apps installed.

      1. Anonymous Coward
        Anonymous Coward

        "Be interesting to compare CVE count with Windows after it has all of the equivalent apps installed."

        Well I haven't seen figures for that, but Windows historically beat both enterprise Linux and OS-X by quite a long way for vulnerability counts when the installs were made equivalent to Windows in terms of what was installed...

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          But it's still not apples vs apples. Windows doesn't have repositories of thousands of apps built-in counting towards vuln counts, so there is no way of reliably comparing this without a lot of effort and research. So with no suitable evidence provided, your statement is completely worthless.

  14. YY
    Devil

    It's 2017 and you are still working with Windows?

    Even MS is migrating to Linux
