How a Bad UI Decision From Microsoft Helped Macro Malware Make a Comeback (softpedia.com)
An anonymous reader writes: Macro malware is a term to describe malware that relies on automatically executed macro scripts inside Office documents. This type of malware was very popular in the '90s, but when Microsoft launched Office 97, it added a popup before opening Office files that warned users about the dangers of enabling macros. Microsoft's decision had a huge impact on macro malware, and by the 2000s, this type of malware went almost extinct. Lo and behold, some smart Microsoft UI designers start thinking that users might get popup fatigue, so in Office 2007, Microsoft makes the monumental mistake of removing the very informative popup, and transforming the warning into a notification bar at the top of the document with only six words warning users about macros. Things get worse in Office 2010, when Microsoft even adds a shiny button that reads "Enable Content," ruining everything it had done in the past 10-15 years, and allowing macro malware to become the dangerous threat it is today. The U.S.-CERT team issued an official threat yesterday warning organizations about the resurging threat of malware that uses macro scripts in Office documents.
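The summary's complaint is that whether a macro runs now hinges on one banner click, so a defender wants to know before a file reaches a mailbox whether it even carries a VBA project. The following is an added example, not code from the article, US-CERT or any commenter: it inspects an OOXML container (.docx/.docm/.xlsm and friends are ZIP archives) for the vbaProject.bin part and the matching content type, and flags the mismatch case where macro content sits under a non-macro extension. The sample archives it builds are constructed stand-ins, not real Office files; legacy binary .doc/.xls formats are out of scope and are only reported as "not-ooxml".

```python
"""Triage OOXML Office files for embedded VBA macros (defensive check).

Added example, not from the article or any commenter. OOXML packages are ZIP
archives; a VBA project is stored as a part named vbaProject.bin (for example
word/vbaProject.bin or xl/vbaProject.bin) and declared in [Content_Types].xml
with the content type below.
"""
import io
import os
import xml.etree.ElementTree as ET
import zipfile

VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions Office itself uses for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def find_vba_parts(data: bytes) -> list:
    """Return names of ZIP members that hold a VBA project ([] if none).

    Raises zipfile.BadZipFile when the bytes are not a ZIP container.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(n for n in zf.namelist() if n.endswith(VBA_PART_SUFFIX))


def content_types_declare_vba(data: bytes) -> bool:
    """True if [Content_Types].xml maps any part to the VBA project content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            xml = zf.read("[Content_Types].xml")
        except KeyError:
            return False
    root = ET.fromstring(xml)
    return any(el.get("ContentType") == VBA_CONTENT_TYPE for el in root.iter())


def triage(filename: str, data: bytes) -> dict:
    """Classify one file by name and bytes; returns a small verdict dict."""
    ext = os.path.splitext(filename.lower())[1]
    try:
        parts = find_vba_parts(data)
    except zipfile.BadZipFile:
        return {"file": filename, "format": "not-ooxml", "has_macros": None,
                "notes": ["not a ZIP container; legacy .doc/.xls needs a separate parser"]}
    declared = content_types_declare_vba(data)
    has_macros = bool(parts) or declared
    notes = []
    if parts and not declared:
        notes.append("vbaProject.bin present but not declared in [Content_Types].xml")
    if has_macros and ext not in MACRO_EXTENSIONS:
        notes.append(f"macro-enabled content under non-macro extension {ext!r}")
    return {"file": filename, "format": "ooxml", "has_macros": has_macros,
            "vba_parts": parts, "notes": notes}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like archive for demonstration (not a real Office file)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample(True)),
               ("invoice.docx", build_sample(True)),
               ("report.docx", build_sample(False)),
               ("old.doc", b"not a zip container")]
    for name, blob in samples:
        print(triage(name, blob))
```

In a mail gateway or file-share scan this is the cheap first pass: anything with `has_macros` true, and especially anything with a note, gets quarantined or routed to deeper analysis instead of relying on the recipient reading a six-word banner.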
Re: Stupid people (Score:1, Insightful)
Nope you need to be retarded to use *any* m$ software...
Re: (Score:1, Insightful)
Kind of hard to give a shit what you think when you get butthurt over such a minor distinction, shill.
Re: (Score:2)
I wondered why I've been hearing about macro malware again! Granted, I haven't used Office in a looong time. But I thought, wasn't that solved in like 1993... don't allow macros? Guess history does repeat itself.
Attack and Defense -- Smallpox (Score:2)
I wondered why I've been hearing about macro malware again! Granted, I haven't used Office in a looong time. But I thought, wasn't that solved in like 1993... don't allow macros? Guess history does repeat itself.
Defenses to threats that are not exploited become de-prioritized over time, especially when an "almost extinct" vector is the threat and you are asking hundreds of millions of people to click an extra dialog that they don't understand to begin with.
It's like smallpox. It is basically eradicated, but if it comes back we'll have an issue because we're not strict about vaccinating for it, because it's basically extinct.
Re: Stupid people - Mandatory Access Control (Score:2)
Re: Stupid people - Mandatory Access Control (Score:4, Interesting)
Linux has the same problem.
A limited user (even without sudo rights) launches a buggy application and opens an infected document. The virus can then proceed to encrypt all the files that the user can modify.
The system files will stay intact.
The documents of the user will get encrypted.
The user usually cares about being able to access his documents, so the damage is done even without root access. If this happens on a single user desktop, then the damage is the same as if the virus had root access. In both cases you have to restore the PC from backups (if you have them).
Re: Stupid people - Mandatory Access Control (Score:1)
Not if SELinux or AppArmor is enabled
Re: (Score:2, Troll)
Kind of hard to take you seriously since you reference microsoft as m$
M$ or Microsoft, or Redmond, it doesn't matter when the fact is that there are a lot of issues with Microsoft products, and that this is one of the more idiotic ones. Since they have a less than intelligent system that seems custom designed to allow anyone access to the computer, and since they make it so easy to happen. He isn't wrong, whether you automatically discount anyone's statement of fact when you see M$, or not.
Re: (Score:2)
I am not arguing that a lot of microsoft's software has issues, but microsoft of course wants to appeal to the masses, this complaint about not having a pop-up and instead having a bar with an easy to find button isn't less safe, it still prevents the macro from instantly running, it's ju
Re: (Score:2)
You'll probably come across as juvenile, this may be right or wrong and again, this may be your intention.
Fact is, some people are going to switch off when they see you write "M$", or refer to their compan
Re: (Score:3, Insightful)
The stock symbol is a convenient short identifier.
MS deserve the moniker M$ due to patterns of behaviour that indicate they have no integrity. Some people don't understand that organisations have a persistent culture, some are simply stupid, some are going to switch off no matter what you do, and your managers don't bother reading your emails in full.
That's life.
It's also not particularly interesting or informative to keep pointing it out as if you have some kind of special insight, unless you want everyone
Re: (Score:1)
When you write it as 'M$' it tends to give the impression one of the big issues you have with them is they've made a lot of money
That is a completely legitimate issue to take considering how they made a lot of that money.
Think "antitrust".
Re: (Score:2)
When you write it as 'M$' it tends to give the impression one of the big issues you have with them is they've made a lot of money
That is a completely legitimate issue to take considering how they made a lot of that money.
Think "antitrust".
Does your iPad come with a default browser made by Apple, or does your Nexus come with a default browser made by Google? Those are the kind of things that were at the center of the "antitrust" case against Microsoft.
Both Apple and Google have made billions with their proprietary ecosystems but I don't see you calling them Apple$ or Google$.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
That is because when they write "M$" they come off as this guy [penny-arcade.com] and nobody is gonna take this guy seriously.
The neat part is, you can determine that they are lying without reading their post. Just skim it for the lying word, and you have the truth, from God's lips to your ears.
Re: (Score:2)
When you write it as 'M$' it tends to give the impression one of the big issues you have with them is they've made a lot of money, and that you make a point of expressing that whether or not it is necessary or relevant. It may be that you actually want to give that impression, in which case power to you.
Keeping in mind that it wasn't me that typed M$, I wonder, do you give more veracity to pretty people because you think a pretty person is smarter than an ugly person? Because if you automatically reject a person because of a typed dollar sign you are going to be easily manipulable.
I'll read the person's words, and decide the veracity of their statement, not this sort of find one word, and declare what was written was untrue.
You'll probably come across as juvenile, this may be right or wrong and again, this may be your intention.
When I use words like that, it's usually for shock value. It's all just noise o
Re: (Score:1)
I'd wondered if I should've clarified that in my post. In any event, it has been now. I'm really just responding to you because you're not an AC (I'll explain soon). Just looking to have conversation about it, not tell anyone off.
Not to the extent I can be aware of my own biases. Again, I chose to respond to you because you're not an AC. It's not becaus
Re: (Score:1)
Kind of hard to take you seriously since you reference microsoft as m$
Well having installed Microsoft Windows 10 from ISO onto a virtual machine and having looked at the definition of Malware [wikipedia.org] I do think people who install it are taking a huge risk. I actually have my virtual machine off and if I turn it on it is only for testing purposes however I actually switch off my virtual network. For those who want Windows 10 you could liken them to a frog put in lukewarm water then slowly turn up the heat and the frog won't notice until it's too late.
Yes, I am aware that it is pos
Re: (Score:2)
Look at the shape of the $ and you'll figure it out.
Re: (Score:2)
Re: (Score:3)
Yeah Stuxnet sucks. It totally screwed up my nuclear program infrastructure. That's the price I paid for letting the trial McAfee expire on my new cheap Asus laptop.
Re: (Score:3)
Because the average user doesn't know what "Run Content" means. Meanwhile they're being told to never disable scripts, never enable adblock, always accept all defaults, and Microsoft is never wrong.
Re: (Score:1)
You have to be retarded to click on "Run Content" if you don't trust the source...
People are, and will be, idiots, what is new?
You have to be retarded to use an operating system and software where shit like this happens to a lot of people, and people like you claim that they are retarded.
The mental retardation happened at purchase, not clicking on the self destruct buttons.
Re: (Score:2)
Geez, I wish I could use one of those magical systems like Linux or Mac OS that don't allow the user to deliberately run software they've deliberately downloaded from the internet, and have it modify user files on the system that they've deliberately given it permission to access.
What on earth are you blathering about? You been drinking the Friends of Microsoft Koolaid again? Can't tell if you are being sarcastic, or baked - in any event, you are wrong.
Go back to "Warning", not "Run". Allow disable (Score:4, Insightful)
> and what do you propose as solution?
> Removing macros? Further dumbing down systems ?
The problem is that Microsoft dumbed it too much. They have one button where they should have two. The ONLY option is the new UI is "Run Content". There should be a "No Thanks" button.
As explained in the fine summary, the recommendation is something like the old warning, which actually worked, or least an option labeled "dismiss", "cancel", or "disable macros". Here's one MS UI that worked:
http://i1-news.softpedia-stati... [softpedia-static.com]
Microsoft traded that for a single button with the instruction "Enable Content". There is no more "disable macros" option anymore. Anyone who isn't sure what they should do will often click the one and only option Microsoft provides: run the macros. There should be a button to dismiss the message without running macros.
Re: (Score:3)
Microsoft traded that for a single button with the instruction "Enable Content". There is no more "disable macros" option anymore. Anyone who isn't sure what they should do will often click the one and only option Microsoft provides: run the macros. There should be a button to dismiss the message without running macros.
I agree, but as a security guy in a government position, one thing I learned is that if you disable *everything* by default and require them to manually click to enable, such that they end up doing so every day for legitimate work tasks, they get used to do so and will click even when they shouldn't. Same deal with barraging them with warning popups full of legalese. They stop reading pop-ups.
As such, and while I understand it might be more complicated to implement, my suggestion would be to sandbox everythi
Re: (Score:1)
Re: (Score:2)
I have to say it (Score:2)
Of course, we all know that in Windows, clicking the X on the right now means "go ahead and do it". :)
Somebody had to say it.
Re: (Score:2)
Re: (Score:1)
How about just adding back the fucking warning popup that was so fucking effective.
You still get to use macros, just like before.
Re: (Score:1)
How about just adding back the fucking warning popup that was so fucking effective.
You still get to use macros, just like before.
^^^ THIS.
Re: (Score:2)
You have to be retarded to click on "Run Content" if you don't trust the source...
People are, and will be, idiots, what is new?
...and what do you propose as a solution?
Removing macros? Further dumbing down systems à la Apple?
Fuck. That. Shit.
The dumb part was attempting to "enrich" our documents with this bullshit when 99% need a damn word processor and that's it.
Adobe Reader v5.x was less than 10MB in size. That program has now grown to obscene proportions, and for what justified reason? I still use Adobe Reader for the same fucking reason TODAY that I did 15 years ago, as do 99.999% of users. To read PDFs.
Perhaps you think the stupidity light needs to shine both ways to enlighten us of this problem, but since I tend to favor root cause a
Re: (Score:2)
Re: (Score:2)
People *Think* they trust the source too, when they actually have no actual proof of who the source is, for instance a spoofed email, or an email which actually came from the computer of someone they know (but that user had previously been infected with malware)...
Re: (Score:2)
------------------^
Click to view document
That's it, no more content.
Now, I wouldn't click on it, you might not either. But there's enough people out there who will follow instructions, or will click on the most obvious button to make an annoying alert go away.
Re: (Score:3)
allowing a pipe as in:
Format C: | Y
Re: (Score:2)
And what are the good UI decisions Microsoft ever made? Remember the "Start" button debacle?
I'm nominating the ribbon.
Re: (Score:2)
Re: (Score:2)
And what are the good UI decisions Microsoft ever made? Remember the "Start" button debacle?
Autorun, default is still enabled.
I have an old version of Hiren's bootdisk whose autorun.ini installs malware. I keep it as an example of autorun's bad side, and as a not-so-bright attempt at an attack - it's a boot disk (yet if placed in a drive when running Windows...).
Car Analogy (Score:5, Insightful)
This is rooted in Microsoft culture. Security is never a primary concern. Imagine someone with a whiny voice saying "It's too hard, I don't wanna do it, it makes things no fun" etc, etc. From the outside that seems like how they behave.
And there is the little matter of loss of institutional memory, which is the senility part. That is because they consciously exclude people of long experience. They don't hire them, and if anyone is too long on the job they get flushed out. It's cheaper and keeps the workforce docile. But the long-term result is making the same mistake over and over again. Not that Microsoft is a whole lot worse than any other big software organization, but they appear to do it even more than other big outfits.
Expect them to resurrect the BSOD any day now...
Re:Car Analogy (Score:5, Informative)
Expect them to resurrect the BSOD any day now...
It never went away - still an integral part of the Windows experience. http://answers.microsoft.com/e... [microsoft.com]
http://answers.microsoft.com/e... [microsoft.com]
http://www.computerworld.com/a... [computerworld.com]
W10, 8.1, and 7. BSOD - supposedly long gone.
I've had zealots declare me a liar while claiming "There is no BSOD any more!" with great conviction. It still happens, even as documented on Microsoft pages.
Watch me get marked as a troll for pointing out the truth.
Re: (Score:1)
Re: (Score:2)
Of course it's still there.
I have had many people telling me that I was lying, that the BSOD did not happen any more - from Vista on. Even in here, IIRC
Re: (Score:2)
I've had zealots declare me a liar while claiming "There is no BSOD any more!" with great conviction.
This is a good thing. I would really like it if we lived in a world where total system crashes were so rare that people actually believe that the BSOD doesn't exist anymore. We're getting there. BSOD is now very rare compared to the past. I haven't seen one in Windows 8, 8.1 or 10, don't even know what it looks like. I used to see them in Windows 7 but then I was running on flaky hardware for a while.
It's certainly not like Windows 95, 98, Mistake Edition, or 2000 where they were an integral part of the exp
Re: (Score:2)
Re: (Score:2)
It's certainly not like Windows 95, 98, Mistake Edition, or 2000 where they were an integral part of the experience.
Win2k does not belong in that list.
Re: (Score:2)
Yes it does, as does NT4 and XP. While they were a large step up from 95/98 they are still a long way from the stability that is offered by Windows 7 and 2008 Server. A lot of this has to do with the change of the driver model over the years. It's not significantly harder for a misbehaving driver or a hardware fault to bring down the entire system (remember BSOD and Kernel Panics are self protection mechanisms).
Re: (Score:2)
Watch me get marked as a troll for pointing out the truth.
If you do get marked as a troll it will be for this obvious trollish and idiotic end to your post.
Didn't get marked as troll, but someone that calls me an idiot when calling me a troll, is.....well, bless you, thegarbz, have a fine weekend.
My point is that you should see my moderation email. I can send cited and well documented arguments to validate my assertions, and if they are not positive about Windows, I'm descended upon like a wildebeest by crocodiles with troll mods.
Re: (Score:1)
I've had zealots declare me a liar while claiming "There is no BSOD any more!" with great conviction. It still happens, even as documented on Microsoft pages.
Oh, but the BSoD went away with Windows XP.
The default behaviour in the case of a BSoD for XP was to automatically reboot the computer, you see. People no longer saw any BSoDs, so Microsoft obviously must've fixed them.
Tutorial = off (Score:2)
Well, that's one way of looking at it. The other is that Microsoft had to cater to the lowest common denominator with big scary warning dialogs when you did something potentially stupid. And that they did that because it was new and people were ignorant, but that as a computer literate generation grew up they thought they could start taking off the training wheels. I mean, it's not like Linux gives you much warning when you break shit, yeah you might have to invoke sudo but that is the universal "trust me,
Re: (Score:1)
Decisions? (Score:1)
MS makes UI decisions? I thought they just delegated UI coding to the new hires, saying "Here's a project for you to learn coding on."
Really? (Score:2)
Re: (Score:2)
and they will get sued and face antitrust issues with that idea.
Re: (Score:2)
> You can only warn but you can't prevent stupid. It's not like the code gets executed right away. You have to PURPOSELY enable it.
Read it again. If you don't get it, here's the gist: a shiny "Enable Content" button does not make people think "Gotta be careful, this might be a virus". Instead, it makes people, who are indeed not very knowledgeable in such matters, think: Doesn't look harmful. I want the content enabled, right? I'll click it to make it go away. That is driven by automatism and sometimes m
Re: (Score:2)
Does this mean you can blame the creator of javascript for creating pop-ups that allow you to inst
Re: (Score:2)
The problem is that they were, and still can be, embedded in documents in reputable sources. Consider it a form of social engineering. If you manage to infect one person's Excel document in an organization, chances are that it'll spread quickly throughout the organization, because you've got no reason to distrust the source. And UI has great influence on how people treat warnings.
Re: (Score:2)
I am not arguing that it's easy to enable but it still warns you regardless if it is a "shiny button" to enable, but you'd think because it's a bad file you download from the net or a questionable email they would be smarter than to enable it. If you decide to enable it that's your fault. It's like going to some random questionable website "Oh I need a new codec to stream this video? sure i'll install it!"
The problem is the warning is "Macros have been disabled" next to a button labeled "Enable Content". A reasonable interpretation is that if I click on Enable Content the macros will be disabled and I get to see the file's contents; not that it will enable macros to run. That button should say Enable Macros.
Not every file with a malicious macro needs to come from a shady source directly; when I was doing some publishing we'd get files from writers that had been infected even though they were from a trusted so
Re: (Score:2)
Re:Really? (Score:5, Insightful)
Yes - but this appears even on files without any macro content - just because the file came by e-mail. So files from internal recipients in a DOMAIN without macros have the SAME warning as an internet file with a macro virus.
This is the stupidity.
Jason.
Re: (Score:2)
Right, that's what I was going to bring up. Microsoft changed the popup to a banner, but I don't think that's really the problem. The problem is that they also have a nearly identical banner that pops up unnecessarily under different circumstances. So they spend a few years training people to just hit "Enable" whenever the banner pops up, meanwhile making that "Enable" button the only security against malicious macros.
It's a perfect example of "what not to do". You'd think Microsoft would have learned
Re: (Score:2)
You can only warn but you can't prevent stupid. It's not like the code gets executed right away. You have to PURPOSELY enable it. This is no different when people install whatever off the internet because they don't know better, while running an expired virus scanner that came with their computer when they bought it back in 2011. While I understand that Microsoft is a very user friendly OS compared to something like Linux, you can really only do so much without making it TOO user friendly where you can't do anything.
Very true, you can't fix stupid; to steal a line from Ron White. However, constantly changing how you present information in a UI is problematic and thus not a good idea. Users get used to seeing certain warnings and when they go away they assume whatever causes the warning is no longer occurring. Changing the wording of the warning can produce the same effect. Enable Content could be reasonably assumed to allow opening the file and seeing the content, not allowing it to Run Macros.
As for your internet and v
Enable by default (Score:1)
The worst offense... (Score:5, Insightful)
...was when they decided that hiding the extension was a great idea and made it default in XP.
trojan.jpg.zip anyone?
Re: (Score:2)
I think you mean 2003, but in all other ways yes. 2003 was the last version before they decided to ditch the menu bar for their precious "ribbon". I think it's because OpenOffice was reaching a point of being a reasonable replacement, almost indistinguishable on the surface, so Microsoft felt like they had to make Office... different.
The sad thing is they took away some really useful advanced features from 2003... like being able to create your own custom buttons with a little pixel editor and assign them
News? (Score:1)
Why can a macro even become malware? (Score:2)
The real issue here is that macros and scripts should always run in a very well designed and hardened sandbox. No matter what your script does, it won't be able to do more than screwing up the spreadsheet it came embedded with. It really is insane that a macro could harm your computer, except in Microsoft's world.
The culprit is simply bad design. Nobody in their right mind would allow arbitrary scripts from unknown sources to be run freely in an environment where they can affect things outside that envir
What kind of head injury do they have?? (Score:2)
Seriously, what kind of head injuries do the people at Microsoft have?? This is an enormously STUPID decision made by enormously STUPID people.
Ask technically-savvy people about this and 99.99999% would say, "Don't do this", but the wizards at MS in their infinite wisdom do it anyway?
WTF, Microsoft?? Do you want your users to be fucked over?
Re: (Score:2)
Seriously, what kind of head injuries do the people at Microsoft have??
It's called "product management." It results in diminished quality everywhere it is used, because it relieves the developers from the responsibility of thinking about the quality of what they are building.
Here's an example of the special Microsoft version of this disease [blogspot.com]:
So just on my team, these are the people who came to every single planning meeting about this feature:
1 program manager
1 developer
1 developer lead
2 testers
1 test lead
1 UI designer
1 user experience expert
--
8 people total
These planning meetings happened every week, for the entire year I worked on Windows.
The advantages of this system are: better top-down control, and you can hire less competent developers (who have not the skillset of thinking about what they are building).
Re: (Score:2)
So just on my team, these are the people who came to every single planning meeting about this feature:
Yep. I've worked (as a contractor) at Microsoft, and yes, the meetings are constant, unproductive, and often little more than dick-waving contests.
I rarely left a meeting feeling like we'd accomplished anything useful. Most of the decisions made were done in such a way so that no one could/would be blamed for anything that happened as a result of the meeting. Half the people there had no input and no stake in the subject at hand, but they had to come so they could "show the flag" and rack up meeting points.
T
Re: (Score:2)
So it got to be this reporting-fuckfest done mainly to plump up the work logs to make it appear we were doing something. And we were doing something: we were filling out shitloads of "what I did" reports, which took away from the time we needed to actually accomplish our goals. Fucking insane.
Did anyone read them?
Re: (Score:2)
Did anyone read them?
Theoretically the higher-higher managers did, but who knows.
They probably got a stack of these combined reports every week and said, "Not another load of this shit again!" and tossed them in the shredder.
Re: (Score:2)
Re: (Score:2)
It's actually kind of amazing Microsoft held together at all, considering how bad their management style is.
Yep. I'm surprised the company survived the decade-long "stack ranking" clusterfuck, which was an egregious, self-inflicted wound perpetrated by clueless management retards.
It just goes to show that inertia in a large company can keep them rolling along, even when the treads are coming off and smoke is pouring from the turret.
Enable Button (Score:2)
Oftentimes at work, one co-worker e-mails an Office document to another. The recipient opens the document from their e-mail, clicks the Enable button on that yellow notification bar to switch from read-only mode to editing mode, and then views the document without making any changes. Whenever I see this, I point out to the person that they should not click that button unless they've read what the notification says (click to enable editing), and they should only click it if they need (and know they need)
Microsoft DLL Hijacking Vulnerabilities (Score:1)