Of course, some on work computers can't do that.

or retire and let someone with a clue take over.

-Can't install any third-party software for supposed security reasons.
-Standardize on the most proven-exploitable software out there.
-Problem?

Often, we can only make suggestions that the owners/managers can chose not to invest time or money in.

If a company has 10's or 100's of thousands of dollars in software, training, licensing, customized add-ons, etc., they're very, very unlikely to change course.

Blaming the IT folks for things like this is like blaming a supply sergeant for decisions made at the Pentagon.

Microsoft is often in charge of large corporate software decisions.

Not an IT professional, just someone who USED to like to use LotusNotes when I worked for a large computer company, only to have to yanked off our desktops due to an agreement with....Microsoft. Monopoly much?

By a lot. And the default format for Notes mail is RTF. It is legacy technology that IBM and Apple have saddled us with.

Notes/Domino is excellent as a database (or application as they call it in newer versions) server, but for mail and calendar use, it is lacking.

On a side note - it took me all of 15 minutes to create a new group policy in my domain which made it so RTF files can only be opened in "protected mode" which would prevent any potential problems.

Like I said, I'm not IT, just a user. We had LotusNotes as our first e-mail software back at the beginning. Then we were forced to go totally Microsoft and we got Outlook (or whatever it was back then, this was early '90's). It was a total clunker compared to Notes. No calendar software has ever convinced me it is better than...an actual calendar, so I don't know about that. And I figured out how to a bunch of stuff with the database it couldn't do, so a nonITer could actually make it work the way she wanted it to work. That was gold.

Little tip - If you need to coordinate calendars between lots of people, a paper calendar doesn't really cut it, if your entire organization has their calendars in a system like Outlook (or even Notes), you can tell at a glance who is available at what time if you need to schedule a meeting with lots of people.

In some cases, they have invited Microsoft in to manage their software and worse yet network security.

customers, parent companies, etc. use.

For instance, I work for a small Pharmaceutical company. In order to be compatible with suppliers, customers, the FDA, other regulatory agencies, etc. and in order to use industry standard document templates, Microsoft is almost a necessity, it would be almost impossible for us to function without MS products.

Just curious, considering 90 some odd percent of the computers out in the corporate world use Microsoft Office.

i use firefox and wordperfect but have to use outlook in the office. i hate outlook. i don't understand why people don't know to send text attachments as pdfs. i am constantly telling people to convert the word document they send me to pdf format and re-send. i'm 64 years old and i know how to do that!

this alert is only for rtf documents that you might open in word? is that what i'm hearing here?

tia

And Chrome just works better

i disagree with your characterization of mozilla as being last. i think internet exploder is last. do you have confirmation of that? i would like to know my risks. haven't had a problem with firefox since i started using it many years ago.

Just searched and found only old "readme" and, ironically, EULA files that are in RTF

Also, looks like this is ONLY if you use Word to view emails (?!):

http://it.slashdot.org/story/14/03/25/0156203/microsoft-word-zero-day-used-in-targeted-attacks

http://www.securityweek.com/new-microsoft-word-zero-day-used-targeted-attacks

hard to keep up with all the idiots and their schemes out there.


I believe it is a word/outlook express/ microsoft issue exclusively.

If you use Outlook, which uses Word to view .rtf files by default, the preview feature cold also lead to infection.

I'm not going to be downloading anything for awhile. The last thing I need is a virus.

A format that was largely made obsolete by advances in storage. Designed to fit somewhere between text files and full blown word processing documents, they allowed the use of different font sizes and some formatting. As hard drive space made the size overhead for a word processing document negligible, the purpose for rtf files went the way of the dinosaur.

Better advice would be don't open anything from a source you don't trust or know exactly what it is you are opening. My company is currently without web access to our email because some idiot clicked a link that was obviously a phishing attack. Well that and the fact that the email team screwed up and left some gaping holes...

but as an online college professor I get them fairly frequently from students,

I put in my syllabus that I require everything in doc docx or PDF. Still get them though - never read them. You don't submit in the correct format - you get a zero.

As I recall, the issue was that, in the old days, if you wanted to send a document to someone else, and they didn't use the same word processing program you did, the only thing you could do was convert to plain text and lose all formatting. You couldn't open a Word doc unless you owned Word, etc. So for example, RTF would allow a Word user to send their document to any Mac or Windows user who didn't have Word, and they could still see a reasonably well formatted version of the document.

The RTF was basically made obsolete by three things: the ability of numerous apps to read native Word files; the fact that Word itself has become so much more ubiquitous; and the rise of PDF. Sending Word docs to people and worrying about whether or not they will be readable is not as big an issue as it used to be. The bigger issue is probably one of whether it will necessarily appear as expected, and PDF addresses that issue much better than RTF ever did.

I set up the first PCs in the company I was working at (by then, it was Windows 3.0) The two dominant word processors were Word Perfect and Word and they could read and write in each others formats, if you knew how to install them properly.

If you are talking other OSes, then yeah, there might have been some fringe word processors out there that couldn't talk to anything else. We didn't bother with no name $5 floppy disk software with a dot matrix printed label.

It's useful when you are using a computer with a newer Word version and you need to send it to a computer with an older Word version.

Might want to use them, at least until they get this patched.

Go here and follow the "Fix it for me" instructions to disable opening of RTF content in Word.

Or existing ones you already have on your computer? Seems like it has to be only new files.

Can anyone confirm just to be safe?

Also, is it only for pc or also for Macs?

but I will kick as someone may know

Not sure if it affects non-windows systems or Word for Mac

The baddies in the RTF cause a Visual Basic script to be installed and run.

much appreciated! I copied the article and sent it out to my mailing list. Thanks again!

I just wonder why we didn't learn of this when they issued the alert on Monday. better late than never, though!

have a great one DonViejo

Geez. I don't even know what rtf is.

seems like some writing I sent somewhere recently had to be formatted that way for some reason or other, but it isn't very popular for the most part

I guess hackers are using that format to... well, hack, so if you see an attachment ending in .rtf, just don't open it. I have a great graymail program on my tele co-op e-mail. they catch everything and quarantine. You have to forward an e-mail to regular inbox to open suspicious stuff.

In practice, it lacks the tools for serious work, but it can be convenient for casual use, and I've seen it at times in academic situations, like for students with different computing platforms.

And it's old, been around since forever. One thing hackers will do is root around in the detritus of past operating systems looking for cool things you could do before the the internet became The Internet.

A crappy word processor combined with an even crappier email program, both from the people with the least security conscious OS.
I'm surprised that Word will even open a .rtf considering that it won't even open old versions of it's own documents.
An email program where the default used to be "Automatically open attachments". Change the settings and along comes an M$ update that resets to default without asking or telling you.

And that was older versions of it. It's not exactly swiss cheese.

And auto-open, good grief, are you pissed about Outlook 97 still? Do you even own a car that old?

It's paid for, has 136K miles on it and gets 31 mpg on the highway.

And I stand by my statements about Orifice and Outhouse.
And if it's not swiss cheese, why are there literally hundreds of patches and fixes for it?
Of course, I've made a fair amount of money straightening out people's fucked up computers.

And it is used worldwide, so it is constantly under assault. Sure, there have been some vulns. the JPG filter, PNG filter, now the RTF import filter. Some macro viruses (largely nuked in '97 SR1).

It's been pretty solid though. Most of the fixes for it, have nothing to do with security. Some are as innocuous as adding new currencies, or deprecating old ones.

Sorry about the car joke though, that was a cheap shot. High-five, older, somehow more efficient pickup buddy.

it would be nice to have a car with a cd player in it however. do they still make those? i have avoided buying new cars because of all the new gadgets. i wish i could find a fully-manual car but that's impossible nowadays.

i DO love my camry . . . especially with the v6 booster.

I have always commuted by bike or motorcycle during rideable weather. Mainly though, we're just home-bodies.

The only virus I ever got was from a disk from someone I trusted so I didn't scan it first.

But I have cleaned out 1000's of computers.

Was on an unsafe site, with what I suppose was a cross-site scripting attack, and distractedly clicked on something I shouldn't. Completely did in the windows OS on that hard drive, couldn't boot up. But I was able to simply mount the drive under a linux partition and grab off all the rest of my data on the drive, thankfully.

You get careless on the net, you get a virus. Simple.

People have been getting desperate. It's been about 15 minutes since they had a chance to squawk about Microsoft.

Your system may be owned as we speak

http://m.infoworld.com/t/cringely/the-linux-security-spell-broken-238717

Infected computers would send it to contacts in the address book, so people would receive these messages from people they knew. Brilliant!

Security is always too much trouble.

Personally, my prescription is either:

a.) Build a secure web for secure interactions, with industrial encryption built right in (and make the banks pay for it),

or

b.) Stop putting anything not intended for EVERYONE to see on the web.

You are always communicating with EVERYBODY on the Internet.

I predicted in the 90s that putting all that financial stuff on the web would be a security disaster. The internet assumes trust. Security is an added feature.

In the 90s, before Y2K and security consciousness, you could do amazing things on the net, FTP or TELNET just about anywhere, for example.

Properly designed systems assume the Internet is un-trustworthy.

The real locus of security always did reside in the endpoints (e.g. in the PCs and in-house servers, but not the cloud or the routing infrastructure). There's really no other way to do security without rank authoritarianism.

OTOH, most PCs run Windows therefore security is sh!t. Cyber criminals became rich, resourceful and established on the back of Microsoft's penny-pinching attitude toward security (up to Vista at least).

The most interesting and practical thing to come along in security for a long time may be Qubes OS, the first desktop OS to have virtual machines (and advanced VM hardware features) ingrained into its architecture.

Centralized architectures don't scale well. Even DNS is really too centralized, but the centralized part is as small as possible, and there are local caches, so it works as long as most traffic is "local", where "local" means you don't have to look to far up in the server hierarchy. Web traffic generates lots of lookups, Point to point generates few or none.

...of the last-mile stuff.

They used to say that pervasive electronic surveillance was impractical, too.

Anyway, my point is that the IT community should not forget the importance of personal computers. We won't make anything more trustworthy until we make PCs more trustworthy.

In more limited domains, you don't get the same performance issues. How often have you been left hanging there on the web waiting for DU to respond? How much worse would it have to be to make the web unusable for converstation?

You can collect it all, but you can't process it in real time. They are running around like striped-ass apes as we speak trying to build out enough storage to collect it, let alone do something with it.

I quite agree with your point, I'm saying it's the only way you can do it (security), per machine. That's why they want us to pay for it, it's going to be expensive, in time, and in inconvenience, and in money.

Maybe the sarcasm tag failed to load in your post or something. One primitive trojan in the wild makes Linux less secure than Windows? lol

If that was even remotely true, a trojan wouldn't have even been news.

So this is really only a hypothetical threat to me since I'm not vulnerable to this particular attack... and even if I was terrified by this sign-of-the-endtimes, I may find salvation by inputting one simple command in the terminal to determine whether I'm compromised:

ie, the attack is specifically geared at the windows operating system? Or is it something that spans platforms?

I would assume, if you are not root and on Linux, that you can't do that much damage, and the operating system stuff would not work at all.

No problems with Word or Outlook for us.

But I hear Libre Office is a good alternative.

I have both a pc and a Mac and I use Word on the Mac and OpenOffice on the pc.

I tend to use .rtf files more on the Mac than pc.

Did you read somewhere that it's only for pc version of Word?

first someone would have to write a custom hack to get into the Mac.
One of the reasons there are no Mac viruses is because it is very difficult to do and there aren't enough Macs in the world to make it worthwhile, compared to the the relatively easy methods to break into a PC and the huge volume of machines available.

Also the hack must exploit admin privileges which can't be done on OS X without the user explicitly giving the code permission by typing in the admin password. If you try to open a text file and then get a message asking to be given admin privileges instead of opening the file, it's pretty unlikely most people would do it.

text files I like them to open in Mac's Simple Text (or whatever it's called now, not on my Mac right now).
Also, some online job applications want your resume in non-formated text, so I have some resumes lying about in RTF for quick copy and paste.

through email? Are they saying don't open .rtf files that someone sends you? Confused, thanks!

files, too. Are they subject to attack?

But I joined the Cult of Mac years ago and have not gone back, as Mac does what I want it to do, despite the limitations. I know Microsoft runs many great applications Mac cannot.

I don't send RTFs, only pdf's and inline messages. I never thought Microsoft accepted them. So this is news to me. I've thouught of purchasing a Microsoft laptop simply to run Rosetta Stone, as I have not found a version that works with my Mac.

My computer can't work with Microsoft OS files, which can be a hassle, not being able to work with or exchange any Microsoft Word files. I had a program called Open Office to do so, but it tried to make itself the default, which ruined my existing RTFs, so I deleted it.

I use Mac OSX and convert and create ALL my files to RTF. They won't save as RTF files after editing to add images, so I save them as RFTD files.

Thanks for this bit of news, as it shows Microsoft is more open to other files. I haven't used it for over ten years, and I know I've missed a gteat deal. Very good of you to post this.

I don't recall if Word 2.0 could or not. I think it could. (Last Windows version of word before switching to the Office/date versioning name scheme)

Haven't seen word for dos since the Word for dos 5.5 patch for Y2K.

But I'm pretty sure RTF was around, they used it for documentation and had a free editor for it, so people without Word could still read the documents. "Microsoft Write" maybe it was. They always liked to adopt vague words for product names, like "Windows". Word was the bells-and-whistles word processor you paid money for. At that time I was using mostly text editors, so I didn't care about Word, and graphics monitors were expensive too, but I used Write a lot, it ran fine on a text console.

Rich Text Format is an absurdly simplistic Microsoft rip-off of TeX. Which demented Word "feature" is allowing RTF documents to generate executable objects?

who insists that all assignments be submitted as .rtf files. Via email. I suppose I should give him a heads up.