
PSA: Don’t Open Random PowerPoint Presentations from Strangers - elon_musk
http://techcrunch.com/2014/10/24/psa-dont-open-random-powerpoint-presentations-from-strangers-right-now/
======
userbinator
More generally, "don't open files in random proprietary formats from
strangers".

People are surprised and think it's strange when I request they send me files
in .txt instead of .doc(x), .csv instead of .xls(x), .pdf instead of .ppt(x),
reject HTML emails, etc. Some of these people are the same ones who manage to
somehow get infected with tons of malware, even when they're running an AV.

The best alternative to a .ppt(x) is .pdf, and even that has had its share of
exploits in the official implementation.

~~~
dragonwriter
> More generally, "don't open files in random proprietary formats from
> strangers".

Disclosure and licensing of the format doesn't actually prevent any of the
security issues, so I'm not sure that "proprietary" is meaningful here.

"Don't use software whose security profile you aren't confident in to open
files" might be a better rule -- but then you could drop the "to open files"
part off without any loss of validity.

~~~
kazinator
Remember when, years ago, there was an exploitable flaw in WinAmp's loading of
.m3u playlists! That format is neither proprietary nor complicated.

The 1989 Morris Worm exploited the loading of a character string into a C
buffer (by means of the gets function). The data format there is "line of text
(which may only be yay long)".

I think the main point here is "don't forward me documents that can only be
viewed with large, complicated, closed-source programs, if you did not write
those documents". This is reasonable.

As consumers we basically trust these proprietary programs not to be malicious
in and of themselves. Let's put it this way: if Microsoft wanted to do
something bad to your Windows PC, they could do it in so many ways _not_
involving the loading of a specially crafted Office document.

We also trust documents created in these programs by people that we trust. If
my friend created a PPT he wants me to view, it probably doesn't contain an
exploitable hole. (Probably: because there could be some virus that spreads
from malicious documents to good documents via exploit code running inside the
document application.)

Taking random PPT's, DOC's and XLS's from some unknown sources on the Internet
and circulating them to people in your address list: totally bad,
unacceptable.

There is no reason that some circulating joke has to be a Word file! Even if
the author thinks it requires colorful fonts: use HTML, damn it.

------
anonymfus
> If you’re on a build of Windows that has User Account Control as an option,
> enable it (it should be on by default, in most cases.) This won’t fix the bug
> outright, but it’ll throw up a big permissions prompt that’ll remind you not
> to open mystery files.

The default UAC option in Windows 7 and later is "Notify me only when
applications try to make changes to my computer". That option is problematic
because of various ways to exploit built-in apps to bypass UAC. "Always
notify" is a slightly less convenient but much more secure option.

------
Animats
It's a Microsoft Office OLE bug. If you're running OpenOffice or LibreOffice,
you should be OK.

(The last Microsoft Office product I bought was Word 97. The free stuff has
been good enough for years now.)

~~~
wfjackson
OpenOffice and LibreOffice aren't magically free of security holes.

[https://www.openoffice.org/security/bulletin.html](https://www.openoffice.org/security/bulletin.html)

~~~
zxcdw
Nobody ever said they would be. However, their market share is notably
smaller (and the operating systems they run on are vastly more diverse), and
thus there's little sense in writing bulk malware targeting them. Targeted
attacks definitely, though in that situation one would almost certainly be
screwed anyway if the adversary is capable enough.

~~~
yuhong
And pretty much most of these exploits are targeted attacks already.

------
barsonme
I think, in general, it's prudent to not open any files from strangers unless
you're expecting said files.

~~~
ryanburk
Exactly. The lesson could even be "don't open * from anyone, especially
strangers."

You can get code to execute in all sorts of presumably innocuous file types.

~~~
userbinator
Plaintext is likely to be OK, however; that is, if you're using a "dumb and
simple" true text editor and not one that tries to do fancy things like parse
the text and perform syntax highlighting.

~~~
_RPM
Would the UNIX utility `cat` fall into that category?

~~~
gizmo686
cat is probably safe. I would be concerned about the terminal you are running
it in though.

~~~
a1369209993
`cat -A` works for terminal-safety
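
To make the "terminal safety" point concrete, here is an added example (not from the thread) that reimplements the escaping `cat -A` performs in Python: every byte a terminal could interpret, including ANSI escape sequences, carriage returns and high bytes, is rendered as a visible `^X` or `M-` token, and a second helper reports where such bytes sit in a file. The sample input is constructed for the demonstration.

```python
import sys

# Constructed "plain text" sample: it carries an ANSI colour escape, a BEL,
# a carriage return that would overwrite the line on a raw terminal, a TAB
# and a byte outside 7-bit ASCII.
SAMPLE = b"hello\x1b[31m world\x07\r\tdone\x80\n"


def show_all(data: bytes) -> str:
    """Render bytes the way `cat -A` (-vET) does.

    C0 control bytes become ^X (ESC -> ^[, CR -> ^M, TAB -> ^I), DEL becomes
    ^?, bytes >= 0x80 become M- followed by the rendering of their low 7 bits,
    and each newline is preceded by '$'. Nothing that reaches the terminal is
    interpretable as a control sequence any more.
    """
    out = []
    for b in data:
        prefix = ""
        if b >= 0x80:
            prefix = "M-"      # "meta" byte: show it, then render the low bits
            b -= 0x80
        if b == 0x0A and not prefix:
            out.append("$\n")   # -E: mark the real end of line
        elif b == 0x7F:
            out.append(prefix + "^?")
        elif b < 0x20:
            out.append(prefix + "^" + chr(b + 0x40))  # 0x1B -> ^[, 0x09 -> ^I
        else:
            out.append(prefix + chr(b))
    return "".join(out)


def unsafe_offsets(data: bytes) -> list:
    """Offsets of bytes a terminal could act on: C0 controls other than
    newline and tab, DEL, and anything outside 7-bit ASCII (C1 controls such
    as a bare 0x9B CSI live there on some terminals)."""
    return [i for i, b in enumerate(data)
            if (b < 0x20 and b not in (0x09, 0x0A)) or b >= 0x7F]


if __name__ == "__main__":
    # Usage: python show_all.py [file]; without a file the sample is shown.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(show_all(raw))
```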

------
maximumoverload
Unfortunately, opening and forwarding random PowerPoint presentations is all
some of my relatives do on their computers.

~~~
userbinator
This is even more problematic, as all it takes is for someone to be enticed
into opening one which silently installs malware, and then they'll think it's
"perfectly fine" and forward it to someone else who trusts them.

------
anonymfus
> 4. If you have Windows’ User Account Control feature enabled, it’ll throw up
> a prompt asking if the file is okay to execute. If you aren’t 100% sure that
> the file is legit, avoid doing so.

If opening a PowerPoint file throws up a UAC prompt, that is such strong
evidence that the file is not legit that your prior estimate of it being legit
realistically cannot be close enough to 100% to override this evidence.

So, if opening a PowerPoint file or other office document throws up a UAC
prompt:

1. Say No.

2. Warn the person who sent you that file and other people who could receive
it. If you created this file, or if you opened it before and it did not throw
a UAC prompt, that means your system is probably infected and maybe all your
other documents are infected too; warn other people about it.

3. Send this file to VirusTotal.

4. Run an antimalware check on your machine with a free tool from a legitimate
antivirus vendor (such as Dr.Web CureIt, Kaspersky Virus Removal Tool,
Microsoft Windows Malicious Software Removal Tool). If VirusTotal told you
that some vendors already detect that file as malicious, use the tool from one
of those vendors that you trust more. Otherwise, prefer a vendor which is not
the vendor of your currently installed antivirus, then wait until VirusTotal
detects malware in your file, and repeat this step.

~~~
danielweber
I think I was a minority who loved UAC as it existed on Vista. I didn't mind
the OS saying "hey, something is happening, pay attention."

~~~
ams6110
You were a minority. 95% of users had no idea what they were being asked to
confirm and just clicked OK to make the box go away.

------
mfkp
Important for anybody running powerpoint conversion servers to apply this
patch (myself included, looking into it now).

[https://support.microsoft.com/kb/3010060](https://support.microsoft.com/kb/3010060)

------
SiVal
This is yet another argument for using HTML5 as much as possible instead of
proprietary formats for public document interchange of formats fancier than
plain text. Although you might have to give up some fancier features, you can
get a near-equivalent of PowerPoint, Word, and Excel from HTML5 with a lot
less risk and a lot more cross-platform availability for the people you send
it to.

~~~
jxf
I give a lot of talks, and would move to HTML5 presentations in a second --
but the editing tools just aren't there yet. Sometimes I really just want to
draw some shapes and show the relationships between them without having to go
to a separate editor for that.

The best tool out there right now is [http://slid.es](http://slid.es) but it
doesn't come close to letting you represent things visually.

~~~
panzi
There are tools that let you draw on the screen, no matter what other
applications are running. At least there are such tools for Linux, but I'd
guess there would also be one for Windows. Heck, I'd guess there is such a
tool as a browser bookmarklet. If not, tell me and I'll write you one (it
would support Chrome and Firefox and maybe, just maybe, IE11
(canvas+pointer-events:none)).

------
erehweb
Embedding xls in ppt sounds like a good idea. At the moment, though, the only
two use cases I can think of are: (1) Inadvertently generating Powerpoints
that are far too large, or (2) Making it easier for attackers to take over
your system.

~~~
tracker1
OLE/COM allowed me to use some flash animations as part of a powerpoint about
a decade ago... Also, being able to chart live graphs from excel isn't a bad
thing. All of that said, I don't regularly use PowerPoint, and MS has at least
been forthcoming with the issue (far better than in the past)

~~~
yuhong
Interestingly, the use of Flash exploits eventually became common enough (it
was used to hack RSA, for example, I think) that Adobe went out of their way
to detect older versions of Office and throw up a warning message.

~~~
tracker1
Yeah, I worked at a company that had a legitimate reason to be able to save
state (to the local file system) from Flash before storage solutions inside of
Flash existed (around 4 to 6 IIRC); a COM injection bug was used to access the
filesystem... After I saw what could be done (COM injection), I promptly
disabled Flash on my own computers.

------
joezydeco
Would opening them in Google Drive sanitize them?

~~~
riking
Their converter probably has its own share of vulnerabilities, but the most it
could probably do is start executing JS.

~~~
panzi
But probably in the context of your Google account: it can access and maybe
manipulate all your Google Drive files. Maybe access mails in your Gmail
account? Probably not (other domain).

------
nodata
Random?

------
onedev
Just wow.

------
netsurfer912
PSA: Don't use Microsoft products.

~~~
eddieroger
That's an unrealistic PSA at this point in time. Too many people are invested
in Microsoft products to just walk away. Instead, a constructive and helpful
PSA would be "Don't open attachments unless you both expect them and know who
sent them, and even then, probably don't open them."

------
netsurfer912
PSA: Don't use Microsoft products

