PSA: Don’t Open Random PowerPoint Presentations from Strangers (techcrunch.com)
82 points by elon_musk on Oct 24, 2014 | 54 comments



More generally, "don't open files in random proprietary formats from strangers".

People are surprised and think it's strange when I request they send me files in .txt instead of .doc(x), .csv instead of .xls(x), .pdf instead of .ppt(x), reject HTML emails, etc. Some of these people are the same ones who manage to somehow get infected with tons of malware, even when they're running an AV.

The best alternative to a .ppt(x) is .pdf, and even that has had its share of exploits in the official implementation.


> More generally, "don't open files in random proprietary formats from strangers".

Disclosure and licensing of the format doesn't actually prevent any of the security issues, so I'm not sure that "proprietary" is meaningful here.

"Don't use software whose security profile you aren't confident in to open files" might be a better rule -- but then you could drop the "to open files" part off without any loss of validity.


Remember when, years ago, there was an exploitable flaw in WinAmp's loading of .m3u playlists! That format is neither proprietary nor complicated.

The 1989 Morris Worm exploited the loading of a character string into a C buffer (by means of the gets function). The data format there is "line of text (which may only be yay long)".

I think the main point here is "don't forward me documents that can only be viewed with large, complicated, closed-source programs, if you did not write those documents". This is reasonable.

As consumers we basically trust these proprietary programs not to be malicious in and of themselves. Let's put it this way: if Microsoft wanted to do something bad to your Windows PC, they could do it in so many ways not involving the loading of a specially crafted Office document.

We also trust documents created in these programs by people that we trust. If my friend created a PPT he wants me to view, it probably doesn't contain an exploitable hole. (Probably: because there could be some virus that spreads from malicious documents to good documents via exploit code running inside the document application.)

Taking random PPT's, DOC's and XLS's from some unknown sources on the Internet and circulating them to people in your address list: totally bad, unacceptable.

There is no reason that some circulating joke has to be a Word file! Even if the author thinks it requires colorful fonts: use HTML, damn it.


Proprietary formats (and software) have a tendency to be more overfeatured than open formats.

They're also standardized and have a rather large installed base, much of which is inconsistently updated. As attack surfaces go, they're large.

Relying on specific misfeatures to be present, exploitable, and useful on a diverse set of platforms is more chancy for the attacker.


PDF is much scarier than PPT.

'dragonwriter is exactly right: the provenance of the format has nothing to do with its security. What matters is its complexity, and even that is just a threshold matter --- past a certain (very common) point you're just screwed no matter what.


More generally, "don't open files". Unofficial PDF readers have also had their share of exploits, not to mention file formats like jpg, png, and gzip.


There might be a -slight- difference in odds though.

Getting exploited through complex badly documented file formats with a large attack surface using software with unknown source code,

versus

Simple compact well documented formats with a small attack surface using a reader with inspectable source code.

(even better if said source is actually regularly inspected, of course :-p)


Couldn't agree with you more - the general rule of thumb, is that if I can't view it as text or inline image, and you are a stranger - I will never, ever open it.

I'm even a tad nervous about opening things like unsolicited/unexpected PDF files from people that I know.


It is unlikely they were actually infected using an exploit though. These tend to be very targeted attacks. That being said, for those that do tend to be targeted, I am thinking that getting people to authenticate emails using S/MIME would be a good idea.


Pretty good plan, but then there is this: http://www.contextis.co.uk/resources/blog/comma-separated-vu...


ODP and LaTeX beamers are both pretty good for presentations.


or: don't open proprietary formats from strangers in proprietary operating systems, especially outside of virtual machines/containers


>If you’re on a build of Windows that has User Account Control as an option, enable it (it should be on by default, in most cases.) This won’t fix the bug outright, but it’ll throw up a big permissions prompt that’ll remind you not to open mystery files.

Default UAC option in Windows 7 and later is "Notify me only when applications try to make changes to my computer". That option is problematic because of various ways to exploit built-in apps to bypass UAC. "Always notify" is a slightly less convenient but much more secure option.


It's a Microsoft Office OLE bug. If you're running OpenOffice or LibreOffice, you should be OK.

(The last Microsoft Office product I bought was Word 97. The free stuff has been good enough for years now.)


I think OpenOffice/LibreOffice also have some support for OLE.


I've found that 'strings' can be surprisingly effective at rendering the textual content of PPT files.
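A concrete way to look inside a deck without letting PowerPoint (or OpenOffice's OLE support) parse it, as an added example that is not code from the thread: a modern .pptx is a zip container, so the slide text and the package relationships can be read directly. The script pulls the visible text (roughly what `strings` gives you on a legacy binary .ppt; on a deflated .pptx, `strings` mostly sees compressed bytes) and flags OLE relationships, external relationship targets, embedded objects under ppt/embeddings/, and oversized members. The namespace and relationship-type URIs are the standard OOXML ones; the size cap, the helper names and the sample package are assumptions constructed for the demo.

```python
"""Static triage of a .pptx (OOXML zip) without opening it in PowerPoint.

Added example, not code from the thread. Lists the things a hostile deck
would carry (OLE relationships, external targets, embedded objects,
oversized members) and extracts the slide text. Uses stdlib ElementTree on
a constructed fixture; on real samples prefer defusedxml.ElementTree.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces / relationship type for embedded OLE objects.
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_DML = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_PML = "http://schemas.openxmlformats.org/presentationml/2006/main"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MAX_MEMBER = 50 * 1024 * 1024  # assumed cap: do not inflate huge members (zip-bomb guard)

SLIDE_RE = re.compile(r"ppt/slides/slide\d+\.xml")


def inspect_pptx(data: bytes) -> dict:
    """Walk the package and return a report dict; never launches any viewer."""
    report = {"text": [], "ole_rels": [], "external": [], "embeddings": [], "oversized": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            if info.file_size > MAX_MEMBER:          # uncompressed size from the directory
                report["oversized"].append(name)
                continue
            if name.startswith("ppt/embeddings/"):   # where PowerPoint stores OLE payloads
                report["embeddings"].append(name)
            if name.endswith(".rels"):
                root = ET.fromstring(pkg.read(name))
                for rel in root.iter("{%s}Relationship" % NS_REL):
                    target = rel.get("Target", "")
                    if rel.get("Type") == OLE_REL:
                        report["ole_rels"].append((name, target))
                    if rel.get("TargetMode") == "External":
                        report["external"].append((name, target))
            elif SLIDE_RE.fullmatch(name):
                root = ET.fromstring(pkg.read(name))
                report["text"].extend(t.text for t in root.iter("{%s}t" % NS_DML) if t.text)
    return report


def red_flags(report: dict) -> list:
    """Human-readable reasons not to double-click the file."""
    flags = []
    if report["ole_rels"]:
        flags.append("%d OLE relationship(s)" % len(report["ole_rels"]))
    if report["external"]:
        flags.append("external target(s): %s" % [t for _, t in report["external"]])
    if report["embeddings"]:
        flags.append("%d embedded object(s)" % len(report["embeddings"]))
    if report["oversized"]:
        flags.append("oversized member(s): %s" % report["oversized"])
    return flags


def build_sample_pptx() -> bytes:
    """Constructed minimal package for the demo: one slide whose rels carry an
    internal OLE object and an external OLE target (203.0.113.5 is a
    documentation address). Inert fixture, not an exploit document."""
    slide = (
        '<p:sld xmlns:p="%s" xmlns:a="%s"><p:cSld><p:spTree><p:sp><p:txBody>'
        '<a:p><a:r><a:t>Quarterly numbers</a:t></a:r></a:p>'
        '</p:txBody></p:sp></p:spTree></p:cSld></p:sld>' % (NS_PML, NS_DML)
    )
    rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="../embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId2" Type="%s" Target="\\\\203.0.113.5\\share\\object.bin" TargetMode="External"/>'
        '</Relationships>' % (NS_REL, OLE_REL, OLE_REL)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/slide1.xml", slide)
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        pkg.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    rep = inspect_pptx(build_sample_pptx())
    print("slide text:", rep["text"])
    for flag in red_flags(rep):
        print("red flag:", flag)
```

Replace `build_sample_pptx()` with `open(path, "rb").read()` to triage a real file. A deck with any OLE relationship or any external target is not something to open outside a throwaway VM, whichever suite you use to open it.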


OpenOffice and LibreOffice aren't magically free of security holes.

https://www.openoffice.org/security/bulletin.html


Nobody ever said they would be. However, their market share is notably smaller (and the operating systems they run on are vastly more diverse), and thus there's little sense in writing bulk malware targeting them. Targeted attacks definitely, though in that situation one would be screwed almost certainly anyway if the adversary is capable enough.


And pretty much most of these exploits are targeted attacks already.


The better they get at emulating quirks of Office the more open to this kind of stuff they get.


I think, in general, it's prudent to not open any files from strangers unless you're expecting said files.


exactly. the lesson could even be "don't open * from anyone, especially strangers."

you can get code to execute in all sorts of presumably innocuous file types.


Plaintext is likely to be OK, however; that is, if you're using a "dumb and simple" true text editor and not one that tries to do fancy things like parse the text and perform syntax highlighting.


Has anyone audited "less" on Unix recently? These days it does a whole bunch of magic stuff under the hood to show special formats "correctly."


I have been known to use Python's IDLE with suspect text documents, not because it's bulletproof, just because the user base has to be super low. (As a text reader.) f = open('suspect.txt', 'r'); print(f.read())


Would the UNIX utility `cat` fall into that category?


cat is probably safe. I would be concerned about the terminal you are running it in though.


`cat -A` works for terminal-safety
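The terminal concern above in code, as an added example that is not from the thread: a Python equivalent of `cat -A` that turns every byte a terminal might interpret into visible caret/M- notation before it is printed, so a file can be read without its contents ever reaching the terminal's escape-sequence parser. The function names and the sample bytes are constructed for the demo.

```python
"""Terminal-safe rendering of untrusted bytes, modelled on 'cat -A'.

Added example, not code from the thread. A terminal parses ESC (0x1b) and
C1 (0x80-0x9f) control sequences in anything written to it, which is why
'cat' of an untrusted file is only as safe as the terminal behind it.
Mapping every such byte to a visible form keeps the escape parser idle.
"""


def make_terminal_safe(data: bytes) -> str:
    """Return text in which no control byte survives: ^X for C0 controls
    (so tab becomes ^I and ESC becomes ^[), '$' before each newline, ^? for
    DEL, and M-... forms for the high half, matching GNU 'cat -A'."""
    out = []
    for b in data:
        if b == 0x0A:
            out.append("$\n")                     # mark end-of-line, then a real newline
        elif b == 0x7F:
            out.append("^?")
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))       # 0x1b -> ^[ , 0x09 -> ^I
        elif b < 0x7F:
            out.append(chr(b))                    # printable ASCII passes through
        elif b == 0xFF:
            out.append("M-^?")
        elif b >= 0xA0:
            out.append("M-" + chr(b - 0x80))      # high printable -> M-x
        else:
            out.append("M-^" + chr(b - 0x40))     # C1 controls 0x80-0x9f -> M-^@ .. M-^_
    return "".join(out)


def safe_view(path: str, limit: int = 1 << 20) -> str:
    """Read at most `limit` bytes of a suspect file and render them safely
    (the cap is an assumption so a huge file cannot flood the terminal)."""
    with open(path, "rb") as fh:
        return make_terminal_safe(fh.read(limit))


if __name__ == "__main__":
    # Constructed sample: ANSI colour, a tab, and a raw 8-bit CSI (0x9b) clear-screen.
    sample = b"\x1b[31mred\x1b[0m\tdone\x9b2J\n"
    print(make_terminal_safe(sample))
```

`cat -A` is GNU coreutils; on BSD and macOS the same effect is `cat -vet`. Either way the safety comes from the terminal never seeing a raw ESC or C1 byte, which is also why `less` (with its own escape handling) and "smart" editors deserve more suspicion than a plain byte dump.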


Unfortunately, opening and forwarding random PowerPoint presentations is all some of my relatives do on their computers.


This is even more problematic, as all it takes is for someone to be enticed into opening one which silently installs malware, and then they'll think it's "perfectly fine" and forward it to someone else who trusts them.


Get them to use OpenOffice or LibreOffice instead of MS Office, as most attacks will be directed towards vulnerabilities in MS Office.


>4. If you have Window’s User Account Control feature enabled, it’ll throw up a prompt asking if the file is okay to execute. If you aren’t 100% sure that the file is legit, avoid doing so.

If opening a PowerPoint file throws up a UAC prompt, that is such good evidence that the file is not legit that your prior estimate of it being legit realistically cannot be close enough to 100% to override this evidence.

So, if opening a PowerPoint file or other office document throws up a UAC prompt:

1. Say No.

2. Warn the person who sent you that file and other people who could receive it. If you created this file, or if you opened it before and it did not throw a UAC prompt, that means that your system is probably infected and maybe all your other documents are infected; warn other people about it.

3. Send this file to VirusTotal.

4. Run an antimalware check on your machine with a free tool from a legitimate antivirus vendor (such as Dr.Web CureIt, Kaspersky Virus Removal Tool, Microsoft Windows Malicious Software Removal Tool). If VirusTotal told you that some vendors already detect that file as malicious, use the tool from one of those vendors you trust more. Otherwise, prefer a vendor which is not the vendor of your currently installed antivirus, then wait until VirusTotal detects malware in your file, and repeat this step.


I think I was a minority who loved UAC as it existed on Vista. I didn't mind the OS saying "hey, something is happening, pay attention."


You were a minority. 95% of users had no idea what they were being asked to confirm and just clicked OK to make the box go away.


Important for anybody running powerpoint conversion servers to apply this patch (myself included, looking into it now).

https://support.microsoft.com/kb/3010060


This is yet another argument for using HTML5 as much as possible instead of proprietary formats for public document interchange of formats fancier than plain text. Although you might have to give up some fancier features, you can get a near-equivalent of PowerPoint, Word, and Excel from HTML5 with a lot less risk and a lot more cross-platform availability for the people you send it to.


I give a lot of talks, and would move to HTML5 presentations in a second -- but the editing tools just aren't there yet. Sometimes I really just want to draw some shapes and show the relationships between them without having to go to a separate editor for that.

The best tool out there right now is http://slid.es but it doesn't come close to letting you represent things visually.


There are tools that let you draw on the screen, no matter what other applications are running. At least there are such tools for Linux, but I'd guess there also would be one for Windows. Heck, I'd guess there is such a tool as a browser bookmarklet. If not, tell me and I'll write you one (would support Chrome and Firefox and maybe, just maybe, IE11 (canvas+pointer-events:none)).


Right about the editing tools. I'm hoping that security exploits such as this will cause governments and big corporations to start demanding safer document formats (especially for public or other widespread data interchange), which will drive the market for better editing tools. I certainly agree that ease of creation is a major limiting factor right now.


This reminds me that MS used to have an export to HTML feature in PowerPoint, but it was very IE specific and they removed it in PowerPoint 2010 I think instead of fixing it. This is also true for Word/Excel, to the point that even in the 2013 release you can set it so that it generates HTML that even MS's own IE10 won't render properly.


You expect office workers who get confused when an icon is moved to understand and use CSS for layout? Probably even Latex is easier for this.

And how can HTML5 do anything that Excel can do?


1) I don't expect office workers to directly edit CSS any more than I expect them to directly edit the PPT file format. In both cases, they need GUI editors. PPT already has a good one; we need something similar for HTML5 presentations.

2) HTML5 can't do "anything Excel can do", which is why I didn't say it could. But a Google Drive spreadsheet can cover the needs of the great majority of people who need to publicly distribute spreadsheet documents.

There are definitely quantitative analyses that I would much rather do with Excel than with Google's HTML5 spreadsheet, but it's very uncommon to publicly distribute complex spreadsheets, and I'm talking about document interchange formats. The kind of spreadsheet you might embed on half of a page of a presentation is the kind of spreadsheet that HTML5 could easily handle.


Embedding xls in ppt sounds like a good idea. At the moment, though, the only two use cases I can think of are: (1) Inadvertently generating Powerpoints that are far too large, or (2) Making it easier for attackers to take over your system.


OLE/COM allowed me to use some flash animations as part of a powerpoint about a decade ago... Also, being able to chart live graphs from excel isn't a bad thing. All of that said, I don't regularly use PowerPoint, and MS has at least been forthcoming with the issue (far better than in the past)


Interestingly, the use of Flash exploits eventually became common enough (it was used to hack RSA for example, I think) that Adobe went out of their way to detect older versions of Office and throw up a warning message.


Yeah, I worked in a company that had a legitimate reason to be able to save state (to the local file system) from Flash before there were storage solutions inside of Flash (around versions 4 to 6, iirc); a COM injection bug was used to access the filesystem. After I saw what could be done (COM injection), I promptly disabled Flash on my own computers.


Would opening them in Google Drive sanitize them?


Their converter probably has its own share of vulnerabilities, but the most it could probably do is start executing JS.


But probably in the context of your Google account: it can access and maybe manipulate all your Google Drive files. Maybe access mails in your GMail account? Probably not (other domain).


Random?


Just wow.


PSA: Don't use Microsoft products.


That's an unrealistic PSA at this point in time. Too many people are invested in Microsoft products to just walk away. Instead, a constructive and helpful PSA would be "Don't open attachments unless you both expect them and know who sent them, and even then, probably don't open them."


PSA: Don't use Microsoft products



