Office

In the last few days, I upgraded my work laptop to Office 2008, the latest version of Microsoft’s office suite for Mac OS X. I was looking forward to the Universal binaries (no more sluggish performance due to Rosetta) and Office 2007 file format compatibility. I did get those, but what I also got were some really ugly icons.

So, I did what any enterprising Mac user would do. I replaced them with a new set.

Here’s what the new icons look like:

I found the replacement icons here; look for the set titled “HLD V2 by Henri Liriani”. The icons are well designed and come in a variety of sizes. Upon unpacking the downloaded file, I simply took the .ICNS files in the package and replaced the original files in the application bundles.

For example, right-clicking on Microsoft Entourage and selecting “Show Package Contents,” opening the Contents folder, then opening the Resources folder will show where the new icon needs to be copied. The original icon is in a file named Entourage.icns. Rename this file (just in case you need the old one) and replace it with the downloaded version, making sure that you name the downloaded version with the same original name. Poof—Entourage now has a new icon.

For the other applications, the files to replace are:

Microsoft Word/Contents/Resources/MSWD.icns
Microsoft Excel/Contents/Resources/XCEL.icns
Microsoft PowerPoint/Contents/Resources/PPT3.icns

Replace each of these files, keeping the filename intact, with the new versions.

Once that’s done, you too can enjoy much more pleasant Office 2008 icons!

This past Friday, the Microsoft Security Response Center blog posted a notification about Microsoft Security Advisory 932553, which describes the specific issue and the attacks around that issue.

More information on the issue is also available from this Secunia advisory and from US-CERT.

There are two interesting things to note (interesting to me, at least):

• First, this is an Office vulnerability, not a Windows vulnerability.  Therefore, as correctly pointed out in the security advisories, Office 2004 for the Mac is also affected.
• Second, although the current attacks are targeted against Excel, this vulnerability extends to all Office documents.  This means that other forms of attack could be forthcoming in the near future until the underlying flaw is addressed.

As with some of the other zero-day attacks I’ve discussed here, it looks like the only workaround available at this time is to not open Office documents from untrusted sources.  In fact, it would probably be best not to open any unexpected and/or unsolicited Office document from any source, trusted or otherwise.

Other related links:
MS warns of Excel ‘zero-day’ attack - MacNN
New Zero-Day Threat Excels - eWeek

I spent the entire day trying to create a professional looking network diagram for a customer who recently installed an iSCSI-based SAN (a Network Appliance storage system, by the way).  I didn’t want generic rectangles and boxes; I wanted nice icons.  Preferably vendor-specific icons.  Is that so much to ask?

I visited Graffletopia, which is to OmniGraffle (I use OmniGraffle Professional) what Visio Cafe is to Visio.  Unfortunately, I wasn’t able to find very many helpful stencils.

Realizing that OmniGraffle Pro (OGP) reads/writes Visio XML files, I thought then that I might be able to export Visio stencils into a form that I could use on my Mac.  Alas, no; OGP wouldn’t read them.  Finally, I settled into manually creating my own OGP stencils from selected items in the Visio stencils, and was finally able to piece together a diagram that was decent.  At some point I may post the OGP stencils I’m creating for my own use out on Graffletopia for others as well, provided the original author is amenable to the idea.

In the meantime, I’ll continue plugging away at laboriously converting Visio stencil items to OGP stencil items.  Here’s the process I’m using:

1. Place a single item from a Visio stencil onto a blank Visio diagram and save that diagram as a PNG image.
2. Move the PNG image to my Mac and copy the contents of the PNG to the clipboard.
3. Paste the image into a stencil in OGP.  Tweak the size, connection points, etc., until I’m satisfied.
4. Repeat as needed.

Given that VMware Fusion’s ability to drag-and-drop from the guest back to the host isn’t working (Did it ever work?  Or am I imagining things?), step 2 above is more laborious than it should be.  Oh well, it could be worse.

Is there a faster process for this?  Anyone know?

More information on the various zero-day exploits can be found at the following web sites:

New Report of A Word Zero Day
<http://blogs.technet.com/msrc/archive/2006/12/10/
new-report-of-a-word-zero-day.aspx>

Double Trouble: Microsoft Confirms Another Word Zero-Day Flaw
<http://www.eweek.com/article2/0,1759,2071558,00.asp>

Third MS Word Code Execution Exploit Posted
<http://www.eweek.com/article2/0,1759,2072969,00.asp>

Exploit Code Targets Third Microsoft Zero-Day Word Bug
<http://www.darkreading.com/document.asp?doc_id=112974
&f_src=darkreading_section_318>

As before, the advice on protecting yourself is don’t open Word documents from any source, trusted or untrusted.  Kind of puts the kibosh on the whole sharing-documents-via-email thing, doesn’t it?

Microsoft has started alerting customers of the new Word zero-day attack via a posting on the MSRC blog and by posting Microsoft Security Advisory 929433, which describes the attack, the vulnerability, and suggested actions.

Unfortunately, at this time, there are no workarounds for the attack other than “don’t open untrusted Word documents.”

There is no indication currently if Microsoft will release a patch for the vulnerability being exploited in this attack in next week’s scheduled monthly patch release.

A couple of more “mainstream” technology sites have picked up the notification of the attack as well; both eWeek and MacNN have posted brief articles on the zero-day attack.

News of the unpatched PowerPoint vulnerability (via eWeek) comes after a summer-long struggle to contain vulnerabilities in Microsoft Office, the office suite that maintains a venerable monopoly in the market.  As with previous PowerPoint exploits, this one uses a rigged PowerPoint file to install a backdoor application.  I found some additional information available from Symantec; read that here.

Similarly, another exploit has surfaced for Internet Explorer.  This exploit takes advantage of a flaw that was supposedly brought to Microsoft’s attention back in July and apparently still remains unpatched.  Fortunately, additional information on the IE vulnerability is available; here are some relevant links:

SecurityFocus:  Microsoft Internet Explorer WebViewFolderIcon Buffer Overflow Vulnerability
osvdb:  Microsoft IE WebViewFolderIcon setSlice Overflow

No word yet on any workarounds for this vulnerability or the published exploit.

Finally, in slightly related news…a couple of days ago Microsoft released an out-of-band patch (MS06-055) for the VML vulnerability I mentioned last week.  As usual, it’s available via Windows Update, WSUS, and various other distribution mechanisms.

My rudimentary “document management system” is comprised of a variety of technologies, some built into Mac OS X and some added on via separate third-party applications.  At the core of the system is Spotlight, the search engine that is the object of a love-hate relationship with many Mac users.  Despite Spotlight’s shortcomings, it is still a very useful tool to have.  (I will have to admit that I am sure I am still not taking full advantage of Spotlight’s abilities.)

On top of Spotlight I’ve added a number of pieces:

• Spotlight comments in Finder:  I place relevant information in the Spotlight comments in Finder so that the Spotlight engine can find and index these comments.  Keywords/tags are separated by spaces and surrounded by brackets (i.e., “[Macintosh Security]”) and additional comments—such as a brief description of the document—follow immediately thereafter.
• Project-specific keywords/tags:  I have project-specific keywords/tags for the major customer projects in which I am involved.  For example, if I were handling an Exchange migration for XYZ Widgets, my project-specific keyword would be “Proj:XYZ-ExMig”.  This makes it incredibly easy to locate documents relating to a specific document.
• MailTags:  MailTags, a handy add-on for Mail, lets me apply some of the same metadata to my e-mail messages as to my file system.  Then, when I assign a particular message to a project (using the same naming convention as my project-specific keywords mentioned above), I can search for both project-related documents and project-related messages with a single Spotlight search.
• Keywords/Tags in Address Book and iCal:  While not specifically related to document management per se, using the same keywords/tags on Address Book contacts and iCal appointments further unifies the structure and makes it easier to see all related resources.  In addition, it also makes it easy to use the Spotlight system service to find related documents when viewing a contact or an appointment.
• Automator workflow for adding Spotlight comments:  To help streamline the process of adding these comments to files in Finder, I’ve added an Automator workflow that prompts me for the text to add to the Spotlight comments and then either appends that text to the existing comments or replaces the existing comments with what I specify.  This makes it easy to tag large numbers of documents at the same time.
• Microsoft Office metadata:  I also fill out the metadata for all Office documents (via File > Properties).  This is something I’ve been doing for years (since the introduction of the “Find Files” command in Word for Windows 2.0, circa 1994-1995), so it’s very natural for me.  All of the Office applications are configured to automatically prompt me for document properties when I save a new document.  In the document properties, I specify the same keywords/tags as in the Spotlight comments as well as author, manager, title, description, etc.
• Saved searches:  To help group together documents, I use a small selection of saved searches—aka Smart Folders—based on raw Spotlight queries.  Using raw Spotlight queries allows a finer level of control over what items are returned by the search.  For example, the following Spotlight query shows me only active project-related documents:

  (kMDItemFinderComment =*Proj*) && (kMDItemFinderComment != *Inactive*)

  I’m still fine-tuning my use of raw Spotlight queries, trying to make sure that I stick to indexed metadata so that Spotlight doesn’t have to perform a real-time search everytime I open the Smart Folder.  I’d appreciate anyone who has some tips there to share them in the comments.

So, based on my own personal workflow and these additional tools, it’s easy for me to create a new project-related document (say, a migration plan or a network diagram), attach the associated metadata (either manually or via the Automator workflow), and have easy and quick access to the document afterward, without really having to pay too much attention to where I saved the document.

I do still use regular old folders (directories) in Finder as well; I’m not sure if that’s a holdout of the “old school” way of doing things, but I’m just not ready to completely give up traditional folders just yet.

Changes and/or additions that I’m considering adding include:

• Using Quicksilver’s “File Tags” plug-in:  As my use of Quicksilver has continued to increase (I’m hoping to now start using it to track and access my del.icio.us bookmarks, since Cocoalicious went belly up), I’ve also explored the use of Quicksilver for tagging.  My main concern with Quicksilver’s tagging module is the need for a prefix that is added to every tag.  Right now I don’t use any sort of prefix, and you can’t (unfortunately) tell it not to use a prefix.  Perhaps I’ll use Quicksilver to create a trigger for my Automator workflow…
• Changing keyword/tag format:  Partially because of Quicksilver (see previous bullet), I’m thinking of adding some sort of prefix to denote keywords/tags as such, instead of just part of the Spotlight comments or the document’s content.  The idea is that searching for “@Proj:XYZ-ExMig” would get only files tagged as such, not all items that may have that content inside them.  I still haven’t quite decided on this one.  Anyone have any thoughts?  Would it really be worth the effort?

So, there you have it…my homegrown document management system.  I’m open to suggestions for improvement or additional tools to make it more effective.  What am I missing that could make this better?

This new zero-day vulnerability has only been confirmed on Word 2000, but may also work on newer versions of Word as well.  Security firm Secunia has issued an advisory with more information.  eWeek is also providing information on the newly discovered vulnerability.

Fortunately, anti-virus vendors are on top of this one; Symantec already has information on the malicious software that is being installed by the exploit of this vulnerability.  The threat factor posed by this malware is fairly low, but could rise if this vulnerability continues to be exploited actively.

To protect yourself, there are only a few things you can do:

• Don’t open untrusted documents.  If you weren’t expecting the Word document from a known colleague, it may be best to not open that attachment.
• Keep anti-virus signatures up to date.
• Switch to OpenOffice.org.  (Hey, don’t laugh.)

Education is important in larger organizations, so spread the word.  Somehow I doubt that your organization is interested in having its proprietary and confidential data compromised because someone wanted to open a Word document from unknown sender.

This MSRC blog posting outlines the patches that were released last Tuesday, and provides links to the security bulletins for each patch.

<aside>An interesting statistic:  according to this article, Microsoft has released more patches in the first 8 months of 2006 than in all of 2004 and 2005 combined.  I don’t know if that makes me feel more secure—in that they are patching more vulnerabilities instead of not patching them—or less secure.</aside>

The MS06-040 bulletin is the one critical patch that is really getting everyone’s attention; this is the one that is deemed to be “wormable,” capable of creating a self-replicating worm such as Blaster or Slammer.  In fact, there were reports of limited attacks using the exploit patched by MS06-040.  According to a follow-up posting on the MSRC blog, these attacks were limited in nature and only affected Windows 2000 (see this MSRC posting as well).

Fortunately, the MS06-040–based attacks are fairly straightforward to defeat, especially for traffic coming from the Internet.  By blocking TCP ports 139 and 445 at the perimeter, these attacks are defeated.  Of course, that does nothing for the kind of internal infections that were so common with Blaster (which was often carried in by a laptop and then spread behind the firewall).  This article has more information on protecting against the MS06-040 attack.

One other patch (examined in more detail here) fixes the zero-day PowerPoint exploit that garnered attention back around the middle of July.

Because exploit code already exists for both of these vulnerabilities, many security experts are recommending that organizations give priority to getting these patches rolled out to affected systems.

The zero-day exploit takes advantage of a previous unknown vulnerability in PowerPoint to install a Trojan Horse application.  The vulnerability affects PowerPoint 2000, 2002, and 2003 running on various flavors of Microsoft Windows; it is unclear at this time whether Macintosh versions of Office are affected.  Based on what is known of exploit, it seems unlikely that Macs could be affected by the exploit, but that is not to say that the vulnerability doesn’t exist in the Mac versions of Office.  (Keep in mind that a vulnerability isn’t the same as an exploit.)

More information is available at the following links:

• http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx
• http://www.microsoft.com/technet/security/advisory/922970.mspx
• http://www.securityfocus.com/bid/18957
• http://securityresponse.symantec.com/avcenter/venc/data/trojan.ppdropper.b.html
• http://secunia.com/advisories/21040/
• http://isc.sans.org/diary.php?storyid=1484
• http://securitytracker.com/alerts/2006/Jul/1016496.html
• http://blogs.securiteam.com/?p=508
• http://www.kb.cert.org/vuls/id/936945

Simple filtering for PowerPoint files at the perimeter based on file extension is insufficient; Windows will open files in PowerPoint if they have a correct PowerPoint file header but an incorrect extension.  If your anti-virus vendor has released updates to check for infected/affected PowerPoint documents, be sure to install that update and vigorously check all incoming PowerPoint documents.

Now that Word, Excel, and PowerPoint have all had their zero-day exploits, which Office application is next?