Office Assistant Security Threat? (OfficeXP)

Topic

New Reply

Is it true that the Office Assistant in OfficeXP or Office97 can be a security threat? I heard the code it uses can be used by viruses or a hacker. Was there any mention of this in any Woody’s newsletters?

I read the securtiy memo from MS about the Office 2000 (not 97) UA Control being mistakenly labeled as safe for all scripts. This allowed it to play malicious scripts as well that could be planted from a web site or HTML document sent to the user. Ok, they put a patch out for it.

So, what about version XP of Office. Is the threat still real?

LennyJohn

Reply | Quote

Replies

In Office 2000, for sure, there was a security patch for the Help files. It wasn’t office assistant per se. You know those “show me” hyperlinks in the help file. Apparently, someone might hack in & use it to run malicious code. The patch disables this. I’m not sure about Office XP, but I’m sure it was covered, if not by the original version, then by the service release.

Reply | Quote

Thanks for the info, Phil. I also understood the security patch to be for the help files and not the OA itself. I have not read of any specific security threat from using the OA specifically.

I have a feeling this IT person is simply predjudiced against the OA for the nusiance it was in 97, and is looking for reasons to not load it in XP. I’ll try to find out more information from him, however, and let you know.

Thanks,
Lenny

Reply | Quote

Two questions…

1) Does Office XP have “show me” feature at all in the help files? I can’t find any. That alone would tell me the old security issue is not relevant any longer.

2) Do you think past articles about the UA security problem might have mislead some into thinking the OA itself is a security threat? It seemed some journalists tended to specifically cite the OA as the problem. I’m sure it sounded more interesting than the truth. Later in the articles, they vaguely disclose the problem is in the help files’ “show me” feature. But by that time, they had sensationalized the OA being the problem so much, readers may not catch the truth – or even care because people love bashing the Office Assistant.

For example, check out this article…
http://zdnet.com.com/2100-11-520809.html?legacy=zdnn

-Lenny

Reply | Quote

Hi Lenny:
Sorry, I don’t know; I don’t have Office XP (or is it 2002).
Cheers,

Reply | Quote

It’s Office XP, but the individual apps are Word 2002, Excel 2002, etc. Go figure.

Reply | Quote

Or, to split hairs, Office 10.0, Access 10.0, etc….

Reply | Quote

Well, yeah. And it’s only been since Office 95/7.0 that the app versions agreed with the Office versions!

Reply | Quote

… and how version numbers suddenly matched is a whole ‘nother story!

-Lenny

Reply | Quote

Oh yeah! Can you say “brute force”? Sure you can. Access was about the worst, jumping from 2.0 to 7.0 in one swell foop.

Reply | Quote

Right. It’s a kick hearing a person brag he’s used Access since version 3.

Reply | Quote

He’s probably getting Office and Windows mixed up. Access 2.0 came out during the reign of Windows 3.x. It happens even now with Windows 98, where people will insist they’re using Office 98 … on a PC.

Reply | Quote

As noted, you can help confuse matters further by trying to correlate each version of Office with which version or versions of Windows were current at time that version was released. Far as I know only direct correlations are Office XP/Windows XP and Office 95/Windows 95, dedicated “Office 98” users (non-Mac) notwithstanding. The less than logical way MS changed Windows naming conventions (ie, 95 > 98 > ME while NT 4 > 2000 then XP) helps to clarify matters.

Reply | Quote

Especially when you consider that NT was Windows version 5.0 and Win2000 is version … 5.0 … and XP is … they ran out of numbers?

Reply | Quote

Guess not:

Reply | Quote

Aaah! I see, Windows NT is 5.0.x and Windows 2000 is 5.0.x, but Windows XP is 5.1.x! They only ran out of *version* numbers, not major and minor build numbers.

Reply | Quote

Don

Reply | Quote

Not Office.Net. Somebody else owns that name.

Reply | Quote

[indent]

---

Somebody else owns that name

---

[/indent]
I find that hard to believe. Well then MS will just have to buy them out…

Reply | Quote

[indent]

---

I find that hard to believe. Well then MS will just have to buy them out…

---

[/indent]
‘Tis the truth according to Woody.

Have a gander at http://www.woodyswatch.com/office/archtemplate.asp?v7-n05%5B/url%5D

Reply | Quote

Thanx for clarification. If this is indeed the case then MS will simply have to buy the US Patent & Trademark Office.

Reply | Quote

[indent]

---

MS will simply have to buy the US Patent & Trademark Office.

---

[/indent]
Wouldn’t surprise me in the least if they tried

Reply | Quote

Bryan. Thought I recognized you …

Reply | Quote

Can’t say I regognize you McGinty.

Where from?

Reply | Quote

Hey Bryan:
Nice to see you here.

Reply | Quote

Thanks Phil.

Hopefully life doesn’t become to crazy and I can stay.

Reply | Quote

1) I think most users would agree that the help files have gone downhill considerably from 97 to 2000 to 2002/XP – I have yet to run across a show me page in XP.

2) that article is old (office 2000), and a fix for the problem was released over 2 years ago. The bigger issue with help is that it is essentially a HTML structure, which means you are viewing it with IE (or at least pieces of it), which is full of security issues.

Reply | Quote

Thanks for the info. Even if the help files pose security issues, NOT installing the OA won’t help matters any, will it? It seems the issue is with the help files, not the OA.

Unfortunately, that old security bulletin that only had to do with version 2000 still has some IT people alarmed and confused about the security of the Office Assistant. What they fail to realize is that the problem back then was not in the OA but in some scripted features of the help files like the Show Me links.

That could be because the OA got the blame in many articles, like the one I noted. It sounded funny to bash the OA (Clippy) in print, but that mislead many people to think they should never install the OA in the future.

So, now I have the job of convincing an IT person that it is NOT a security threat to install the OA in Office 2002. But, it’s like talking to a brick wall because he’s so conviced it is a threat. He keeps citing that old security problem that had nothing to do with the OA.

-Lenny

Reply | Quote

Can you put ’em on the defensive by saying that if the problem hasn’t been solved, there must be either (1) a Security Bulletin or (2) Knowledge Base article specific to Office XP, and challenging him/her to find it?

Reply | Quote