Too good to be true?

Olinda99

There may be a race to the bottom but there is also a lot of scaremongering

Office 2007 is perfectly safe to use, as is Photoshop CS3 or Adobe Audition V1 or whatever.

Yes it has vulnerabilities (as do most versions) but to exploit these you need to do silly things eg open a malware loaded word file emailed to you by a hacker.

Indeed your link to CVE-2017-.11882 et al refers to remote code execution on Windows 7 and 8.1 and requires you to open a specially crafted office file sent to.you. The vulnerability is not present in W10 or W11 and does not occur at any time if you use Office 2017 to write your own documents, spreadsheets etc.


And there is no way anyone can access your W10 or W11 PC while you are asleep and connected to the internet unless, of course, you have malware on that PC or hsve set it up to enable it to be accessed.

Grandad2b

CaptainWales said:

Hi 

I've seen this Microsfot Office on Wowcher Microsoft Office Home & Student 2019 Voucher - Wowcher which seems to be heavily discounted from normal RRP. Does this seem too good to be true? 

Nothing from Microsoft is worth the cost. Except maybe their mice. 
If you need office software take a look at OpenOffice or LibreOffice. Both are free. I've been using LibreOffice for at least 10 years.
If your work needs you to use Microsoft they should pay for your licence.

Grandad2b

Neil_Jones said:

CaptainWales said:

Why would I need the latest office software? 

As software (particularly high profile software made by the likes of Microsoft and other big companies) becomes older and drops out of support security holes become exposed in it which (the theory goes) can ultimately be used to compromise the system.

Of course the bulk of these usually involve the user having to be proactive (or do something stupid) to make them possible in the first place (and may be wider issues in Windows, which is more the case when a hole affects a few versions of the same software).

Plus of course more recent versions of Office do things that older versions don't.  You're sort of committed in one regard especially to Publisher, because once you save something in the latest version of it, you can't open it in anything older.

Ahhh, yes. Publisher. That's the crack cocaine application. I'd forgotten.
Never understood why anyone ever uses it but there you go.

onomatopoeia99

k_man said:

[Deleted User] said:

movilogo said:

Majority of people's need is still perfectly served by Office 2007, which does not even require activation.

It's like a race to the bottom sometimes on these forums to see who has got the most outdated software.

How can you say the majority of people's needs are still perfectly served by Office 2007? Mine aren't and 800 people I know that work at my company definitely aren't.

Olinda99 said:

400ixl said:

So you are quite happy if someone exploits one of the hundreds of unpatched and known exploits to empty your bank account? Not even close to best describes using software that old if the device is ever connected to the internet.

Just use online Microsoft Office which is free, up to date and a lot more secure if cost is your primary driver.

Tell you what - I'll write a letter to me mum using Word 2007 and you empty my bank account....

I don't mind drivel on here - it's par for the course on fora but I draw the line at absolute total drivel.

That bit in bold really shows the general naivety about security exploits.

In one sample in Germany in 2019, 73% of the malware attacks were exploiting one particular Office 2007 vulnerability that allowed a hacker to run any code whatsoever on the target machine:

https://www.mimecast.com/blog/ms-office-2007-exploit/

In the top 10 most exploited vulnerabilities from 2016-2019 - yes you've guessed, Office 2007 is number 1 ...and numbers 2, 4, and 9.

https://fossbytes.com/top-10-most-exploited-vulnerabilities-past-3-years/

Think it doesn't happen to you? People of this forum have lost all their data due to hacking and they didn't click anything or download anything dodgy, they were asleep when it happened, all that was needed was a switched-on device connected to the internet.

I left my front door unlocked once when I went on holiday for 2 weeks, and not a single thing was stolen, is ok to do that all the time?

@[Deleted User], can you clarify the bit in bold and how it relates to out of date Office etc?
Wouldn't something need to be clicked/opened to enable the hacking?

I would also be interested in this to understand the vector used to propagate this attack.

If my desktop PC is switched on at home and I'm asleep, the only way I can conceive that malware could arrive and get installed is if it was something that came by email and targeted an exploit in the MUA I'm using so it gained control immediately the email was received, and it was zero day so the malware detection on both the MTA and the PC didn't have a signature.

[Deleted User]

onomatopoeia99 said:

k_man said:

[Deleted User] said:

movilogo said:

Majority of people's need is still perfectly served by Office 2007, which does not even require activation.

It's like a race to the bottom sometimes on these forums to see who has got the most outdated software.

How can you say the majority of people's needs are still perfectly served by Office 2007? Mine aren't and 800 people I know that work at my company definitely aren't.

Olinda99 said:

400ixl said:

So you are quite happy if someone exploits one of the hundreds of unpatched and known exploits to empty your bank account? Not even close to best describes using software that old if the device is ever connected to the internet.

Just use online Microsoft Office which is free, up to date and a lot more secure if cost is your primary driver.

Tell you what - I'll write a letter to me mum using Word 2007 and you empty my bank account....

I don't mind drivel on here - it's par for the course on fora but I draw the line at absolute total drivel.

That bit in bold really shows the general naivety about security exploits.

In one sample in Germany in 2019, 73% of the malware attacks were exploiting one particular Office 2007 vulnerability that allowed a hacker to run any code whatsoever on the target machine:

https://www.mimecast.com/blog/ms-office-2007-exploit/

In the top 10 most exploited vulnerabilities from 2016-2019 - yes you've guessed, Office 2007 is number 1 ...and numbers 2, 4, and 9.

https://fossbytes.com/top-10-most-exploited-vulnerabilities-past-3-years/

Think it doesn't happen to you? People of this forum have lost all their data due to hacking and they didn't click anything or download anything dodgy, they were asleep when it happened, all that was needed was a switched-on device connected to the internet.

I left my front door unlocked once when I went on holiday for 2 weeks, and not a single thing was stolen, is ok to do that all the time?

@[Deleted User], can you clarify the bit in bold and how it relates to out of date Office etc?
Wouldn't something need to be clicked/opened to enable the hacking?

I would also be interested in this to understand the vector used to propagate this attack.

If my desktop PC is switched on at home and I'm asleep, the only way I can conceive that malware could arrive and get installed is if it was something that came by email and targeted an exploit in the MUA I'm using so it gained control immediately the email was received, and it was zero day so the malware detection on both the MTA and the PC didn't have a signature.

Lots of malware can propagate without user interaction, typically those classified as "worms" can infect, replicate and propagate without any user interaction.

WannaCrypt in 2017 was a famous example of this, NHS was badly affected due to using supported but unpatched operating systems. Nobody clicked on anything, it didn't propagate via email.

It used the EternalBlue vulnerability along with the DoublePulsar tool to exploit the SMB protocol on network-attached computers - didn't even need internet access to spread on internal networks.

The first infection was identified in Asia and just 6 hours later it hit the NHS. Worldwide, many high-tech companies were affected too, not just outdated NHS systems.

This Microsoft article discusses how it didn't spread via people clicking on things on emails or downloading.

k_man said:

[Deleted User] said:

Think it doesn't happen to you? People of this forum have lost all their data due to hacking and they didn't click anything or download anything dodgy, they were asleep when it happened, all that was needed was a switched-on device connected to the internet.

@[Deleted User], can you clarify the bit in bold and how it relates to out of date Office etc?
Wouldn't something need to be clicked/opened to enable the hacking?

This explains the bit in bold, nobody clicked anything - the devices have no keyboard or mouse!

https://www.bleepingcomputer.com/news/security/wd-my-book-nas-devices-are-being-remotely-wiped-clean-worldwide/