“Common knowledge” was that CSV files were safe - just plain text, right?
Wrong. Not even safe with Google Docs.
Hunh, having dealt with enough stupid data in CSV files I actually knew some of this without knowing it was something not everyone knew.
OTOH, in my prior jobs accepting crappy files from unknown sources was part of the job description. I should have had my own firewall along with the salesdroids.
I trade in CSV files all the time, but I’m usually the one creating them from a database, or importing them into a DB without Excel in the mix, so I’ve never really considered it. I do have to watch out for SQL injection, and Excel being stupid about auto-converting column formats though.
Hah, most of mine weren’t created so much as spawned. Spit out by a database at location X, zipped, and password protected, then opened in excel, sent to someone using only notepad on their phone, sent to someone who opened it in google docs, who printed it and then scanned it and zipped password protected everything again. Then opened up as a PDF, converted to a word file and then stripped by some over zealous IT dude down to a CSV and sent to me… without headers or a data dictionary.
This sounds familiar.
“I’ve got it! Browser Helper Objects! They’ll make Internet Explorer more functional and useful. Oh, BHOs are allowing too much access to the system. Better shut them down.”
“Here’s another idea. Let’s leave all the ports wide open on the computer. Oops. Something got in. Shut that port. Another thing got in. Shut that one, too. Ugh. Another one. Better shut all of them off.”
1 Like
I feel like it’s more, “Better have a separate process that acts as a firewall.”
I guess it’s trivial to have a (well-written, integrated) firewall running as a service/daemon/tsr/whatever nowadays, but I do sometimes wonder if the Classic MacOS did something “right” in that it basically didn’t have ports open unless you specifically asked for them to be open, and ran a very minimal OS by modern standards.
OTOH, macOS does a lot of cool stuff, and I don’t miss troubleshooting extension conflicts.
That’s it. I’ll use this attack vector the next time some alien bigwig drops by and decides to exterminate all of us. 
But seriously, it is scary as I frequently use CSV files… Meh.
Fortunately it doesn’t work at all with Numbers (hey, what does work?) but yeah, if that exploit happens with both MSOrifice and Googleshits then this could be… interesting.
I don’t know? What does work with Numbers??