March 5th, 2002, 09:10 PM
Protecting Yourself From Macro Exploits
the idea for this tut came to me thusly....
i had an xls file in one of my users' attachment file directories. had no idea what it was...and didn't want to delete it without checking it out...it scans fine with NAV...but i was extremely uncomfortable opening it without knowing the source...(as in...no way not gonna do it...)..so i thought i'd see if there were some 'viewer' progs out there...and there are...they are at M$
so how do these viewers, which are basically written to allow users without copies of word, excel and powerpoint to view documents, help us with macro security?
macro exploits are bits of code attached to Word, Excel and PowerPoint documents. in the old days a macro was something like a simple script or batch file, and they were dangerous enough, but now they are written in VBA (Visual Basic for Applications). VBA is a very powerful language, in the sense that you can do pretty much anything with your computer using it: a sufficiently skilled coder can modify registry settings, rename and delete files, send information out from your computer and even format your hard drive.
most often, but not always, these macros are set to run when the file is opened for the first time. the macros can modify the default templates (eg. normal.dot) for the program so that the exploit is loaded every time the program is run, or they can keep track of the number of times they have run, or of the date, in order to trigger another bit of code later.
what to do
ok...first....stop using outlook...really...but if you must...or have no choice (corporate or edu rules) make sure it's patched. we've seen studies showing something like 90% of outlook and OE users are running unpatched software.
have AV software which is up to date and set to scan documents when they are opened. Office 2000 & XP have good integration with norton and i expect with other AV progs as well.
either turn off macro execution altogether or, at minimum, set "ask before running macros". Office 2000 & XP also have the ability to "run only signed macros". this is a good option if you are in a corporation that does require complex macros and where you can set up a trusted source for signing them.
if your email client allows it (and if it doesn't, either get it patched or throw it out), set up "warn before MAPI Send". MAPI (Messaging Application Programming Interface) is the interface programs use to send mail messages, and a macro can use it to secretly send out information if this warning is not enabled. i believe that unpatched versions of outlook do not have any warning features...so patch it ok...really
now what do the viewers have to do with security?
simply put, the viewers do not run macro code so you can be safe looking at most file types. for me i was able to look at the excel file and find out that it was in fact something that a supplier had sent. of course i still called them to find out what it was and why they had sent it as it could have been sent to me without their knowledge from an infected document.
for a sysadmin charged with the responsibility of making sure their idiots...err...i mean users...don't open attachments, these viewers can be of great use. you can set up most if not all email clients to specify what program to use when viewing attachments. if you specify the viewers rather than the progs themselves, users who "accidentally" click open an attachment don't risk infecting your network. if your email client doesn't offer this ability, you can always change the file associations for xls, doc etc to point to the viewer rather than the program itself. i think i'd recommend this anyway. users will not be able to double click in explorer to edit a file, which is somewhat inconvenient, but convenience is the plague of security. they will still be able to open the files using the file/open dialog, but you can rest a bit easier knowing that they'll have to work a bit harder to ruin your day...
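one more check that goes with the viewer approach: before handing an unknown xls or doc to any program at all, you can tell whether it even carries a VBA project, because the old binary Office formats are OLE2 compound files and a macro project lives in a storage named "Macros" (Word) or "_VBA_PROJECT_CUR" (Excel) with a "VBA" storage inside. the script below is an added example, not part of the original post: it walks the compound file's directory without executing anything, flags those storage names, and builds its own constructed minimal sample files for testing (it reads only the 109 FAT pointers in the header, which covers attachments up to a few MB).

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
VBA_STORAGES = {"vba", "macros", "_vba_project_cur"}  # storage names that hold a VBA project


def ole_entry_names(data: bytes) -> list[tuple[str, int]]:
    """Return (name, type) for every directory entry in an OLE2 compound file.
    type 1 = storage, 2 = stream, 5 = root entry. Nothing in the file is executed."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    fat: list[int] = []
    for fat_sector in struct.unpack_from("<109I", data, 76):   # DIFAT entries in the header
        if fat_sector >= 0xFFFFFFFA:                           # FREESECT: no more FAT sectors
            break
        off = (fat_sector + 1) * sector_size                    # sector n lives at (n+1)*size
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data, off))
    names, sector, seen = [], first_dir, set()
    while sector < 0xFFFFFFFA and sector not in seen:          # follow the directory chain
        seen.add(sector)
        off = (sector + 1) * sector_size
        for i in range(sector_size // 128):                     # 128-byte directory entries
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", entry, 64)
            if etype == 0 or name_len < 2:                      # unused slot
                continue
            names.append((entry[:name_len - 2].decode("utf-16-le"), etype))
        sector = fat[sector] if sector < len(fat) else ENDOFCHAIN
    return names


def has_vba_project(data: bytes) -> bool:
    """True when a storage with a VBA-project name is present: open this one in a viewer."""
    return any(t == 1 and n.lower() in VBA_STORAGES for n, t in ole_entry_names(data))


def build_sample_ole(entries: list[tuple[str, int]]) -> bytes:
    """Constructed test input (hypothetical, not a real workbook): header, one FAT sector
    (sector 0) and one directory sector (sector 1) holding a root entry plus `entries`."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHI", header, 28, 0xFFFE, 9, 0)          # byte order, 512-byte sectors
    struct.pack_into("<I", header, 48, 1)                       # first directory sector = 1
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    dirsec = bytearray(512)
    for i, (name, etype) in enumerate([("Root Entry", 5)] + entries):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        dirsec[i * 128: i * 128 + len(raw)] = raw
        struct.pack_into("<HB", dirsec, i * 128 + 64, len(raw), etype)
    return bytes(header) + fat + bytes(dirsec)


if __name__ == "__main__":
    print(has_vba_project(build_sample_ole([("_VBA_PROJECT_CUR", 1), ("VBA", 1)])))  # True
```

absence of these storages does not prove a file is harmless (it says nothing about other exploit paths), but their presence in a file nobody expected to contain macros is a good reason to call the sender before anything opens it.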
hope this has been of some use...oh...and did i mention...stop using outlook...and update your av defs...now...really...
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson