Protecting Yourself From Macro Exploits
Results 1 to 4 of 4

Thread: Protecting Yourself From Macro Exploits

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    Protecting Yourself From Macro Exploits

    the idea for this tut came to me thusly....

    i had an xls file in one of my users attachment file directories. had no idea what it was...and didn't want to delete it without checking it out...it scans fine with NAV...but i was extremely uncomfortable opening it without knowing the source...(as in...no way not gonna do it...)..so i thought i'd see if there were some 'viewer' progs out there...and there are...they are at M$

    Excel Viewer
    http://office.microsoft.com/download.../xlviewer.aspx

    Word Viewer
    http://office.microsoft.com/download...wd97vwr32.aspx

    PowerPoint
    http://office.microsoft.com/download.../Ppview97.aspx

    so how do these viewers, which are basically written to allow users without copies of word, excel and powerpoint to view documents, help us with macro security?

    background
    macro exploits are bits of code attached to word excel and powerpoint presentations. in the old days a macro was something like a simple script or batch file, and they were dangerous enough, but now they are written in VBA (visual basic for applications) VBA is a very powerful language, in the sense that you can pretty much do anything with your computer using VBA. a sufficiently skilled coder can modify registry settings, rename and delete files, send out information from your computer and even format your harddrive.

    most often, but not always, these macros are set to run when the file is opened for the first time. The macros can modify the default templates (eg. normal.dot) for the program so that the exploit is loaded everytime the program is run or perhaps, keep track of the number of times it has run, or the date, in order to run another bit of code.


    what to do
    ok...first....stop using outlook...really...but if you must...or have no choice (corporate of edu rules) make sure it's patched. we've seen studies showing something like 90% of outlook and OE users are running unpatched software.

    have AV software which is up to date and set to scan documents when they are opened. Office 2000 & XP have good integration with norton and i expect other AV progs as well.

    either turn off macro execution altogether or at minimum "ask before running macros" Office 2000 & XP also have the ability to "run only signed macros". this is a good option if you are in a corporation that does require complex macros and where you can set up a trusted source

    if your email client allows it (and if it doesn't either get it patched or throw it out), set up "warn before MAPI Send" MAPI (Messaging Application Programming Interface) is the protocol used to send mail messages from programs and can be used to secretly send out information if this warning is not enabled. i believe that unpatched versions of outlook do not have any warning features...so patch it ok...really

    now what do the viewers have to do with security?
    simply put, the viewers do not run macro code so you can be safe looking at most file types. for me i was able to look at the excel file and find out that it was in fact something that a supplier had sent. of course i still called them to find out what it was and why they had sent it as it could have been sent to me without their knowledge from an infected document.

    for a sysadmin charged with the responsibility of making sure their idiots...err...i mean users...don't open attachments, these viewers can be of great use. you can set up most if not all email clients and specify what to use when viewing attachments. if you specify the viewers rather than the progs themselves, users who "accidently" click open an attachment don't risk infecting your network. if your email client doesn't offer this ability, you can always change the file associations for xls, doc etc to point to the viewer rather than the program itself. i think i'd recommend this anyways. users will not be able to double click in explorer to edit a file, which is somewhat inconvenient, but convenience is the plague of security. they will still be able to open the files using file/open dialog, but you can rest a bit easier knowing that they'll have to work a bit harder to ruin your day...

    hope this has been of some use...oh...and did i mention...stop using outlook...and update your av defs...now...really...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    i've been telling colleagues and friends for years not to use outlook.. or at least not use the addr book.. you think they listen ???
    then they call me.. " oh.. i have a virus.. can you help me ?"

    "sure".. i say.. "you get the beer and the loose women and i'll be right over"


    and if they have AOHELL installed.. that's the second thing i get rid of for them

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    btw...

    either turn off macro execution altogether or at minimum "ask before running macros" Office 2000 & XP also have the ability to "run only signed macros". this is a good option if you are in a corporation that does require complex macros and where you can set up a trusted source
    is broke unless you patch it....

    "The security measure was put in place because macros can be engineered to perform malicious actions. But a deliberately malformed macro can be inserted into a document, so that it bypasses the macro check and executes automatically."

    story is here


    patch is HERE
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  4. #4
    Thanx for the great post, I was just looking for information, dealing with macros and voila!
    [glowpurple]Terrible end is better than endless terror! [/glowpurple]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •