Word macros and security.



  • Recent versions of Word won't run macros until you click "enable macros". This is good.

    However, I have so far found no way to edit them in VBA until "enable macros" is clicked. This means either I really am that bad at looking for things (which wouldn't surprise me), or you can't check what the macros do before enabling them.

    In the latter case, do I need to point out how ridiculously inane that is?



  • Not really. Its like saying you should be able to replace the brakes without taking the wheels off.

    what does alt-f11 do?


  • ♿ (Parody)

    @zipfruder said:

    Not really. Its like saying you should be able to replace the brakes without taking the wheels off.

    More like saying you have to allow the car to roll before you can replace the breaks. Having to allow them to run to be able to examine them (assuming that's true) is terrible, since the main reason they get disabled is for security.



  •  Catch-VBA



  • @boomzilla said:

    @zipfruder said:
    Not really. Its like saying you should be able to replace the brakes without taking the wheels off.

    More like saying you have to allow the car to roll before you can replace the breaks.

    This reminds me of a good joke. Do you know who invented breakdancing? A guy in Harlem* who was trying to steal the wheels from cars as they drove by on MLK boulevard.

    * I never said what kind of guy.



  • Boomzilla got my point right.

    I'll also point out this help page, according to which the procedure to edit macros includes enabling them.



  • @Medinoc said:

    Boomzilla got my point right.

    I'll also point out this help page, according to which the procedure to edit macros includes enabling them.

    The problem is that it is possible to put a macro into a document that runs automatically when the document is opened. So you have disable macros to prevent this. However, enabling macros is not the same as actually running a macro. The procedure outlined in the link you posted is overly complicated (TRWTF) but makes sense:

    Open a document containing macros (with macros disabled)

    Enable macros (as described in the help page)

    Edit macro

    Disable macros when done editing

     

     


  • Considered Harmful

    It's a like a gun you can only clean by loading it with live ammunition and disengaging the safety.



  • @joe.edwards said:

    It's a like a gun you can only clean by loading it with live ammunition and disengaging the safety.

    • Open a document containing macros (with macros disabled)
    • Enable macros (as described in the help page)

     

    When you enable macros, do macros in the document automatically run without any action by you?  If the answer is yes, then there is a huge WTF.  If the answer is no, then there is no problem and your analogy is worng.



  • I tested it and made a MsgBox triggered by Document_Open() and here's what happened:

    Pressing Alt+F11 with macros disabled brought me to a blank VBA editor as if there was no code at all

    As soon as I enabled macros it triggered that MsgBox and then the code showed up in the VBA editor.



  • @El_Heffe said:

    @joe.edwards said:

    It's a like a gun you can only clean by loading it with live ammunition and disengaging the safety.

    • Open a document containing macros (with macros disabled)
    • Enable macros (as described in the help page)

     

    When you enable macros, do macros in the document automatically run without any action by you?  If the answer is yes, then there is a huge WTF.  If the answer is no, then there is no problem and your analogy is worng.


    For that matter, are there events such as "key is pressed" and "mouse is moved over the document", and would those become active when macros are enabled after opening the document? While it's possible to avoid triggering those, for a lot of people they're going to be triggered almost immediately.



  •  @lolwtf said:

    For that matter, are there events such as "key is pressed" and "mouse is moved over the document", and would those become active when macros are enabled after opening the document? While it's possible to avoid triggering those, for a lot of people they're going to be triggered almost immediately.

    Document_Open() get's triggered as soon as macros are enabled, no need to worry about any sort of input.

     



  • What can macros actually do? If it's anything more than "change some text in this document and make it bright pink" that's TRWTF right there.


  • Considered Harmful

    @Ben L. said:

    What can macros actually do? If it's anything more than "change some text in this document and make it bright pink" that's TRWTF right there.

    [quote user="TRWTF"]

    A well-known example of a macro virus is the Melissa Virus from 1999. Anyone who opened a document with the virus in Microsoft Office would 'catch' the virus. The virus would then send itself by email to the first 50 people in the person’s address book. This made the virus replicate at a fast rate.

    Since a macro virus depends on the application rather than the operating system, it can infect a computer running any operating system to which the targeted application has been ported. In particular, since Microsoft Word is available on Macintosh computers, word macro viruses can attack these as well as Windows platforms.

    The macro virus can be avoided by exercising caution when opening email attachments and other documents. Not all macro viruses can be detected by antivirus software.

    [/quote]


  • @Medinoc said:

    Recent versions of Word won't run macros until you click "enable macros". This is good.

    However, I have so far found no way to edit them in VBA until "enable macros" is clicked. This means either I really am that bad at looking for things (which wouldn't surprise me), or you can't check what the macros do before enabling them.

    In the latter case, do I need to point out how ridiculously inane that is?

    You're supposed to run the file through a virus scanner if it has macros of dubious provenance, not attempt to read the code and work out what they do. Or if you don't need the macro functionality, you could disable macros and not worry about what they were.


    That said, I'm pretty sure there must be some convoluted way to get teh codez if you really wanted. You could always open the file as a zip archive and pick it out that way.



  • @TDWTF123 said:

    You're supposed to run the file through a virus scanner if it has macros of dubious provenance, not attempt to read the code and work out what they do.

    Assuming you aren't trolling: TRWTF is that a valid word processing document file can contain viruses.



  • @joe.edwards said:

    @Ben L. said:
    What can macros actually do? If it's anything more than "change some text in this document and make it bright pink" that's TRWTF right there.

    [quote user="TRWTF"]

    A well-known example of a macro virus is the Melissa Virus from 1999. Anyone who opened a document with the virus in Microsoft Office would 'catch' the virus. The virus would then send itself by email to the first 50 people in the person’s address book. This made the virus replicate at a fast rate.

    Since a macro virus depends on the application rather than the operating system, it can infect a computer running any operating system to which the targeted application has been ported. In particular, since Microsoft Word is available on Macintosh computers, word macro viruses can attack these as well as Windows platforms.

    The macro virus can be avoided by exercising caution when opening email attachments and other documents. Not all macro viruses can be detected by antivirus software.

    [/quote]

    So it's a file that, when opened, sends itself to 50 people, and then does nothing else?

    That's not a virus, that's a more user-friendly chain mail!


  • Considered Harmful

    Simple replication can be enough to cripple many servers. My favorite (though not a macro virus) is the Slammer.
    [quote user="The Spread of the Sapphire/Slammer Worm"]

    Propagation speed was Sapphire's novel feature: in the first minute, the infected population doubled in size every 8.5 (±1) seconds. The worm achieved its full scanning rate (over 55 million scans per second) after approximately three minutes, after which the rate of growth slowed down somewhat because significant portions of the network did not have enough bandwidth to allow it to operate unhindered. Most vulnerable machines were infected within 10-minutes of the worm's release. Although worms with this rapid propagation had been predicted on theoretical grounds [5], the spread of Sapphire provides the first real incident demonstrating the capabilities of a high-speed worm. By comparison, it was two orders magnitude faster than the Code Red worm, which infected over 359,000 hosts on July 19th, 2001 [3]. In comparison, the Code Red worm population had a leisurely doubling time of about 37 minutes.

    While Sapphire did not contain a malicious payload, it caused considerable harm simply by overloading networks and taking database servers out of operation. Many individual sites lost connectivity as their access bandwidth was saturated by local copies of the worm and there were several reports of Internet backbone disruption [4] (although most backbone providers appear to have remained stable throughout the epidemic). It is important to realize that if the worm had carried a malicious payload, had attacked a more widespread vulnerability, or had targeted a more popular service, the effects would likely have been far more severe.

    ...

    By passively monitoring traffic (either by sniffing or sampling packets or monitoring firewall logs) on a set of links providing connectivity to multiple networks, each responsible for about 65,000 IP addresses, we were able to infer the worms overall scanning behavior over time. Sapphire reached its peak scanning rate of over 55 million scans per second across the Internet in under 3 minutes. At this rate, the worm would effectively scan over 90 percent of the entire Internet in a little more than 10 minutes. This aggregate scanning rate is confirmed by all datasets with known address space coverage.

    [/quote]



  • @joe.edwards said:

    Simple replication can be enough to cripple many servers.

    Still not a virus. Gonna keep my description as "chain mail".



  • @Ben L. said:

    So it's a file that, when opened, sends itself to 50 people, and then does nothing else?

    Some versions of the Melissa Virus would delete files on various drives.



  • @Ben L. said:

    @joe.edwards said:
    Simple replication can be enough to cripple many servers.

    Still not a virus. Gonna keep my description as "chain mail".

    You don't understand the term "virus". A program that does something bad (or unwanted) but doesn't replicate is just a shitty program.  Replication is the definition of a virus, regardless of what it actually does.



  • @Ben L. said:

    TRWTF is that a valid word processing document file can contain viruses executable computer code



  • @Ben L. said:

    @TDWTF123 said:
    You're supposed to run the file through a virus scanner if it has macros of dubious provenance, not attempt to read the code and work out what they do.

    Assuming you aren't trolling: TRWTF is that a valid word processing document file can contain viruses.

    It's not a WTF at all. It's pretty obvious when you think about the things a word processor has to do apart from write text - opening files and so-on. Pretty much as soon as you add any form of scripting capability - which is an obvious necessity - you end up with quite a dangerous vector for information leaks.


    I think it's actually underappreciated as a danger, when you think about what a tailored macro could do in the right place. Get an Excel macro into a big bank which searches the hard disk for any documents with the word 'bid' in them, maybe. If you know what you're searching for, it's easier. It's not really the kind of thing virus scanners check for at the moment, either, as far as I know.

    In general, the system works just fine. 99% of Office users have a very basic use-case, and rarely if ever run across macros. If they do, the message is scary enough that they normally click 'disable' and everyone's happy. For people who use macros, either they have properly signed code that runs without a warning, or they mostly use the same workbooks and are used to clicking enable.



  • @Ben L. said:

    What can macros actually do? If it's anything more than "change some text in this document and make it bright pink" that's TRWTF right there.
     

    They can read, write and execute any file (subjected to the user permissions). They can also access the network, with the automatic authentication provided by Windows.

    But you won't be able to print a ponny with macros untill we get some very good 3D printers.



  • @Mcoder said:

    @Ben L. said:

    What can macros actually do? If it's anything more than "change some text in this document and make it bright pink" that's TRWTF right there.
     

    They can read, write and execute any file (subjected to the user permissions). They can also access the network, with the automatic authentication provided by Windows.

    But you won't be able to print a ponny with macros untill we get some very good 3D printers.

    And what exactly is the BENEFIT of having a virus-friendly system like that IN A WORD PROCESSOR?



  • @Ben L. said:

    And what exactly is the BENEFIT of having a virus-friendly system like that IN A WORD PROCESSOR?

    You can write a SCRIPT that will AUTOMATICALLY LOWERCASE your INAPPROPRIATE CAPITALS.



  • @joe.edwards said:

    By passively monitoring traffic (either by sniffing or sampling packets or monitoring firewall logs) on a set of links providing connectivity to multiple networks, each responsible for about 65,000 IP addresses, we were able to infer the worms overall scanning behavior over time. Sapphire reached its peak scanning rate of over 55 million scans per second across the Internet in under 3 minutes. At this rate, the worm would effectively scan over 90 percent of the entire Internet in a little more than 10 minutes. This aggregate scanning rate is confirmed by all datasets with known address space coverage.


    Wait, who's this monitoring these mega switches?



  • @Ben L. said:

    And what exactly is the BENEFIT of having a virus-friendly system like that IN A WORD PROCESSOR?
     

    Customization. For example, you could use a macro to replace all instances of Programming language names with "Google Go" the minute you open any document.

     

     

     

     



  • @El_Heffe said:

    @Ben L. said:

    TRWTF is that a valid word processing document file can contain viruses executable computer code

    I see that not everyone is likely to get on the executable specifications bandwagon.



  • @BC_Programmer said:

    @Ben L. said:

    And what exactly is the BENEFIT of having a virus-friendly system like that IN A WORD PROCESSOR?
     

    Customization. For example, you could use a macro to replace all instances of Programming language names with "Oracle J#±" the minute you open any document.


    I can also do that using find and replace. That doesn't require arbitrary shell commands to be run with full administrator privileges.

    Let me put it this way: Community Server lets you log in to TDWTF forums. Do you have to give it your car keys and your credit card details in order for it to do that?

    No, because THAT ALSO MAKES ZERO SENSE.



  • @Ben L. said:

    Community Server lets you log in to TDWTF forums. Do you have to give it your car keys and your credit card details in order for it to do that?
    In the newest version, yes.**

    Fortunately this is an older version of CS.

     

     

    **Not really, but the price of the newest version of CS starts at $25,000 per year.  So, almost the same thing.


  • Discourse touched me in a no-no place

    @El_Heffe said:

    the newest version of CS starts at $25,000 per year
    At least that's not per-seat. (Some chip design toolchains are eyewateringly expensive. You only use them if you're planning to make an awful lot of money in return. Or if you're a nitwit who haven't — yet — reduced your cash levels to your sense levels, but that's unlikely among the denizens here.)



  • @Ben L. said:

    I can also do that using find and replace.
     

     

    You can make it instantly replace text the minute you open the document? Pretty sure you cannot.

    That was only a tiny example because I don't use it myself. I think the primary idea is that you can add domain-specific features to the Application and have them exist seemingly as part of the application itself. Or even more general capabilities, like forcibly changing all linked Objects into images; or changing a set of linked Excel documents into a Word Table. Merging documents in some specific way; importing data from some special format, etc.

    It seems like the main purpose it's used for is being used to deal with Business Logic. Some Applications are Word, Excel, or Access Documents/Spreadsheets/Databases. Rather than hiring programmers they get one of their spunky employees to create something that works using VBA.

    @Ben L. said:
    Let me put it this way: Community Server lets you log in to TDWTF forums. Do you have to give it your car keys and your credit card details in order for it to do that?

    That's a false comparison. Microsoft Word let's you edit Word Documents; it also has a Macro-programming and recording capability. Do you have to run macros? No.

     



  • @El_Heffe said:

    The problem is that it is possible to put a macro into a document that runs automatically when the document is opened. So you have disable macros to prevent this.
     

    You can just hold down the shift key when opening the document: http://support.microsoft.com/kb/211800



  • @ochrist said:

    @El_Heffe said:

    The problem is that it is possible to put a macro into a document that runs automatically when the document is opened. So you have disable macros to prevent this.
     

    You can just hold down the shift key when opening the document: http://support.microsoft.com/kb/211800

    Or you use OpenOffice and it does not matter if macros are enabled, like anything in OpenOffice all you will get is something that looks like a high school homework written using Amipro in 1998.


  • Discourse touched me in a no-no place

    @Ronald said:

    Or you use OpenOffice and it does not matter if macros are enabled, like anything in OpenOffice all you will get is something that looks like a high school homework written using Amipro in 1998.
    According to the majority of users I've known, if it's got the actual content, they don't care if it renders a bit wrong. They only care about the formatting when they feel secure in their ability to access the data in the first place.



  • @El_Heffe said:

    @joe.edwards said:

    It's a like a gun you can only clean by loading it with live ammunition and disengaging the safety.

    • Open a document containing macros (with macros disabled)
    • Enable macros (as described in the help page)

     

    When you enable macros, do macros in the document automatically run without any action by you?  If the answer is yes, then there is a huge WTF.  If the answer is no, then there is no problem and your analogy is worng.

    FWIW I think the analogy is correct. He didn't say the trigger was pulled.

     



  • @dkf said:

    @Ronald said:
    Or you use OpenOffice and it does not matter if macros are enabled, like anything in OpenOffice all you will get is something that looks like a high school homework written using Amipro in 1998.
    According to the majority of users I've known, if it's got the actual content, they don't care if it renders a bit wrong. They only care about the formatting when they feel secure in their ability to access the data in the first place.

    GOOd

    pOint.


  • @Ben L. said:

    And what exactly is the BENEFIT of having a virus-friendly system like that IN A WORD PROCESSOR?
     

    It lets people program wiothout IT giving them a proper programming environment. Since IT will never either give people a programming environemnt, buy or create the programs that they need, it's a huge gain to any big entity.


  • Discourse touched me in a no-no place

    @BC_Programmer said:

    @Ben L. said:

    I can also do that using find and replace.
     

     

    You can make it instantly replace text the minute you open the document? Pretty sure you cannot.

    That was only a tiny example because I don't use it myself. I think the primary idea is that you can add domain-specific features to the Application and have them exist seemingly as part of the application itself. Or even more general capabilities, like forcibly changing all linked Objects into images; or changing a set of linked Excel documents into a Word Table. Merging documents in some specific way; importing data from some special format, etc.

    It seems like the main purpose it's used for is being used to deal with Business Logic. Some Applications are Word, Excel, or Access Documents/Spreadsheets/Databases. Rather than hiring programmers they get one of their spunky employees to create something that works using VBA.

    @Ben L. said:
    Let me put it this way: Community Server lets you log in to TDWTF forums. Do you have to give it your car keys and your credit card details in order for it to do that?

    That's a false comparison. Microsoft Word let's you edit Word Documents; it also has a Macro-programming and recording capability. Do you have to run macros? No.

     

     

     

    <p>I think business logic is probably the most used feature.  I've seen an Excel spreadsheet--in the 1990s--that functioned as a factory floor scheduler, including producing paper orders for replacement parts.  Another example is an insurance company census form that uses macros to sanity-check the document, verifying things like "hire date isn't after eligibility date" and "didn't forget SSN or put in an invalid SSN" and the like.



  • @Ben L. said:

    @joe.edwards said:
    Simple replication can be enough to cripple many servers.

    Still not a virus. Gonna keep my description as "chain mail".


    Do you know what a non-computer virus does? Hint: it does nothing.



  • @FrostCat said:

    I think business logic is probably the most used feature.  I've seen an Excel spreadsheet--in the 1990s--that functioned as a factory floor scheduler, including producing paper orders for replacement parts.  Another example is an insurance company census form that uses macros to sanity-check the document, verifying things like "hire date isn't after eligibility date" and "didn't forget SSN or put in an invalid SSN" and the like.
    Macro (ab)use I've encountered:

    At a previous employer – probably also in the 1990s – chips were designed in Word. The documents were intended to be detailed specifications that included the actual implementation; the logic was specified in specially formatted tables, which were then processed by macros to generate the actual chip design in VHDL. (Of course, hardly anybody bothered writing the specification verbiage.)

    At my current employer, chip design data is stored in multiple Excel spreadsheets. After setting option values in a bunch of cells, there are several form buttons that export it in various forms for use in testing the chip (and other purposes that are not relevant to me).



  • @Mcoder said:

    @Ben L. said:

    And what exactly is the BENEFIT of having a virus-friendly system like that IN A WORD PROCESSOR?
     

    It lets people program wiothout IT giving them a proper programming environment. Since IT will never either give people a programming environemnt, buy or create the programs that they need, it's a huge gain to any big entity.

     

    Do you work in the same company I do? I agree about the fact that IT Departments suck. Still VBA riddled office docs are a major pain in the ass. The company I work for bought another one and they had their VBA-Guy which it turns out basically sucked not at VBA but even understanding other office Applictions. So forms for MS Access "Databases" were all Excel forms with VBA code. Also every user had a slightly different version each having it's own perks. Anway it's not a solution for incompetent IT departments just a extremly painful workaround.

     


  • Discourse touched me in a no-no place

    @HardwareGeek said:

    chips were designed in Word
    That's wrong on so many different levels.


Log in to reply