[1476] in WWW Security List Archive
Re: Winword Macro Viruses: unsafe to use Word as a viewer?
daemon@ATHENA.MIT.EDU (David M. Chess)
Tue Feb 13 14:28:04 1996
Date: Tue, 13 Feb 96 10:43:39 EST
From: "David M. Chess" <chess@watson.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> I assume that this problem makes it inadvisable to configure Word or
> Excel as an external viewer in conjunction with a web browser (i.e.,
> don't configure Netscape to automatically fire up Word or Excel when
> you download a Word or Excel file).

It's generally not very safe to use any program that has a
powerful macro interpreter without any access control, as
a Web viewer. The Microsoft detection tool will warn you
if it finds macros in documents that wouldn't normally
be expected to contain macros, but it only works if a
document is opened in certain ways, so you should understand
the issues very clearly before relying on it in this case.

You could also use a script that first runs a virus-checker
on the document, and then opens it if it passes, but if
someone puts up a cleverly-disguised macro that doesn't
look like any existing virus, but does erase your hard
disk when the document is opened, it wouldn't help. It'd
be better to use something that just doesn't include the
macro interpreter at all; I believe Microsoft's Word Viewer
is like that.

Postscript itself has this worry, too, in that there are
options in GhostScript that allow Postscript documents
to do things you wouldn't want random strangers doing.
Those options are off by default in recent GhostScript,
but on in older versions.

Caution is called for in general. I'm rather paranoid, and
don't include any viewers for anything more powerful than
text/HTML/GIF/JPEG/MPEG by default, myself...

- -- -
David M. Chess / Invest for the Nanotech Era:
High Integrity Computing Lab / Buy Atoms!
IBM Watson Research
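
Added example, not part of the original message: a small audit of a helper-application table against the policy the reply describes (no macro-capable program as a viewer, Ghostscript only in its restricted mode, nothing beyond text/HTML/GIF/JPEG/MPEG by default). It assumes the table uses the mailcap "type; command" layout, that the Ghostscript restriction in question is its `-dSAFER` switch (the message does not name it), and that the allowlist maps to the MIME types shown; the sample entries and helper names are constructed.

```python
# Added example; sample entries are constructed, not taken from the message.
SAFE_TYPES = {"text/plain", "text/html", "image/gif", "image/jpeg", "video/mpeg"}
MACRO_HOSTS = {"winword", "excel"}      # applications with a macro interpreter
GHOSTSCRIPT = {"gs", "ghostscript"}

SAMPLE_MAILCAP = r"""
# constructed helper-application table, mailcap layout: type; command
text/html; netscape %s
image/gif; xv %s
application/msword; c:\winword\winword.exe %s
application/postscript; gs -q %s
application/postscript; /usr/bin/gs -q -dSAFER -dNOPAUSE %s
application/vnd.ms-excel; excel %s
"""

def parse_mailcap(text):
    """Yield (mime_type, command). Simplified: no continuation lines or escaped ';'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ";" not in line:
            continue
        mime, command = line.split(";", 1)
        yield mime.strip().lower(), command.split(";", 1)[0].strip()

def program_name(argv):
    """Base name of the helper, without directory or .exe suffix."""
    if not argv:
        return ""
    name = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def audit(text):
    """Return (mime_type, severity, reason) for each entry that needs attention."""
    findings = []
    for mime, command in parse_mailcap(text):
        argv = command.split()
        prog = program_name(argv)
        if prog in MACRO_HOSTS:
            findings.append((mime, "high", "macro-capable application used as viewer"))
        elif prog in GHOSTSCRIPT and "-dSAFER" not in argv:
            findings.append((mime, "high", "Ghostscript started without -dSAFER"))
        elif mime not in SAFE_TYPES:
            findings.append((mime, "review", "type outside the conservative allowlist"))
    return findings

if __name__ == "__main__":
    for mime, severity, reason in audit(SAMPLE_MAILCAP):
        print(f"{severity:6} {mime:28} {reason}")
```

A restricted Ghostscript entry is still reported at "review" severity, because PostScript lies outside the conservative allowlist even when the interpreter's file operations are limited.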