[2691] in WWW Security List Archive
Re: ActiveX security hole reported.
daemon@ATHENA.MIT.EDU (David M. Chess)
Mon Aug 19 13:32:41 1996
Date: Mon, 19 Aug 96 11:20:06 EDT
From: "David M. Chess" <CHESS@watson.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
In a message I didn't actually see,
Todd Merritt <tmerritt@u.arizona.edu> wrote:
>Kinda off topic, but you can disable the autoload and autosave macros and
>effectively prevent infection from any type of macro "virus".
That's not actually true; a macro-virus doesn't have to infect
via autoload/autosave any more than a program-virus has to
infect via COMMAND.COM. There are lots of ways to put code
into a Word document such that it's reasonably likely to get
executed by a normal user reading the document; AUTOOPEN is
just the most obvious. To guard against macro viruses and
Trojan horses by disabling macros, you'd pretty much have to
turn off the system's willingness to execute any macro that
the user didn't intentionally invoke by name. But that would
make macros much less useful!
In general this is a very hard problem; you can't prevent
viruses by just getting rid of a few of the most obvious
macros in Word, nor can you IMHO get rid of threats from
automatically-downloaded binaries just by requiring signatures.
More work on security models needs to be done, and it needs
to be principled rather than ad-hoc.
- -- -
David M. Chess For Best Results,
High Integrity Computing Lab Consume Before Above Date
IBM Watson Research
