[2721] in WWW Security List Archive
Re: ActiveX security hole reported.
daemon@ATHENA.MIT.EDU (Jerry Hinek)
Tue Aug 20 13:41:05 1996
Date: Tue, 20 Aug 1996 08:38:44 -0700
To: www-security@ns2.rutgers.edu
From: gjhinek@PacBell.com (Jerry Hinek)
Errors-To: owner-www-security@ns2.rutgers.edu

David Chess wrote:
>In a message I didn't actually see,
>Todd Merritt <tmerritt@u.arizona.edu> wrote:
>
>>Kinda off topic, but you can disable the autoload and autosave macros and
>>effectively prevent infection from any type of macro "virus".
>
>That's not actually true; a macro-virus doesn't have to infect
>via autoload/autosave any more than a program-virus has to
>infect via COMMAND.COM. There are lots of ways to put code
>into a Word document such that it's reasonably likely to get
>executed by a normal user reading the document; AUTOOPEN is
>just the most obvious. To guard against macro viruses and
>Trojan horses by disabling macros, you'd pretty much have to
>turn off the system's willingness to execute any macro that
>the user didn't intentionally invoke by name. But that would
>make macros much less useful!
>
>In general this is a very hard problem; you can't prevent
>viruses by just getting rid of a few of the most obvious
>macros in Word, nor can you IMHO get rid of threats from
>automatically-downloaded binaries just by requiring signatures.
>More work on security models needs to be done, and it needs
>to be principled rather than ad-hoc.
>
>- -- -
>David M. Chess For Best Results,
>High Integrity Computing Lab Consume Before Above Date
>IBM Watson Research
>
Macro viruses are a big pain, and are a legitimate www security concern,
especially since some of them now threaten to wipe out files on your hard
drive. Macro viruses are spreading all over the place as attachments to
e-mail. People can send an infected document to a mailing list, and expose
hundreds of people to the virus. These viruses propagate very quickly,
mostly because of e-mail attachments and intranet downloads.

Besides keeping current with the latest anti-virus software, several av
vendors suggest making the normal.dot file in the templates directory a read
only file. Macro viruses spread by infecting this normal template, which in
turn infects any document that is subsequently opened or created. Some users
want to make occasional changes to normal, but many of them aren't even
aware that it exists. It's easy and safe protection from spreading macro
viruses. Doing that won't remove macro viruses from infected documents, and
you want to make sure that normal.dot is infection free before you make it
read only, but it is easy, relatively cheap insurance. Use a current version
of an anti-virus product, then protect normal.dot.
=======================================
Jerry Hinek, Senior Security Specialist
(510) 823-2246
gjhinek@pacbell.com
PB1(GJHINEK) from PROFS
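
The verify-first, then make-read-only order recommended in the message above, as an added example that is not part of the original post. The function names, the stand-in file and the idea of recording a SHA-256 baseline right after a clean anti-virus scan are assumptions; the digest only detects later change, it is not itself a malware verdict.

```python
import hashlib
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_of(path):
    """Hex SHA-256 of the file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def is_read_only(path):
    # On Windows the owner-write bit mirrors the read-only file attribute.
    return not (os.stat(path).st_mode & stat.S_IWUSR)


def audit_template(path, clean_sha256):
    """Return findings for a template that should be locked and unchanged."""
    findings = []
    if not is_read_only(path):
        findings.append("writable")
    if sha256_of(path) != clean_sha256:
        findings.append("modified")
    return findings


def protect_template(path, clean_sha256):
    """Make the template read-only, but only if it still matches the digest
    recorded after the anti-virus scan; never lock in an unverified file."""
    if sha256_of(path) != clean_sha256:
        return False
    os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)
    return True


if __name__ == "__main__":
    # Constructed stand-in for normal.dot in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "normal.dot")
        with open(path, "wb") as f:
            f.write(b"constructed clean template bytes")
        baseline = sha256_of(path)  # assumed recorded right after a clean scan
        print(audit_template(path, baseline))    # before protection
        print(protect_template(path, baseline))
        print(audit_template(path, baseline))    # after protection
```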