5.5 Office 2000 Security

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5.  Macro Viruses


Office 2000 introduced a new security feature, built around digital signatures, to diminish the threat of macro viruses. Office 2000 automatically trusts macros (written in VBA6) that were digitally signed by authors who have previously been designated as trusted. Not all Office 2000 applications have the new feature, but Word, Excel, Outlook, and PowerPoint do. Access, FrontPage, Publisher, and PhotoDraw do not (although Access has its own security mechanisms). Users must have Internet Explorer 4.0 or higher for the security to work. When opening a document containing macros, depending on security settings, Office may notify you, as shown in Figure 5-7, that untrusted macros are present.

Figure 5-7. Office 2000 macro warning dialog box

Office cannot ascertain whether the macro is dangerous or not, only that the document contains macro code. You can choose to disable the macros (the default option) while opening the document, or enable them. Interestingly, the document path and name Office displays in the warning dialog box is not always the current location of the item. Don't let this bug confuse you.

5.5.1 Security Levels

In Office 2000, you can set macro security to High, Medium, or Low within each supported application. Figure 5-8 shows the different options. High, the default, disables all unsigned or untrusted macros and accepts all signed, trusted macros. Medium prompts the user to accept or deny the macro if it is not trusted. Low lets all macros execute automatically without prompting the user. You get to macro security by choosing Tools → Macro → Security.

Figure 5-8. Office 2000 macro security menu

5.5.2 Signed Macros

Macros written in VBA6 can be digitally signed to prevent tampering. Digital signing and certification are covered in detail in Chapter 11. When someone signs code, she must also include a certificate of authenticity. If accepted by Office, it means the code has arrived from the signer to your Office application without modification. It does not mean the code is safe (the signer could have been infected and not known it) or that the signer is the original author (it could be re-used and signed by another author). Signing in Office does not verify document content, which is good because you need to be able to change text and data without invalidating the module code. However, a digital signature does mean that between the signer and you, the code did not change. Signed code should garner more trust than unsigned code if you trust the signer.

If a macro virus modifies a legitimate macro, the signature will become invalid, and Word will treat it like an unsigned macro. Theoretically, you should treat all untrusted macros as virus code. This security validation process only helps before you accept the macro as trusted. If you accept a macro, or a particular signer as trusted, the macro code will always run without warning you.

When you first open a document containing signed macros, you may receive a warning that the signed project's certificate has not been authenticated, as displayed in Figure 5-9. This means the project is signed, but that the signer has not been authenticated by an outside entity (covered in Chapter 11). For most purposes, you should consider unauthenticated projects to be unsigned, unless you explicitly trust the signer. Word treats unauthenticated projects with a skeptical eye, but in some cases will allow you to accept them.

Figure 5-9. Warning from document containing an unauthenticated, signed macro

Whenever you receive a signed macro, Office will look to see if the signer is trusted. If not, Office will allow you to see the source's digital certificate of authenticity. The certificate attests that the signer is who she says she is. If you accept the certificate and signer as trusted, Office will prompt you about whether to Trust all macros from this source. If you do, Office will run all macros from the same source without any warnings. You have made the signer a trusted source. You can see your list of trusted sources by choosing Tools → Macro → Security → Trusted Sources from your application. When you install a brand new copy of Office, no sources are trusted (unless your network administrator has forced some through during a network install).

You can remove a trusted source in the same screen, but normally you can only accept a new source by opening a document with its signed project while security is set to Medium or High. The trusted sources list is kept in the registry and is not shared with Internet Explorer's trusted author list, although they share the same mechanism for verifying certificates. Table 5-3 shows the default security levels and trust treatments in Office 2000.

Table 5-3. Microsoft Office 2000's security levels and treatments

Event/Security level                                   | High                                                            | Medium                                                                          | Low
-------------------------------------------------------|-----------------------------------------------------------------|---------------------------------------------------------------------------------|-----------------------
Unsigned macros                                        | Automatically ignored                                           | User will be prompted to disable or enable                                      | Automatically executed
Signed macros from a trusted source                    | Automatically executed                                          | Automatically executed                                                          | Automatically executed
Signed macros from an untrusted source                 | User shown certificate and prompted to disable or enable macros | User shown certificate and prompted to disable or enable macros                 | Automatically executed
Signed macros with an invalid signature or certificate | User warned, macros disabled                                    | User warned and prompted to disable or enable; or macros automatically disabled | Automatically executed
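The two properties described above, that the signature covers only the VBA project (so editing document text leaves it valid while editing the macro code invalidates it) and the per-level treatment in Table 5-3, modelled as an added example; this is not code from the book or from Office. An HMAC over the project stands in for the real digital signature, since the point shown is what the signature covers and how the trust decision follows from it, not the signature algorithm; all names, keys and documents are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Set

# Constructed key standing in for the signer's private key (assumption, not Office's scheme).
SIGNING_KEY = b"demo-signer-key"


@dataclass
class OfficeDocument:
    text: str                        # document content: NOT covered by the signature
    vba_project: str                 # macro code: what the signature covers
    signer: Optional[str] = None
    signature: Optional[str] = None


def sign_project(doc: OfficeDocument, signer: str, key: bytes = SIGNING_KEY) -> None:
    """Sign only the VBA project, as Office 2000 does; document text is excluded."""
    doc.signer = signer
    doc.signature = hmac.new(key, doc.vba_project.encode(), hashlib.sha256).hexdigest()


def signature_state(doc: OfficeDocument, key: bytes = SIGNING_KEY) -> str:
    """Return 'unsigned', 'valid' or 'invalid' for the document's macro project."""
    if doc.signature is None:
        return "unsigned"
    expected = hmac.new(key, doc.vba_project.encode(), hashlib.sha256).hexdigest()
    return "valid" if hmac.compare_digest(expected, doc.signature) else "invalid"


def macro_decision(doc: OfficeDocument, level: str, trusted_sources: Set[str]) -> str:
    """Map Table 5-3 onto an action: 'run', 'prompt' or 'disabled'."""
    if level == "Low":
        return "run"                              # Low runs everything, signed or not
    state = signature_state(doc)
    if state == "valid" and doc.signer in trusted_sources:
        return "run"                              # trusted signer: no warning at High or Medium
    if state == "invalid":
        # High: user warned, macros disabled. Medium: the table lists both a prompt
        # and automatic disabling; modelled here as a prompt.
        return "disabled" if level == "High" else "prompt"
    if state == "valid":
        return "prompt"                           # signed but untrusted: certificate shown
    return "disabled" if level == "High" else "prompt"   # unsigned
```

Note that a tampered project is treated exactly like an unsigned one at High, which is the behaviour the text describes for Word.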

5.5.3 Trusting Add-ins and Templates

Office 2000 allows you to designate template directories and add-ins as automatically trusted -- otherwise they will be treated like other types of documents. You can enable or disable (the default) automatic trust by choosing Tools → Macros → Security and checking Trust all installed add-ins and templates. I don't recommend enabling this setting, as it is simply too much trust to give any document and opens the door to macro virus infections.

5.5.4 Office 2000 Security Peculiarities

Office 2000 is a great attempt to decrease the number of macro viruses. However, because of the complexity of Office, holes are bound to be found. Here are a few peculiarities:

Resigning is automatic

Once a macro developer signs their macro (project) in VBA6, it is automatically resigned by VBA6 every time it is resaved by the same developer. Microsoft does this to encourage the use of digital signing, but it goes against the grain of the normal industry-accepted process. In particular, if a virus infects a macro developer's Office 2000 project, it can infect his signed projects without his knowledge, and Office 2000 will automatically resign them before they are distributed. If the end user has previously accepted the publisher as a trusted source, infected macros could pour into their system unnoticed. Infected developer code has always been around, but the automatic distribution without the user's awareness is new.

Excel exceptions

Excel 2000 does not consider Excel templates to be trusted sources even if you choose the Trust all installed add-ins and templates checkbox on the Trusted Sources tab. This is the exact opposite of the previous Excel version's policy of accepting all templates to be trusted.

Excel version 4.0 macros cannot be digitally signed and Excel's macro security only works against VBA macros. So, by default, workbooks with XLM macros are not automatically opened in Excel 2000 when security is set to high or medium. You will be warned and prompted most of the time when Excel 2000 encounters a 4.0 macro. In order to force Excel 2000 to automatically open workbooks with XLM macros a registry entry must be made:

HKLM\Software\Microsoft\Office\9.0\Excel\Security\XLM=1

Note: with this registry setting, Excel will automatically load unsigned XLM macros even if they contain viruses.

Both items can be particularly bothersome because Excel comes with installed templates and 4.0 macros. There is a known exploit where XLM macro commands contained in an external text file and linked to the spreadsheet will not be detected by Excel as macro commands, and will run without a warning. Microsoft released a patch in April 2000 to close this exploit.

Signed projects in Office 97

Office 97 does not support signed macros, but can usually run VBA6 macros. If Office 97 opens a document with a signed macro, the macro warning is presented as it normally would. However, to prevent Office 97 from inadvertently tampering with signed macros and accidentally making them unsigned, signed macros cannot be modified in Office 97. Unfortunately, this means a signed macro cannot be viewed in Office 97.

Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176