Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5. Macro Viruses

5.11 Risk Assessment -- High

This should come as no surprise given the popularity of macro viruses. Not only are they widespread, but their payload routines can do almost anything to a PC. Digitally signed macros and the ever-increasing security in Office 2000 will help, but adoption of those new features will be slow in most environments. Because history has proven that end users do not know how to treat macro virus warning messages appropriately, you should set macro security to High wherever possible. The risk to any environment from macro viruses is high, not only because of their sheer numbers, but because of what they have yet to try. The world is their oyster.

5.11.1 The Future of Macro Viruses

There are many exploits that virus writers are just starting to explore, and antivirus researchers are just waiting for them. Some methods deal with what a macro virus can do on the local machine; others work with the ways it could exploit the Windows infrastructure. Microsoft Office applications are becoming more Internet-friendly all the time. Office documents can now host web scripts, which let developers use Office documents to provide dynamic content to web pages. The Microsoft Office 2000 Developer Kit even contains WebBot components that use Dynamic HTML to create interactive web pages in Office without advanced coding. Web scripts, which can be written in VBScript, JavaScript, and so on, are represented in documents by a visual icon called a script anchor.

Instead of using a macro module in documents that are going to be published on the web, programmers will use Microsoft's Script Editor and web scripts. The Script Editor can be accessed in Word by choosing Tools → Macros → Microsoft Script Editor. Microsoft's default install of Windows Scripting Host is proving hard for malicious hackers to resist. Potentially, every exploit that can be done with an Internet scripting language can be embedded in web-enabled Office documents. Office documents can be saved as web pages, and yes, associated macros are saved too (in a file called EDITDATA.MSO). Office 2000 saves the document, the macro code, and other identifying information with the web document. Internet Explorer 5.x and above understands these new document types and will automatically start the associated Office application when you come across an Office document on a web site. Luckily, Office macro security settings still apply. For this reason, macro viruses are, and will continue to be, viable attack mechanisms with a high risk. The only reason a macro virus hasn't done more damage to the world's PC infrastructure is that the majority of hackers haven't meant to cause real damage.
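The EDITDATA.MSO file mentioned above is what a defender would look for when a "saved as web page" document is suspected of carrying macros. The following Python check is an added example, not code from the book; it assumes the .mso container starts with an "ActiveMime" signature wrapping a zlib-compressed OLE2 compound file whose VBA project stream names ("_VBA_PROJECT", "Macros") appear in UTF-16LE, and it runs on constructed sample blobs rather than real Office output.

```python
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE2 compound file signature
MSO_MAGIC = b"ActiveMime"                            # assumed .mso container signature
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x9c", b"\x78\xda")

# Stream names live in the OLE directory as UTF-16LE; these mark a VBA project.
VBA_MARKERS = tuple(n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros"))

def extract_ole_from_mso(data: bytes, search_limit: int = 0x400):
    """Return the OLE2 payload of an ActiveMime blob, or None if none decodes."""
    if not data.startswith(MSO_MAGIC):
        return None
    # The zlib stream's offset is not fixed across samples (assumption), so probe
    # every candidate zlib header in the leading bytes rather than trust one offset.
    for hdr in ZLIB_HEADERS:
        pos = data.find(hdr, len(MSO_MAGIC), search_limit)
        while pos >= 0:
            try:
                # decompressobj tolerates trailing bytes after the stream end
                payload = zlib.decompressobj().decompress(data[pos:])
            except zlib.error:
                payload = b""
            if payload.startswith(OLE_MAGIC):
                return payload
            pos = data.find(hdr, pos + 1, search_limit)
    return None

def classify_mso(data: bytes) -> str:
    """'not-mso', 'unreadable', 'clean' (OLE but no VBA project) or 'vba'."""
    if not data.startswith(MSO_MAGIC):
        return "not-mso"
    payload = extract_ole_from_mso(data)
    if payload is None:
        return "unreadable"
    return "vba" if any(m in payload for m in VBA_MARKERS) else "clean"

# Constructed samples (not real Office output): OLE header, padding, stream names.
def _fake_mso(stream_names):
    ole = OLE_MAGIC + b"\x00" * 56 + b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in stream_names)
    return MSO_MAGIC + b"\x00" * 0x28 + zlib.compress(ole) + b"\x00" * 4  # trailing junk

SAMPLE_WITH_VBA = _fake_mso(["WordDocument", "Macros", "_VBA_PROJECT", "ThisDocument"])
SAMPLE_CLEAN = _fake_mso(["WordDocument", "1Table", "SummaryInformation"])
SAMPLE_HTML = b"<html><body>no container here</body></html>"

if __name__ == "__main__":
    for name, blob in [("with_vba", SAMPLE_WITH_VBA), ("clean", SAMPLE_CLEAN), ("html", SAMPLE_HTML)]:
        print(f"{name}: {classify_mso(blob)}")
```

On a real "web page" save, point the check at the .mso file inside the document's companion folder; a "vba" result means the macro security level is the only thing standing between the user and the embedded code.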

5.11.1.1 Getting rid of Microsoft Office isn't the answer

Whenever I give a presentation and finish the section on macro viruses, inevitably someone asks why everyone can't just use a safer program type, as if changing the world's default word processor would solve everything. Although macro viruses are almost strictly an Office problem, macro viruses do exist on non-Microsoft applications. But computer users, who don't let Microsoft off the hook for their slow and poor response to the macro virus problem, must understand that Pandora's box has been opened and we will never be able to close it. You can be assured that Microsoft Office's popularity won't last forever, and something else will come along to replace it. And that tool will be exploited. It isn't completely the tool's problem; it's the hacker's perception of what can infect people the fastest.

In my speech at the 1999 System Administration, Networking, and Security Institute (SANS) conference in Baltimore, a participant asked why everyone doesn't just use the .PDF document type. It doesn't have macros, and everyone can use Adobe's Acrobat Reader for free. I told the audience that if PDF became even more popular, Adobe would add more functionality to it to appease its customer base, and that additional functionality would be exploited. A few months later, Adobe's latest version of Acrobat Reader, using ActiveX technology, was found to be vulnerable to buffer overflows, and hacker web sites around the world were demonstrating how easy it was to take complete control of a user's PC with Adobe Reader.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176