Addressing Security-related Programming Mistakes


The administration of Microsoft Office 2003 does not typically involve programming. However, many administrators use programming languages such as Visual Basic for Applications (VBA) to create custom solutions. Some administrators are also responsible for coding efforts and managing programmers who build programs for use within their organization.

This part of the chapter covers the core programming issues associated with using the Microsoft Office programming objects to create and run custom programs that interact with Office applications.

For more information on how to use these objects, see the MSDN Web site at http://msdn.microsoft.com/ or the VBA Help for each application.

Security issues posed by Visual Basic for Applications

Over the past few years, security-related issues have caused several changes to Microsoft Office programming objects and how these objects are accessed by applications created in Visual Basic for Applications (VBA) and other programming languages. Since VBA is usually used to gain access to the core object of each Office application, it can also be used by attackers when VBA programmers make simple programming mistakes.

When an entry point into an Office application's core dynamic-link library (DLL) is exploited through VBA, nothing can stop an attacker from accessing every aspect of information stored in any file for any application. Therefore, careful attention should be paid to evaluating code written for any Office application object.

The following information presents some of the properties, methods, and functions used by many of the Office application programming objects which are most susceptible to incorrect usage. The most important of all objects is the Application object itself. This core object is the heart and soul of each Office application; if a programmer does not take proper precautions when writing code that uses this object, inadvertent mistakes can be made that will jeopardize the content of files or provide an entry point for attackers to exploit corporate systems.

Application object

The focus of the following material is centered on the Microsoft Office Word 2003 Application object, with references to related Application objects for other Office applications as needed. In many cases, the following material applies to other Office applications and their respective core object.

You can help to protect against external programs gaining access to the Visual Basic Project where all macros for a given application are stored (for example, Word stores macros in templates). By leaving the default setting of Trust access to Visual Basic Project unchecked, access to the core object that allows programs to modify or add macros to a macro repository is restricted, and the repository cannot be written to programmatically.

A policy is available to manage this setting. It is recommended that, prior to setting this policy, an in-depth review of all custom and internal tools and utilities be performed to determine whether any of them needs access to the VBProject object of each application. If none of the programs needs to use the VBProject object, an administrator can safely leave access disabled.
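An added example, not code from the Resource Kit: an audit routine an administrator can run inside a document to confirm that Trust access to Visual Basic Project is still unchecked. It relies on the fact that, with the setting off, any reference to ActiveDocument.VBProject raises a run-time error; the function names are assumptions.

```vba
' Added example, not from the Resource Kit. Returns True when programs on
' this computer are allowed to reach the VBProject object (the setting that
' should normally stay unchecked). Function names are assumptions.
Function VBProjectAccessIsOpen() As Boolean
    Dim nComponents As Long
    On Error Resume Next
    ' Touching the project's component collection triggers the trust check;
    ' with access disabled this line raises an error instead of returning
    nComponents = ActiveDocument.VBProject.VBComponents.Count
    VBProjectAccessIsOpen = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
End Function

Sub ReportVBProjectAccess()
    If VBProjectAccessIsOpen() Then
        MsgBox "Programs on this computer can read, modify or add macros in " & _
               ActiveDocument.Name & ". Review whether any tool really needs this.", _
               vbExclamation, "VBProject access enabled"
    Else
        MsgBox "Access to the VBProject object is disabled (recommended).", _
               vbInformation, "VBProject access disabled"
    End If
End Sub
```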

For instances where access to the VBProject object of an application is required, a few precautions can be taken to reduce the possibility of attack. Beyond the recommended macro security setting of High, internal applications (macros or compiled code written in C or Visual Basic) should be given special attention: check that each program sets the AutomationSecurity property of the Application object at its beginning, and that a certificate of trust issued by a certificate authority was compiled into the custom application.

By design, an Application object exists for each Office application that can use VBA. In the case of Microsoft Word, this object represents the Microsoft Word application. It includes properties and methods used to return other objects (child or parent objects, depending on the position in the object hierarchy). For example, the ActiveDocument property of the Application object can be used to return the Document object.

Example:

Dim CurrentDocument As Document
Set CurrentDocument = Application.ActiveDocument

The UserName property of the Application object can now be reached through the document's Application property to return an important piece of information. The following example displays the user name for Word in a standard message box.

MsgBox CurrentDocument.Application.UserName

AutomationSecurity property of the Application object

An existing issue with VBA causes several security concerns for administrators. When a trusted macro makes a call to start another application or to run another macro, it does not check the security of the called program unless the AutomationSecurity property is specifically instructed to do so.

Therefore, it is now recommended that programmers set the following statement at the beginning of each macro to circumvent this issue.

Application.AutomationSecurity = msoAutomationSecurityByUI

The AutomationSecurity property is automatically set to msoAutomationSecurityLow when Word, Microsoft Office Excel 2003, Microsoft Office PowerPoint 2003, Microsoft Office Outlook 2003, or another Office application runs a trusted macro. For security-minded administrators and programmers, this should be changed explicitly at the first line of every macro. To avoid breaking solutions that rely on the default setting, you should be careful to reset this property to msoAutomationSecurityByUI after programmatically opening a file or another macro or program from within a trusted macro. Also, this property should be considered for use immediately before and after starting a program if the Shell or Execute statements are used.

The AutomationSecurity property can be set to one of the following constants:

  • msoAutomationSecurityByUI Uses the security setting specified in the Security dialog box.

  • msoAutomationSecurityForceDisable Disables all macros in all files opened programmatically without showing any security alerts.

  • msoAutomationSecurityLow Enables all macros. This is the default value after a macro is started and is not recommended.
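An added example, not code from the Resource Kit, showing how a trusted macro can apply the recommendation above around Documents.Open: the property is raised before the file is opened and left at msoAutomationSecurityByUI afterwards, on the error path as well. OpenGuarded, its parameters and the sample path are assumptions.

```vba
' Added example, not from the Resource Kit. Opens a document from a trusted
' macro so the opened file is governed by the Security dialog setting
' (msoAutomationSecurityByUI) or has its macros disabled outright
' (msoAutomationSecurityForceDisable), instead of inheriting the
' msoAutomationSecurityLow value a running trusted macro is given.
' strPath and fDisableMacros are hypothetical parameters for illustration.
Function OpenGuarded(ByVal strPath As String, _
                     ByVal fDisableMacros As Boolean) As Document
    On Error GoTo Restore
    If fDisableMacros Then
        ' A data file (for example a mail merge source) never needs its macros run
        Application.AutomationSecurity = msoAutomationSecurityForceDisable
    Else
        ' Defer to whatever the user chose in the Security dialog box
        Application.AutomationSecurity = msoAutomationSecurityByUI
    End If
    Set OpenGuarded = Documents.Open(FileName:=strPath, AddToRecentFiles:=False)
Restore:
    ' Reached on both the normal path and after an error in Documents.Open:
    ' never leave the property at Low once the trusted macro has finished
    Application.AutomationSecurity = msoAutomationSecurityByUI
    If Err.Number <> 0 Then
        MsgBox "Could not open " & strPath & ": " & Err.Description, vbExclamation
        Set OpenGuarded = Nothing
    End If
End Function

Sub DemoOpenGuarded()
    ' First statement of the macro, as the chapter recommends
    Application.AutomationSecurity = msoAutomationSecurityByUI
    Dim docData As Document
    ' Constructed sample path for the demonstration
    Set docData = OpenGuarded("C:\Merge\Customers.doc", True)
    If Not docData Is Nothing Then
        MsgBox docData.Name & " opened with its macros disabled."
        docData.Close SaveChanges:=wdDoNotSaveChanges
    End If
End Sub
```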

Application object property to avoid

Some code, when invoked, can cause actions an administrator would prefer not to see. One such property that should not be used in most user-based macros is ShowVisualBasicEditor.

This property can be used to turn on the Visual Basic Editor if it is currently not enabled. Example:

Application.ShowVisualBasicEditor = True

The problem with this is that it allows a user to view information about the computer system that an administrator might not want users to see. Also, it is probably not a good idea for most user applications to start the Visual Basic Editor when most users do not write macros.

Common programming mistakes

One of the common problems programmers tend to fall into is embedding a password or UserID into a program. As a rule of thumb, passwords and UserIDs should never be stored in a program. A user should always be prompted for his UserID and password by using a dialog. The UserID and password should never be cached to the system permanently. Only after examining the UserID and password for correct formatting should they then be passed to the method or property they will be used by. In the following example, a dialog was created to prompt the user for his UserID and password. This dialog has two variables named UserID and Password.

Example:

Dim appOffice As OfficeDataSourceObject
UserIDPasswordDlg.Show
Set appOffice = Application.OfficeDataSourceObject
appOffice.Open _
    bstrConnect:="DRIVER=SQL Server;SERVER=ServerName" & _
    ";UID=" & UserIDPasswordDlg.UserID & ";PWD=" & UserIDPasswordDlg.Password & _
    ";DATABASE=Northwind", bstrTable:="Employees"
Unload UserIDPasswordDlg   'A UserForm has no Close method; Unload discards it

This method of string use limits the exposure of the UserID and password to only the time between the user entering the information and submitting it to the bstrConnect parameter.

Password-enabled or UserID-enabled objects, methods, or properties

The following objects and their related methods or properties are known to cause issues related to programmers possibly embedding passwords and UserIDs into macros. A search and review of all these objects and the listed methods or properties is suggested for all macros and related executable programs that can access the parent object of any Office application.

  • System.Connect

  • Document.Protect

  • Document.SaveAs

  • Document.VBASigned

  • Document.WritePassword

  • Document.MailMerge.DataSource.ConnectString

  • Document.OpenDataSource

  • Document.OpenHeaderSource

System object

If an attacker can gain access to the Application object of each application, he can easily take advantage of the System property to return the System object. If the operating system is Microsoft Windows, the following example could make a network connection to a shared resource through a UNC name of \\Project\Info.

If System.OperatingSystem = "Windows" Then
    System.Connect Path:="\\Project\Info"
End If

The following example displays the current screen resolution (for example, "Resolution = 1024 x 768").

MsgBox "Resolution = " & System.HorizontalResolution & " x " & _
    System.VerticalResolution

The System object can also access the environment variables that are automatically generated by the operating system. Critical environment variables are UserName, UserProfile, UserDomain, and so forth.

Connect method of the System object

The Connect method establishes a connection to a network drive through a System object. It can be used by attackers to gain access to content on hard drives the logged-on user may have access to.

System.Connect(…, Password)

Password—If the network drive requires permissions for access, provide the password here. This is the problem parameter. If saved as part of a program, security can be compromised. The following example should never be used. Instead, a dialog should ask the user for the password.

Example of Path and Password parameters of the Connect method.

System.Connect Path:="\\Project\Info", Password:="A82jbkdeiJ8"

Note

Embedding a password or UserID in a program is not recommended.

Document object

The Document object represents a document in Word.

Like other objects, it has methods or properties that can be used to compromise security if improperly used by programmers.

Protect method of the Document object

The Protect method sets protection options for sections of a document. When protection is enabled, a user of the document can edit only in the ways permitted, such as adding comments, making revisions, or completing a form. This setting does not by itself secure the contents: a document is considered protected only when the entire file is encrypted in some form, which requires a password to open it. Setting the Protect method alone therefore restricts editing but does not protect the contents; access is only restricted if encryption is used.

Document.Protect(…, Password)

Password—The password required to decrypt the specified document.

Note

Embedding a password or UserID in a program is not recommended.

SaveAs method of the Document object

The SaveAs method saves the specified document with a new name or format. The arguments for this method correspond to the options in the Save As dialog box (File menu).

Document.SaveAs(…, Password, …, WritePassword, …)

Password—A password string for opening the document for reading.

WritePassword—A password string for saving changes to the document.

Instead of hard-coding these entries into a program, it is suggested the user be prompted for the passwords.
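An added example, not code from the Resource Kit, that ties the Protect and SaveAs passages together: section protection is applied and the file is then saved with an open password, because protection without encryption leaves the contents readable. PSWDDlg is the chapter's dialog; its members PSWDVar1 (open password) and PSWDVar2 (write and protection password) and the caller-supplied path are assumptions.

```vba
' Added example, not from the Resource Kit. Protects the active document for
' form entry and saves it with an open password so the file is encrypted.
' PSWDDlg.PSWDVar1 / PSWDVar2 and strPath are assumptions.
Function ProtectAndEncrypt(ByVal strPath As String) As Boolean
    Dim doc As Document
    Dim strOpenPwd As String, strWritePwd As String
    Set doc = ActiveDocument
    ' Passwords come from the user at run time, never from literals in the macro
    PSWDDlg.Show
    strOpenPwd = PSWDDlg.PSWDVar1
    strWritePwd = PSWDDlg.PSWDVar2
    Unload PSWDDlg
    If Len(strOpenPwd) = 0 Then
        ' Without an open password the file is never encrypted, so refuse
        MsgBox "An open password is required; the document was not saved.", vbExclamation
        Exit Function
    End If
    ' Editing restriction only: anyone who can open the file can still read it
    If doc.ProtectionType = wdNoProtection Then
        doc.Protect Type:=wdAllowOnlyFormFields, NoReset:=True, Password:=strWritePwd
    End If
    ' Password encrypts the saved file; WritePassword only gates saving changes
    doc.SaveAs FileName:=strPath, FileFormat:=wdFormatDocument, _
        Password:=strOpenPwd, WritePassword:=strWritePwd, AddToRecentFiles:=False
    ' HasPassword confirms the saved document now requires a password to open
    ProtectAndEncrypt = doc.HasPassword
    ' Overwrite the local copies rather than leaving them in memory
    strOpenPwd = String(Len(strOpenPwd), "*")
    strWritePwd = String(Len(strWritePwd), "*")
End Function
```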

VBASigned property of the Document object

The VBASigned property might be useful to administrators who are concerned about documents not being safe to open. By attaching digital signatures to documents, it is possible to increase the safety of the document since you have a good idea who created it. To do so, you can use the document object ActiveDocument along with its VBASigned property. If it returns a “True”, it was digitally signed by someone. If your company uses digital signatures for documents, then you might want to intercept the SaveAs method and force the use of the ActiveDocument.Signatures.Add method to display a dialog of the digital signatures the user can apply to the current document prior to saving it. Use of the Signatures.Add method requires the use of digital signatures supplied by a certificate authority.

To identify a digital signature attached to a document, use the SignatureSet.Item method, assign the returned item to a signature object and then test the properties of that object, specifically the IsCertificateExpired property. Use the Signatures.Delete method to remove a digital signature from a Signature collection.

This example loads a document called “Temp.doc” and tests to see whether or not it has a digital signature. If no digital signature is found, the example displays a warning message.

Documents.Open FileName:="C:\My Documents\Temp.doc"
If ActiveDocument.VBASigned = False Then
    MsgBox "This document has no digital signature.", _
        vbCritical, "Digital Signature Warning"
End If
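An added example, not code from the Resource Kit, that goes beyond the VBASigned test above: it walks the SignatureSet collection and accepts the document only when at least one signature is valid, unexpired, unrevoked and issued by the expected certificate authority. The function and parameter names, the issuer name and the sample path are assumptions.

```vba
' Added example, not from the Resource Kit. Checks every signature on a
' document rather than only whether one exists. Names are assumptions.
Function HasTrustworthySignature(ByVal doc As Document, _
                                 ByVal strExpectedIssuer As String) As Boolean
    Dim sig As Signature
    Dim strRejected As String
    For Each sig In doc.Signatures
        If sig.IsValid And Not sig.IsCertificateExpired And _
           Not sig.IsCertificateRevoked And sig.Issuer = strExpectedIssuer Then
            HasTrustworthySignature = True
        Else
            ' Record why a signature was not accepted, for the warning below
            strRejected = strRejected & vbCrLf & sig.Signer & " (" & sig.Issuer & ")"
        End If
    Next sig
    If Not HasTrustworthySignature Then
        MsgBox "No acceptable digital signature on " & doc.Name & "." & strRejected, _
               vbCritical, "Digital Signature Warning"
    End If
End Function

Sub CheckTempDoc()
    Dim doc As Document
    ' Constructed sample path and issuer name for the demonstration
    Set doc = Documents.Open(FileName:="C:\My Documents\Temp.doc", AddToRecentFiles:=False)
    If Not HasTrustworthySignature(doc, "Contoso Corporate CA") Then
        ' Treat the document as untrusted: close it without acting on its contents
        doc.Close SaveChanges:=wdDoNotSaveChanges
    End If
End Sub
```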

WritePassword property of the Document object

The WritePassword property sets a password for saving changes to the specified document.

This example sets the WritePassword property to the password provided by the user in the PSWDDlg dialog. The ActiveDocument.WriteReserved conditional test is used to determine if a WritePassword has already been applied to the document (adding another password would change the existing password and in this case is not recommended).

PSWDDlg.Show
If ActiveDocument.WriteReserved = False Then
    ActiveDocument.WritePassword = PSWDDlg.PSWDVar1
End If
Unload PSWDDlg   'A UserForm has no Close method; Unload discards it

MailMerge object

The MailMerge object represents the mail merge functionality in Word.

Use the MailMerge property to return the MailMerge object. The MailMerge object is always available regardless of whether the mail merge operation has begun. Use the State property to determine the status of the mail merge operation. The following example executes a mail merge if the active document is a main document with an attached data source. This object has a password or connection property that can be compromised by storing a password or UserID as part of the program.

If ActiveDocument.MailMerge.State = wdMainAndDataSource Then
    ActiveDocument.MailMerge.Execute
End If

MailMerge DataSource object

The MailMerge.DataSource object represents the mail merge data source in a mail merge operation. This object has a potential password issue.

Use the DataSource property of the Document object to return the MailMerge.DataSource object. The following example displays the name of the data source associated with the active document.

If ActiveDocument.MailMerge.DataSource.Name <> "" Then _
    MsgBox ActiveDocument.MailMerge.DataSource.Name

The following example displays all the field names in the data source associated with the active document.

For Each aField In ActiveDocument.MailMerge.DataSource.FieldNames
    MsgBox aField.Name
Next aField

ConnectString property of the MailMerge DataSource object

The ConnectString property of the MailMerge DataSource object sets or returns the connection string for the specified mail merge data source.

This example creates a new main document and attaches the Customers table from a Microsoft Office Access 2003 database named “Northwind.mdb.” The connection string is displayed in a message box. The problem here is that the password and UserID could potentially be stored in this program and that is not a recommended method. It is suggested that the user of the program that accesses the data source be prompted for his UserID and password through a dialog and the resulting variables be submitted to the connection parameter of the OpenDataSource method.

Dim docNew As Document
Set docNew = Documents.Add
docNew.MailMerge.OpenDataSource _
    Name:="C:\Program Files\Microsoft Office\Office" & _
        "\Samples\Northwind.mdb", _
    LinkToSource:=True, AddToRecentFiles:=False, _
    Connection:="TABLE Customers"
MsgBox docNew.MailMerge.DataSource.ConnectString
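An added example, not code from the Resource Kit, serving both the "Common programming mistakes" passage and the ConnectString passage above: the credentials come from the chapter's UserIDPasswordDlg dialog, are checked for acceptable format before use, and are then submitted to OpenDataSource as an ODBC connection string. The dialog's UserID and Password members, the server name, the length limits and the use of an empty Name with Connection for ODBC are assumptions.

```vba
' Added example, not from the Resource Kit. Prompts for credentials, validates
' their format, and attaches the Employees table without any literal UserID or
' password in the macro. Dialog members and server name are assumptions.
Private Function IsWellFormedToken(ByVal strValue As String, ByVal nMaxLen As Long) As Boolean
    ' Reject empty or over-long values and the characters that delimit
    ' connection-string keywords, which would let input rewrite the string
    IsWellFormedToken = Len(strValue) > 0 And Len(strValue) <= nMaxLen And _
        InStr(strValue, ";") = 0 And InStr(strValue, "=") = 0 And _
        InStr(strValue, vbCr) = 0 And InStr(strValue, vbLf) = 0
End Function

Function AttachEmployeesSource(ByVal docMain As Document) As Boolean
    Dim strUser As String, strPwd As String, strConnect As String
    UserIDPasswordDlg.Show
    strUser = UserIDPasswordDlg.UserID
    strPwd = UserIDPasswordDlg.Password
    Unload UserIDPasswordDlg
    If Not (IsWellFormedToken(strUser, 64) And IsWellFormedToken(strPwd, 128)) Then
        MsgBox "User ID or password has an invalid format.", vbExclamation
        Exit Function
    End If
    ' The credentials live only in these locals for the duration of the call
    strConnect = "DRIVER=SQL Server;SERVER=ServerName;UID=" & strUser & _
                 ";PWD=" & strPwd & ";DATABASE=Northwind"
    ' ODBC: the connection string goes in Connection and the query in SQLStatement
    docMain.MailMerge.OpenDataSource Name:="", LinkToSource:=True, _
        AddToRecentFiles:=False, Connection:=strConnect, _
        SQLStatement:="SELECT * FROM Employees"
    AttachEmployeesSource = (docMain.MailMerge.State = wdMainAndDataSource)
    ' Never display DataSource.ConnectString here: it would echo the password
    strPwd = String(Len(strPwd), "*")
    strConnect = String(Len(strConnect), "*")
End Function
```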

OpenDataSource method

The OpenDataSource method attaches a data source to the specified document, which becomes a main document if it isn’t one already.

expression.OpenDataSource(…, PasswordDocument, PasswordTemplate, …, WritePasswordDocument, WritePasswordTemplate, Connection, …)

PasswordDocument—The password used to open the data source.

PasswordTemplate—The password used to open the template.

WritePasswordDocument—The password used to save changes to the document.

WritePasswordTemplate—The password used to save changes to the template.

Connection—A range within which the query specified by an SQLStatement is to be performed. How you specify the range depends on how data is retrieved. For example:

  • When retrieving data through ODBC, you specify a connection string.

  • When retrieving data from Microsoft Excel using dynamic data exchange (DDE), you specify a named range.

  • When retrieving data from Microsoft Access, you specify the word “Table” or “Query” followed by the name of a table or query.

OpenHeaderSource method

The OpenHeaderSource method attaches a mail merge header source to the specified document.

expression.OpenHeaderSource(…, PasswordDocument, PasswordTemplate, …, WritePasswordDocument, WritePasswordTemplate, …)

PasswordDocument—The password required to open the header source document.

PasswordTemplate—The password required to open the header source template.

WritePasswordDocument—The password required to save changes to the document data source.

WritePasswordTemplate—The password required to save changes to the template data source.

When a header source is attached, the first record in the header source is used in place of the header record in the data source.

Signature object

Security-enhanced digital signatures are only available from certificate authorities.

A signature object corresponds to a digital signature that can be attached to a document. Signature objects are contained in the SignatureSet collection of the Document object.

You can add a Signature object to a SignatureSet collection using the Add method, and you can return an existing member using the Item method. To remove a Signature from a SignatureSet collection, use the Delete method of the Signature object.

AttachCertificate property

True if the digital certificate that corresponds to the specified Signature object is attached to the document.

IsCertificateRevoked property

True if the digital certificate that corresponds to the Signature object was revoked by the issuer of the certificate (certificate authority). Read-only Boolean.

The following example prompts the user to select a digital signature to sign the currently active document in Word. To use this example, open a document in Word and pass this function the name of a certificate issuer and the name of a certificate signer that match the Issued By and Issued To fields of a digital certificate in the Digital Certificates dialog box. This example tests to make sure the digital signature the user selects meets certain criteria, such as not having expired, before the new signature is committed to the disk.

Function AddSignature(ByVal strIssuer As String, strSigner As String) As Boolean
    On Error GoTo Error_Handler
    Dim sig As Signature
    'Display a dialog to the user with a list of digital signatures.
    'If the user selects a signature, then add it to the Signatures
    'collection. If a selection is not made an error is returned.
    Set sig = ActiveDocument.Signatures.Add
    'Test the following properties before committing a Signature object
    'to disk.
    If sig.Issuer = strIssuer And sig.Signer = strSigner And _
        sig.IsCertificateExpired = False And _
        sig.IsCertificateRevoked = False And sig.IsValid = True Then
        MsgBox "Signed"
        AddSignature = True
    Else
        'Remove the Signature object from the SignatureSet collection.
        sig.Delete
        MsgBox "Not signed"
        AddSignature = False
    End If
    'Commit all signatures in the SignatureSet collection
    'to the disk.
    ActiveDocument.Signatures.Commit
    Exit Function
Error_Handler:
    AddSignature = False
    MsgBox "Action cancelled."
End Function


Microsoft Office 2003 Resource Kit 2003
Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)
ISBN: 0735618801
Year: 2004
Pages: 196