security issues with macros

Posted Mar 17, 2006 10:17 UTC (Fri) by kingdon (subscriber, #4526)
In reply to: Novell goes for the desktop by paulmfoster
Parent article: Novell goes for the desktop

My thoughts too. This is probably fixable, though.
There needs to be some distinction between "installing
software" and "opening a document", with the former
needed to run the macros (no, I haven't thought hard
about how this should be done, but the concept is
something we've seen before on the Linux desktop -
for example in terms of whether to autorun a program
on a CD when it is inserted). Even a dialog box
saying "this document contains macros? do you want
to run them?", which might not be the ideal user
interface, would still be better than nothing.

In addition, or instead, there might be an issue
of sandboxing the macros somehow (I don't know
enough about how they work to comment intelligently
on how feasible that is).



security issues with macros

Posted Mar 17, 2006 13:38 UTC (Fri) by eru (subscriber, #2753)

Even a dialog box saying "this document contains macros? do you want to run them?", which might not be the ideal user interface, would still be better than nothing.

I guess you have not looked at the real MS Office recently... It has precisely this kind of dialog. (I am not entirely sure if it is enabled by default, or comes from local default settings used in the company I work at). Anyway, it does not seem to help security much. So many spreadsheets flying around in the company (I suspect in most other companies as well) have macros that people click OK at the "execute the macros" dialog automatically. So it is totally useless.

What is really required is having the macros execute only within a tight security sandbox, where they cannot modify anything except the document they are part of. This would be OK for most uses of the MS Office macros. I don't know if Novell plans to do so, but anything else will import the MS Office macro virus nightmare to Linux.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.