Office suite security is hard
Posted Jun 14, 2007 10:24 UTC (Thu) by eru
In reply to: Office suite security is hard
Parent article: BadBunny? Only if you invite it in
Making effective macro control policies is hard. Imagine a technical writer at a software firm who has to do a fact sheet for the company website, referring to some (confidential) design documents. One would want to remove the ability to connect to outside websites from the confidential documents (to prevent information leaks) while allowing an upload of the HTML code to the company external website.
Sorry, but I don't see what this example has to do with macros, unless
you assume everything the technical writer does has to be mediated
by the document macros, which would be just silly. The updating
of the web sites is probably managed by some content management systems,
having their own more or less friendly web interfaces (so it is no
sweat for the writer to enter the document there when done), and enforcing
their own security rules. I don't think anyone would trust information
leak prevention based just on the document macros!
Where I have mostly seen macros being used (in the bowels of a large corporation) is in Excel-based apps, for example for creating a travel
expenses invoice or a request for a new PC. These applets typically do not
need external access. When they do, it would not harm usability if they
asked. Something like a box saying "Macro send_travel_invoice requests to
upload emp1234.odf to travels.mycompany.com. Allow? [Yes] [No] [Abort]". The box should come from the core of the application and
be visually formatted in a way that no macro can replicate.