Office suite security is hard

Posted Jun 15, 2007 12:21 UTC (Fri) by hummassa (subscriber, #307)
In reply to: Office suite security is hard by mrshiny
Parent article: BadBunny? Only if you invite it in

"if the macro in question is in a template, the macro may need to
automatically create new documents based on the template" -- OK, that I
think I have already said would be permitted.

"It's not unimaginable that a generated document might itself contain
macros, for the same reason that any document already contains macros" --
From the point of view of security, yes it is unimaginable that
non-template documents contain macros.

"Finally the macro language needs the ability to write these files to disk
somehow" -- I suggest opening the 'save as' dialog, WITHOUT file name, and
disallowing overwriting entirely.

"As for limiting the number of files created, this reduces the utility of
the macro for users with larger needs than yours. You might be generating
a mailing to thousands of customers and using a macro to do that" -- and
what is the problem with accumulating all the output (if it has to be saved
at all) in one single file?

"Personally I think the bigger question is why the macro permissions are
not more fine-grained [...] Considering that Sun owns OO.o and Java, I'm
surprised they haven't figured this out already." -- because Office suite
security is still not widely studied. That's exactly the point of my post:
things like overwriting files and creating documents should be HARD to do
in an Office suite macro environment (unless some hard,
non-easily-automated configuration is required for that exact document by
the user -- and this should come after).

The operations/limitations I described (*) blanketed every single system
implemented in macros I have knowledge of (and I work with a very complex
workflow system made 60% in Word macros) and would make it close to
impossible to make macro worms/viruses.

(*) trying again:
- templates creating a limited number of new documents,
- templates creating at most one new template -- and even this I deem
  fairly dangerous and not really necessary,
- documents cannot have macros,
- no automated writes (every time a new file is created, Save As dialog is
  shown without a default name),
- no overwrites at all.

Mind you, this means a template can create a mailing list, print it,
export the whole mailing list to PDF, or e-mail each of the recipients
in a database -- all operations that do NOT require it to save/overwrite
anything. This means if you have to have a form to be filled and some
processing/result of that form (even if you have to access the web / a
database / another document in the LAN for it), it's OK -- as long as your
macros are in the form template. Said processed form can then be printed,
exported, e-mailed, posted to the web, anything -- but not written over
another (existing) file.
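
The five restrictions listed in the comment above, sketched as a policy layer between macro code and the file system. This is an added example, not part of the original comment and not code from any office suite. The names `MacroSession`, `PolicyViolation` and `denied`, and the default limit of 3 new documents, are assumptions made for illustration.

```python
import os

class PolicyViolation(Exception):
    """Raised when macro code asks for an operation the policy forbids."""

class MacroSession:
    """Mediates what macro code in one opened file may do (hypothetical API)."""

    def __init__(self, host_is_template, save_as_dialog, max_new_documents=3):
        if not host_is_template:
            raise PolicyViolation("documents cannot have macros")
        self._dialog = save_as_dialog        # only the user picks a file name
        self._docs_left = max_new_documents  # assumed limit; the comment gives no number
        self._templates_left = 1             # at most one new template

    def new_file(self, kind, with_macros=False):
        if kind == "document":
            if with_macros:
                raise PolicyViolation("documents cannot have macros")
            if self._docs_left == 0:
                raise PolicyViolation("new-document limit reached")
            self._docs_left -= 1
        elif kind == "template":
            if self._templates_left == 0:
                raise PolicyViolation("at most one new template")
            self._templates_left -= 1
        else:
            raise ValueError(kind)
        return {"kind": kind, "macros": with_macros}

    def save(self, data):
        # No path parameter: the macro cannot choose or pre-fill the name.
        path = self._dialog()
        try:
            # O_EXCL makes create-if-absent atomic, so an existing file is never replaced.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            raise PolicyViolation("no overwrites") from None
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return path

def denied(action, *args, **kwargs):
    """True if the policy refused the action."""
    try:
        action(*args, **kwargs)
    except PolicyViolation:
        return True
    return False
```

Checking for the file and then opening it in two steps would leave a race window; the single exclusive-create call does not.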