Re: Features versus Security versus User Education

  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Re: Features versus Security versus User Education
  • From: David Foster <dfoster@PANIX.COM>
  • Date: Tue, 30 Mar 1999 08:41:44 -0500
  • Approved-By: Russ.Cooper@RC.ON.CA
  • In-Reply-To: <00e201be7a63$2b710250$2a78d6d1@methos>
  • Reply-To: David Foster <dfoster@PANIX.COM>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

Responding to a few things at once, to try to keep the number of posts down.

>If I want a user to fill out a form assisted by some dialogs, buttons,
>etc., so they fill it out properly (you know, good old fashioned data
>integrity checks, like "don't allow this field to be left blank" or
>"zero is not a valid salary/purchase order/payment amount"), and you
>don't have a good way of distributing macros or NORMAL.DOT files to
>all users (corporate use policy, geographically disparate locations,
>lack of communications except for e-mail, etc.), you have to transport
>the possibly one-time use macros with the document. We're trying to
>make office automation automated. We already have simple and tedious.

Distributing templates is not that much tougher.  And, apart from the
security concerns, is a much better idea anyway (no duplication of code,
easily updatable, etc.)  More importantly though, you should have the
choice to turn this "feature" off.  If you choose to distribute code in a
format that makes users more susceptible to viruses (it's just like
distributing .exe files via e-mail), that's fine, and may be appropriate
for your environment, but I'd like the ability to disallow it for my users.

And such a thing would be trivial to implement.  Some of the suggestions
here consist of major changes to the VBA and Office systems.  While some
are good ideas, the fact is that you could protect the average corporate
environment to a very large degree with just a few small changes to
Office.  But the holes are left wide open, for no good reason.

At 11:18 PM 3/29/99, Steve Sheldon wrote:
>>For instance, every Word macro virus I have encountered contains this line:
>Options.Virusprotection = Disable

I don't think this really matters that much.  Yes, I'd like the ability to
lock this setting, but once rogue code has run you're in big trouble
already.  The Melissa virus is a good example of a virus that doesn't
really need this setting in order to spread.  And Melissa's fairly trivial;
eventually someone's going to get serious about writing a virus.

Last point, I think MS gets away with this kind of behavior simply because
they can.  Office isn't sexy, and obscure DoS attacks consisting of hand
crafted network packets get a lot more attention.  But Office is the most
likely point of entry for viruses these days, and they hit *behind* the
firewall.  Melissa may be changing this, but they deserve a lot more
attention from the security community than they've received.
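
The "Options.VirusProtection = Disable" line quoted in the thread is a usable
indicator for anyone who has to sift through macro code. The scanner below is
an added example, written for this page and not code from the post or from any
Microsoft product it mentions. It assumes the property is a Boolean, so it treats
False, 0 and the "Disable" spelling quoted above as disabling values, and it
assumes two common ways the line can be dressed up: written inside a
"With Options ... End With" block, or hidden behind a trailing comment. The
macro text it scans is a constructed sample, not a real virus.

```python
import re

# Constructed sample VBA module (not a real virus): the one-liner the post
# quotes, a With-block spelling of the same assignment, and a benign module
# that only mentions the property in a comment.
SAMPLE_VBA = """\
Sub AutoOpen()
    ' nothing to see here
    Options.VirusProtection = False
End Sub

Sub Evasive()
    With Options
        .ConfirmConversions = False
        .VirusProtection = 0      ' same effect, different spelling
    End With
End Sub

Sub Benign()
    ' Options.VirusProtection = False   (only in a comment)
    MsgBox "hello"
End Sub
"""

# Assumption: the property is a Boolean, so False/0 disable it; "Disable"
# is the spelling quoted in the post and is matched as well.
DISABLING_VALUES = {"false", "0", "disable"}

_REM = re.compile(r"^\s*Rem\b", re.I)
_WITH_OPTIONS = re.compile(r"^\s*With\s+Options\s*$", re.I)
_END_WITH = re.compile(r"^\s*End\s+With\b", re.I)
_FULL = re.compile(r"^\s*Options\s*\.\s*VirusProtection\s*=\s*(\S+)", re.I)
_SHORT = re.compile(r"^\s*\.\s*VirusProtection\s*=\s*(\S+)", re.I)


def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside "..." literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_vba(source):
    """Return [(line_no, text)] for every statement that disables
    Options.VirusProtection, including the bare ".VirusProtection = ..."
    form when it sits inside a With Options block."""
    findings = []
    in_with_options = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = strip_comment(raw).rstrip()
        if not line.strip() or _REM.match(line):
            continue
        if _WITH_OPTIONS.match(line):
            in_with_options = True
            continue
        if _END_WITH.match(line):
            in_with_options = False
            continue
        m = _FULL.match(line)
        if not m and in_with_options:
            m = _SHORT.match(line)
        if m and m.group(1).lower() in DISABLING_VALUES:
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in scan_vba(SAMPLE_VBA):
        print("line %d: %s" % (lineno, text))
```

The With-block handling is the part a naive "grep for the string" misses; the
comment and string-literal handling is what keeps the benign module from being
flagged. As the post says, this only tells you a macro wants the setting off;
by the time such code runs, the damage may already be done.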