By default, Word won't run macros that aren't digital signed. This feature has been around since Word 2000. In Word 2007, macros can be disabled completely as I have set on my computer:
To deal with .js, .vbs, and .hta files, I set their file associations to Notepad. Richard -----Original Message----- From: Drsolly [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 16, 2008 6:07 PM To: Richard M. Smith Cc: 'funsec' Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting That's great for EXE files. But how would you handle DOC files (and similar things that include executable macros)? On Wed, 16 Jul 2008, Richard M. Smith wrote: > Another option is to have .EXE files digitally signed and the whitelist work > off vendor names in digital certs and not .EXE MD5 file hashes. This > stratergy would cut down a great deal keeping a whitelist up to date for > software updates. > > Richard > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of David Harley > Sent: Wednesday, July 16, 2008 8:15 AM > To: 'Drsolly'; 'Nick FitzGerald' > Cc: 'funsec' > Subject: Re: [funsec] Texas Bank Dumps Antivirus for Whitelisting > > > > > You're showing your age. ;-) Word macro viruses haven't > > been much > > > > of a problem for 6 or 7 years ever since Microsoft went to signed > > > > VBA code in Office. > > To be fair, the issue isn't really Word macro viruses: it's the fact that > they represent a class of objects where executable code is found in places > less obvious than a .EXE. A whitelisting solution that doesn't take them > into account is obviously less effective. > > > > Breaking down the hoary old mindset that has allowed the patently > > > stupid blacklisting approach to initially thrive, then survive for > > > so long, will be whitelisting's biggest challenge to broader > > > acceptability (and likely prevent it ever becoming > > widely used > > > in the least IT-literate parts of the market such as the > > SOHO and individual user segment). > > Stop me if you've heard this before. Irrespective of the prejudices of the > AV industry, the real problem is the sizeable market sector that thinks we > should be able to detect every malicious program by name, and is enraged > when we fail to do so. A sizeable subset of that group mistrusts any form of > behaviour analysis because they believe in the magic power of names (which > is why the industry continues to use reassuring names that sound specific > but are actually generic...) Whitelisting doesn't have to be technically > better: it just needs to be presented as a superior form of sympathetic > magic. > > > The main problem with whitelisting, is the high cost of maintenance. > > As opposed to blacklisting, which is... oh, wait a minute. ;-) > > -- > David Harley, ESET Research Author > AVIEN COO: http://www.avien.org > http://www.smallblue-greenworld.co.uk > > > > > > _______________________________________________ > Fun and Misc security discussion for OT posts. > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec > Note: funsec is a public and open mailing list. > > _______________________________________________ > Fun and Misc security discussion for OT posts. > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec > Note: funsec is a public and open mailing list. >
<<image001.png>>
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
