Russ Allbery <[EMAIL PROTECTED]> writes on 30 March 1999 at 01:04:26 -0800
> I'd like to back this up, and point out here that too much Microsoft
> bashing on this one is misplaced. This particular attack is not
> Microsoft-specific in any way other than having happened to be written
> against a widely used Microsoft application; the property that it needs to
> be effective is a document viewer with an embedded macro language in which
> macros are executed by default.
Yes, but...who except Microsoft markets such an application?
> Now, I'm not a Word user, so I don't know for sure, but I've at least
> heard that automatic execution of macros in Word documents is *off* by
> default. Extrapolating from that, however, I would imagine that Word
> probably pops up a warning dialog box, and users get tired of saying "yes,
> it's okay."
In Word 97, under tools/options/general, there's a checkbox "macro
virus protection", which is checked by default. This prevents
automatic running of macros when you open a document -- EXCEPT when
the document comes from a trusted source, which includes any document
you had to specify a password to open.
> In other words, to be blunt, this isn't a Windows problem. This is a user
> stupidity problem. The *only* effective long-term solution to these sorts
> of problems is to bludgeon people about the head with the idea that they
> should NEVER, EVER, *EVER* run *ANYTHING* that they get via e-mail, *even
> if it's from someone that they know*, without explicit confirmation of
> what it is and what it does, and that all of their programs need to be
> configured the same way. And that as annoying as warning boxes might be,
> they're there for a *reason*, and if they can't stand them, the answer is
> to disable all macros always, not turn them on.
If document macros ran in a limited environment analogous to the Java
sandbox, things would be a lot safer. Software-based protection isn't
the most solid approach, but as it's refined and tuned it gets pretty
good, and it offers significant protection for this sort of application.
--
David Dyer-Bennet [EMAIL PROTECTED]
http://www.ddb.com/~ddb (photos, sf) Minicon: http://www.mnstf.org/minicon
http://ouroboros.demesne.com/ The Ouroboros Bookworms
Join the 20th century before it's too late!