Firewall Wizards mailing list archives

RE: Annoying pop-ups


From: "Bill Royds" <broyds () rogers com>
Date: Fri, 1 Nov 2002 23:48:25 -0500

I have an original copy of Word (1985 for the Macintosh) and it had macros.  Most common use was to check validity of 
data entered on forms, a reasonable task for word processors. But the macros only had access to aspects of the 
document, nothing outside.

That is the real problem. If a Word Processor (or Spreadsheet etc.) is going to have programmable capabilities, they 
need to be sandboxed so they only act within that document, not give them full rein over the system.

This is also the problem with JavaScript. Allowing a scriptable formatter (dependent on browser, resolution, time of 
year, whatever) is one thing. Allowing an external bit of code to be able to write files is another.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Paul D.
Robertson
Sent: Fri November 01 2002 22:30
To: Christopher Hicks
Cc: firewall-wizards () honor icsalabs com; Gregory Austin; R. DuFresne
Subject: RE: [fw-wiz] Annoying pop-ups


On Fri, 1 Nov 2002, Christopher Hicks wrote:

> Macros aren't inherently evil and lots of people do need them.

They're an attack vector turned on for *everyone* when a small percentage 
of people actually use them.  I doubt that (before they were incorporated 
into Word itself so that decoupling was nigh on impossible) for the 
period of time that macro viruses were prevalent/disastrous, I doubt that 
2% of Word users had ever run a legitimate macro.

100% vulnerability prevalence for 2% functionality is a bad risk/reward 
ratio.

> We deal with folks in several companies that must use Word documents that
> require macros.  For instance, we have a small local phone systems company
> that has half a dozen users using a set of documents laden with macros
> from Samsung so they can build quotes and orders.  We've asked Samsung to
> provide the same functionality with less dangerous technology, but that
> seems unlikely to happen before the heat-death of the universe.  It's
> ugly, but there's not enough competition in the phone system market to
> weed out this sort of BS, so our client is stuck with it regardless of how
> much it irritates us from a security perspective.

That doesn't mean they can't turn it on for their "need."  Please note the 
discussion is centered around "default behaviour," not "included 
functionality."

> Macro-laden documents don't bother me per se, but the level of
> functionality provided by Office Basic is far too broad to be appropriate
> for general consumption.  I'm sure some people write macros that pull in

That was the exact point, so I think we're in agreement.

> We do see a steady growth in OpenOffice usage since the released 1.0 so
> hopefully these problems won't be with us in ten years.  Hope, hope, hope.

I dunno, I had to switch to cxoffice and Word/Powerpoint because 
StarOffice wasn't quite there.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
