Full Disclosure mailing list archives

Re: Macro threats


From: "matthew wollenweber" <mwollenweber () gmail com>
Date: Tue, 5 Jun 2007 14:01:25 -0400

When I do penetration tests I think macros are a useful tool. Most
organizations now have strong perimeter defenses. So the initial foothold
onto the network is a substantial challenge. For larger networks you can
anticipate stupid (unknowing) users that will launch a macro. Everyone has
their favorite set of Excel macros after all. It's not a clever attack, but
it gets the job done. The challenge of getting a foothold may increase the
pressure to use macro attacks. However, overall I think there will be a
slight decline.

In favor of not using macros is Web 2.0. Via web "defacement", XSS, DNS
attacks, and social networking sites, I can fairly confidently find a
secondary target that I know my primary target will visit. I can then attack
IE/Firefox. I think it's a fair bet to say there's always an exploit for
IE/Firefox/Flash/libjpeg/libpng/wmv/mpeg/etc that's standard content for web
pages. Further, Office 2007 is now on the scene. While I have no expertise
on Office, software is generally more prone to bugs (and thus attacks)
earlier in its life cycle. Therefore, Office attacks might focus more on
direct exploitation rather than using a macro.

The above is just my opinion. I have no hard data supporting it one way or
another, so take it as you will.

-Matt


On 6/5/07, Muscarella, Sebastian (IT) <
Sebastian.I.Muscarella () morganstanley com> wrote:

 Wanted to ask this forum's opinion on the state of macro threats.  While
we have not seen too many this past year which were actively exploited, we
wanted to know if there are any indications on whether this threat would
increase, decrease, become more sophisticated in the next year or two.

Any information would be very helpful.  We're currently looking at
enhancing some security features in-house around Microsoft Office, and want
as much intelligence on the topic as possible.

Thanks,

Sebastian Muscarella

 ------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender
does not intend to waive confidentiality or privilege. Use of this email is
prohibited when received in error.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Matthew  Wollenweber
mwollenweber () gmail com | mjw () cyberwart com
www.cyberwart.com