Firewall Wizards mailing list archives

RE: Annoying pop-ups


From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 1 Nov 2002 22:29:31 -0500 (EST)

On Fri, 1 Nov 2002, Christopher Hicks wrote:

> Macros aren't inherently evil and lots of people do need them.

They're an attack vector turned on for *everyone* when a small percentage 
of people actually use them.  I doubt that (before they were incorporated 
into Word itself so that decoupling was nigh on impossible) for the 
period of time that macro viruses were prevalent/disastrous, I doubt that 
2% of Word users had ever run a legitimate macro.

100% vulnerability prevalence for 2% functionality is a bad risk/reward 
ratio.

> We deal with folks in several companies that must use Word documents that
> require macros.  For instance, we have a small local phone systems company
> that has half a dozen users using a set of documents laden with macros
> from Samsung so they can build quotes and orders.  We've asked Samsung to
> provide the same functionality with less dangerous technology, but that
> seems unlikely to happen before the heat-death of the universe.  It's
> ugly, but there's not enough competition in the phone system market to
> weed out this sort of BS, so our client is stuck with it regardless of how
> much it irritates us from a security perspective.

That doesn't mean they can't turn it on for their "need."  Please note the 
discussion is centered around "default behaviour," not "included 
functionality."

> Macro-laden documents don't bother me per se, but the level of
> functionality provided by Office Basic is far too broad to be appropriate
> for general consumption.  I'm sure some people write macros that pull in

That was the exact point, so I think we're in agreement.

> We do see a steady growth in OpenOffice usage since they released 1.0 so
> hopefully these problems won't be with us in ten years.  Hope, hope, hope.

I dunno, I had to switch to cxoffice and Word/Powerpoint because 
StarOffice wasn't quite there.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
