Firewall Wizards mailing list archives
RE: Annoying pop-ups
From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 1 Nov 2002 22:29:31 -0500 (EST)
On Fri, 1 Nov 2002, Christopher Hicks wrote:
Macros aren't inherently evil and lots of people do need them.
They're an attack vector turned on for *everyone* when a small percentage of people actually use them. I doubt that (before they were incorporated into Word itself so that decoupling was neigh on impossible) for the period of time that macro viruses were prevalent/disasterous, I doubt that 2% of Word users had ever run a legitimate macro. 100% vulnerability prevalence for 2% functionality is a bad risk/reward ratio.
We deal with folks in several companies that must use Word documents that require macros. For instance, we have a small local phone systems company that has half a dozen users using a set of documents laden with macros from Samsung so they can build quotes and orders. We've asked Samsung to provide the same functionality with less dangerous technology, but that seems unlikely to happen before the heat-death of the universe. It's ugly, but there's not enough competition in the phone system market to weed out this sort of BS, so our client is stuck with it regardless of how much it irritates us from a security perspective.
That doesn't mean they can't turn it on for their "need." Please note the discussion is centered around "default behaviour," not "included functionality."
Macro-laden documents don't bother me per se, but the level of functionality provided by Office Basic is far too broad to be appropriate for general consumption. I'm sure some people write macros that pull in
That was the exact point, so I think we're in agreement.
We do see a steady growth in OpenOffice usage since the released 1.0 so hopefully these problems won't be with us in ten years. Hope, hope, hope.
I dunno, I had to switch to cxoffice and Word/Powerpoint because StarOffice wasn't quite there. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Annoying pop-ups Scott, Richard (Oct 31)
- RE: Annoying pop-ups R. DuFresne (Nov 01)
- Message not available
- RE: Annoying pop-ups Gregory Austin (Nov 01)
- RE: Annoying pop-ups R. DuFresne (Nov 01)
- Message not available
- RE: Annoying pop-ups Gregory Austin (Nov 01)
- RE: Annoying pop-ups R. DuFresne (Nov 01)
- RE: Annoying pop-ups Paul Robertson (Nov 01)
- RE: Annoying pop-ups Christopher Hicks (Nov 01)
- RE: Annoying pop-ups Paul D. Robertson (Nov 01)
- RE: Annoying pop-ups Bill Royds (Nov 02)
- RE: Annoying pop-ups Gregory Austin (Nov 01)
- Re: Annoying pop-ups Gary Flynn (Nov 01)
- <Possible follow-ups>
- RE: Annoying pop-ups Scott, Richard (Nov 01)
- RE: Annoying pop-ups Scott, Richard (Nov 01)