
Re: Winword Macro Viruses: unsafe to use Word as a viewer?



Regarding using macro-capable programs as web data viewers,
David M. Chess <chess@watson.ibm.com> writes:
DMC> 
DMC> ...  The Microsoft detection tool will warn you
DMC> if it finds macros in documents that wouldn't normally
DMC> be expected to contain macros, but it only works if a
DMC> document is opened in certain ways, ...

The MS-ScanProt.Dot protective macros should warn of any macros
found in a document, as long as the FileOpen macro is invoked.
This does depend on how the document was opened.  I did some
tests opening a document infected with WordMacro.Concept, with
the MS-ScanProt Normal.Dot macros installed on Word 6.0.
Your Mileage May Vary, but here is what I found:

Document-opened-by      Results    Command Line (or comments)
------------------      -------    --------------------------
MS-Word File/Open       Safe       (Intended usage for ScanProt)
PC Mosaic 2.0.a.8       Infects    Winword.exe %ls
FileManager, Run        Infects    Winword.exe Concept2.Doc
FileManager, DblClick   Safe
Our Email User Agent    Safe       (Not a common one, YMMV)
Icon, Full Cmd Line     Infects    Winword.exe Concept.Doc
Icon, File Cmd Line     Safe       Concept.Doc

Maybe if you give a full command line then the FileOpen macro
is bypassed.

I've read that it is also unsafe to open documents:
o  using a Recent Files menu or list. 
o  via Drag-and-Drop to the MS-Word program window. 
o  using the Macintosh Finder or Windows NT Find File. 
o  via "desktop scraps" in Windows NT or Win95. 

DMC> You could also use a script that first runs a virus-checker
DMC> on the document, and then opens it if it passes, ...

The MS-ScanProt.Dot method is to copy the suspect document,
sans macros, to a safe document.  It would be nice to have 
this capability in a stand-alone program.  You could then
use it in scripts to clean both incoming and outgoing email
and web documents.

DMC> It'd be better to use something that just doesn't include the
DMC> macro interpreter at all; I believe Microsoft's Word Viewer
DMC> is like that.

Yup.  It does not let you disinfect documents as you can with
MS-ScanProt.Dot, but it is safe to use as a web viewer.  AFAIK,
MS-WordView is the *only* safe web viewer for .Doc files.
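
Added example (not part of the original message, and not Microsoft's or ScanProt's code): a stand-alone pre-open check of the kind discussed above, which a script could run before handing a file to Winword.exe. It assumes that Word 6.0/95 keeps macros only in files flagged as templates, so a .doc whose header carries the template flag is refused; this is a heuristic, not a virus scanner, and anything it cannot parse is refused as well. The names gate and find_word_stream are hypothetical.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MINI_CUTOFF = 4096    # smaller streams live in the mini stream (not parsed here)
WORD6_IDENT = 0xA5DC  # FIB wIdent of Word 6.0/95 binary documents
F_DOT = 0x0001        # FIB flag at offset 10: file is a template

def find_word_stream(data):
    """Return (first_sector, sector_size) of the WordDocument stream, or None."""
    shift, = struct.unpack_from("<H", data, 30)
    if shift not in (9, 12):
        raise ValueError("unexpected sector size")
    size = 1 << shift
    def sector(n):
        return data[(n + 1) * size:(n + 2) * size]
    fat = []
    for s in struct.unpack_from("<109I", data, 76):      # DIFAT in header
        if s < 0xFFFFFFFA:
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    dir_sector, = struct.unpack_from("<I", data, 48)
    seen = set()
    while dir_sector < len(fat) and dir_sector not in seen:
        seen.add(dir_sector)
        block = sector(dir_sector)
        for off in range(0, len(block), 128):            # 128-byte entries
            entry = block[off:off + 128]
            name_len, = struct.unpack_from("<H", entry, 64)
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, length = struct.unpack_from("<II", entry, 116)
            if name == "WordDocument" and length >= MINI_CUTOFF:
                return start, size
        dir_sector = fat[dir_sector]
    return None

def gate(data):
    """Return 'allow', 'block-template' or 'block-unparsed' for a .doc file."""
    try:
        if data[:8] != OLE_MAGIC:
            return "block-unparsed"
        found = find_word_stream(data)
        if found is None:
            return "block-unparsed"
        fib = (found[0] + 1) * found[1]                  # file offset of the FIB
        ident, = struct.unpack_from("<H", data, fib)
        flags, = struct.unpack_from("<H", data, fib + 10)
    except (struct.error, ValueError):
        return "block-unparsed"
    if ident != WORD6_IDENT:
        return "block-unparsed"                          # fail closed
    return "block-template" if flags & F_DOT else "allow"
```

A wrapper registered as the helper application would read the downloaded file, call gate() on its bytes, and start Word only on 'allow'.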