Hacker News new | ask | show | jobs
by unnouinceput 1336 days ago
And a Word document is not running arbitrary code at all. Is running the code that was programmed in it. As for if that code gets to run at all, that depends on the configuration of the system. Do run it using a user that has no access to write/delete files and you'll see that the most malicious macro is benign.
1 comments
dementiapatent 1336 days ago
>Do run it using a user that has no access to write/delete files and you'll see that the most malicious macro is benign.

It could retrieve work from a server to start long running processes that mine cryptocurrency. And scan every IP/port on your local network and use metasploit to send matching exploits to everything it sees. And then hijack a local process running under a different user with disk write permissions.

I would like to see macros restricted similar to Javascript in the browser. You can still run code and manipulate local data, but you don't get any direct access to the host OS. No disk access, no registry access, no way to create a process, only able to calculate things and change the document itself. And there must be no checkbox to disable these protections.

link
unnouinceput 1336 days ago
All of the above means a poorly configured system. A correctly configured Windows system would not allow any of that to happen.

1- For network privileges you can restrict user to strict network location and nothing else.

2 - For scanning it also needs privileges that can be restricted using policies.

3 - Can't send anything if it doesn't have the correct privileges.

Who's stopping you to create your own version of VBA, release it and replace Microsoft Office suite with your own defined version as you said. And in the process of doing this you'll become billionaire too.

Until then, a correctly configured Windows system is immune to all of the above.

link
dementiapatent 1335 days ago
I salute the IT team who keeps all of those security policies in place while not interfering with daily operations.

>Who's stopping you to create your own version of VBA, release it and replace Microsoft Office suite with your own defined version as you said.

I'm stopping myself because nobody would use it :)

link