Beware of Virus-Infected Macros and Self-Signed SSL Certificates


Office Macro threats

I saw an article today whose headline ("Remember macro viruses? Infected Word and Excel files? They're back...") drew my eye. It also got coverage on The Register in their usual style :-).

The gist is that virus-infected Macros fell out of fashion due to security changes in Office, but now the target is the User rather than Office. The aim is to persuade the User that the document is more secure because the macro is present and to just click to enable the content.

The article (and the comments that follow) are mostly about random documents sent to you from somewhere out there on the Internet. Clicking to open those (let alone to enable macros) is rarely a good idea.

Inside an Enterprise, macros are used more frequently than the article needs to acknowledge. They're used to add extra automation functionality to Word and Excel. In this case, the macro-enabled document is often from a known colleague and the enterprise web domain from whence it came is a trusted zone.

Typically, a layered security model would be used inside an enterprise to defend against this threat.

The first perimeter layer should be mail scanning - do you really need macro-enabled documents coming in? If not, block them from inbound mail.

The next layer should be that all the client PCs are up-to-date with anti-virus signatures. Check that your enterprise anti-virus solution is scanning Office documents. This catches cases where a document has come in from a USB stick or a file sharing service like DropBox.

Application level filtering such as setting the macro security to "Disable all macros except digitally signed macros" provides a final layer, but it has the disadvantage that signing isn't well understood.

A way to improve security (not mentioned in the article) for behind-the-firewall macro-enabled usage is to generate and use a self-signed SSL security certificate. These are not so suitable for public websites, but are useful for internal sites and applications such as code signing (to confirm the software author and guarantee the code has not been altered). This is especially true if the organisation is large and there's a chance the colleague sending the file is not known to the recipient.

Self-signed certificates can be created for free using a tool such as the OpenSSL toolkit, which can be used to generate an RSA Private Key and CSR (Certificate Signing Request) for Linux/Apache environments. In a Windows based environment, you can use a tool such as SelfCert.exe, or generate a code signing certificate using Microsoft Certificate Services.

In some implementations the end-user will still get a warning and have to accept the certificate. Some argue this can promote bad habits if end-users become blasé about accepting SSL certificates because "they were told to". However, in the internal enterprise model we are addressing, the way around this is to pre-install the SSL certificate on every machine. That way, the trust question is never asked. A means to achieve this is for IT departments to push the certificate out as a trusted publisher to client PCs using group policies. Read this Microsoft TechNet article for more detail.

Tags: Compliance, Document Management and Control

Paul Walsh

Written by Paul Walsh

Paul Walsh was one of the founders of Cognidox. After a period as an academic working in user experience (UX) research, Paul started a 25-year career in software development. He's worked for multinational telecom companies (Nortel), two $1B Cambridge companies (Ionica, Virata), and co-founded a couple of startup companies. His experience includes network management software, embedded software on silicon, enterprise software, and cloud computing.

Related Posts

5 Steps to a Robust Corrective Action Process

It’s the job of your corrective action process to identify and eliminate the systemic issues that ...

5 Challenges in Building a Pharmacovigilance System Master File

Managing the integrity and accessibility of a PSMF (Pharmacovigilance System Master File) is a key ...

Mastering Non-Conformance Reports: A Guide for Quality Management

How do you log and deal with non-conformities so that faulty products don't end up in the hands of ...

The Importance of Document Control Systems in Business Operations

What does it mean to 'control documents'? And who needs a formal document control system to manage ...

Enhancing Document Management: Why Google Drive Falls Short

Google Drive is a cloud-based program that allows you to create, edit, store, and share documents. ...

Is SharePoint the Right Choice for Your Medical Device QMS?

A Quality Management System (QMS) is a requirement for medical device developers across the globe. ...