# Panic like it's 1999: Microsoft Office macro viruses are BACK

Macro viruses involving infected Word and Excel files were a plague in the late 1990s. Yet, like grunge music, the genre fell into decline as techniques and technologies moved on. More recently macro viruses have staged something of a revival, thanks to social-engineering trickery. Windows executable malware has dominated …

1. This post has been deleted by its author

2. #### I'm not dead yet! I don't want to go on that cart!!

I remember thinking "Isn't that a security risk?" when I first heard about VBA. We did not have to wait long for confirmation. It is worrying that they still haven't put a sufficiently tight sandbox around VBA. I can see reasons to use macros within a document (I have used for loops and while loops in LaTeX at times), but I see no reason why code within a document should ever be allowed to alter template files or indeed any other file on disk (except the printed, postscript, or pdf output) which outweighs the security risks involved.

1. #### Re: I'm not dead yet! I don't want to go on that cart!!

Before long people will be asking for code to edit or even create .txt, .csv. .xml files and the rest.

I can't begin to think what I haven't done with VBA over the years. Like everything else it's a powerful tool and putting it into a sandbox is getting around the real problem -- users bringing files onto the machine to run in the first place.

The current restrictive policies that MS have in place at moment is all down to the time when we had the Melissa and the ILoveYou virus sometime back in the last century. But cutting off VBA at the knees because of some malignent software is like saying thae we ought to stop C and C# applications writing to the hard drive too because someone may do something naughty with it too.

And, yes, I have written VBS to edit templates. Why? For lots of clients, who may be small firms with minimal skills I used to supply templates for their office: Memo, Letter, Long Document, Fax (in those days) and so on. I would have the basic VBA in those templates but they may decide to change their forrmatting.

Rather than pester me all the time for changes I gave them a tool which would change their document templates; such as Styles, Paragraphing, Tabs and Numbering. All those horrible things that most people couldn't understand or found it hard to use the inbuilt dialog boxes. So, in these cases I improved upon it by making them a VBA application which would do it for them.

In the days of the 'improved' Office interface such tools are even more useful than before. So, why stop VBA from editing .dot and .dotx files?

1. #### mixing what doesn't mix

Putting aside the brainless habit, hopefully in the past, of MS to usually allow a lot of dangerous features to be activated by default including Macros, AutoRun, RDP login, ActveX etc, the main problem with Macros (VBA) in MSO, as was suggested in the previous comment, is mixing executable code and document (formatting) in the same file, while allowing there some potentially dangerous code there. Most other document creation suites are more do distinguish these two different things.

Compare it with Emacs Lisp .el files or the same .tex files, the former might contain some potentially dangerous stuff, like shell-command-to-string function, however, an .el file is NOT a document! While the latter .tex file would not contain anything potentially bad, other than \write operator in TeX. A few precautionary measures are in place though. In case of LaTeX, all the Macro stuff is provided by the .cls and .sty files. Those are not documents though.

2. #### Re: I'm not dead yet! I don't want to go on that cart!!

"It is worrying that they still haven't put a sufficiently tight sandbox around VBA"

There are very tight security restrictions available for VBA out of the box - e.g. require signed code, only use trusted locations, etc. A sandbox isnt a solution for a tool that a substantial part of the pufrpose of is to allow access and integration to external code and data.

3. #### Users, Who'd have 'em.

That's the problem with macros and VBA scripts, so phenomenally useful for enabling and automating processes within a business but also dreadfully open to abuse.

If people could just think before enabling macros on a document, a lot of this trouble could be avoided. The problem is, however, there is still a substantial number of users who wouldn't even know what a macro is, think it's probably a necessity and so just turn it on, 'just in case'.

Sadly, despite all the warnings that Microsoft puts on its Office products when a potentially threatening file is opened (and these warning are a pain if you don't want to see them), the 'Just In Case' scenario for many users is still to enable the code.

1. #### Re: Users, Who'd have 'em.

Well... VBA scripts give at least a bit of use to office products as they allow at least a little bit of automation. Of course in an ideal world, people would just use flat text files and the unixoid tools available.

2. #### Re: Users, Who'd have 'em.

I know of one ERP suite that requires the Macro settings in Office to be turned to allow macros from any source to be executed, because their macros aren't signed... That leaves the users open to macro viruses, because they are no longer prompted.

1. #### Re: Users, Who'd have 'em.

>>"I know of one ERP suite that requires the Macro settings in Office to be turned to allow macros from any source to be executed"

I hope you told them why they're not getting your business. What kind of a company would do something like that?

If I want a new bathroom I can "get a man in"; he ummms and ahhhs and gives me a price then quotes me a timescale;3 months and £5k later we are still picking out the colour of the tiles and showering in the kitchen sink, but we have a glossy brochure and are confident it will be the best bathroom ever.

Or, I can get "a man in a mate of a mate down the pub told me about" and he turns up with a sledgehammer and some polyfila that night after a few whiskies and a packet of pork scratchings. The next day I have a bathroom.

A year later the floor/ceiling collapses, but it's OK, we ****d off after 6 months to another house and did the same thing there, and we're moving on to gas pipes and electrical wiring next now we have so much renovation experience!

Wow. I'm getting a few boo's from what I thought was a relatively tame post.

The moral was meant to be:

VBA = instant, which is great, but there can be unseen dangers building up if you rely on it too heavily and the users don't understand the code.

Full-on professional I.T. solutions are often "better" but can be prohibitively slow and costly.

...and I've seen far too many "experts" working on important projects who's only claim to fame = googling a couple of VBA scripts.

Users then trust these "experts" and, often, on their advice, tick a little box that says "allow all macros from all sources without notification".

Nice job ms BTW.

I don't want to see the castration of VBA but rather dramatic improvements to security in general throughout the windows os. I'd also like ms to build in a macro parsing "warning contains nuts" feature telling the user exactly what the code can/will do before they open/execute it. And ffs stop letting me crack all your ms office passwords in under 5 mins please using only the letters A and B...

I think the boos are probably mainly because people didn't get what you were trying to say. I know that I didn't on first read.

I thought for a moment I had strayed into an amanfrommars comment.

5. #### The macro virus would spread into a user's Office template files

How about making normal.dot file read-only for the current user, and using the Word Viewer for opening email attachments.

1. #### Re: The macro virus would spread into a user's Office template files

The latter would be a good alternative, but making Normal.dot read-only isn't an option for many users. I find I need to alter or add styles regularly.

1. #### Re: The macro virus would spread into a user's Office template files

Ideally the styles should be in each of the template files rather than normal.dot.

In fact, I will go so far and stick my neck out and say that one should never touch normal.dot -- don't mess with the styles and don't put code in there. I have always viewed normal.dot as a half-arsed 'thing' invented by MS to do their own thing.

In the case of Word (which is clearly what we're talking about) I would put code in templates in the start-up folder (and there could be loads of .dot files in here with VBA depending on what the user wanted) and also code in each of the document template files. It is in these where I would put the styles.

I have always seen normal.dot as something that can be sacrififced and if the suite of templates has been made strong enough then everything the user needs is in there and if normal.dot ever gets nuked then no change will happen to the user's Word environment.

I have always seen Word VBA as more than just mere macros. On some of my clients' sites I have very complex code which drives everyting from Document Management, Contact Databases and about everything that one could think of.

VBA, if I may counter, isn't "instant" at all. Yes, one can do quick hacks and runs but it is also a fully fledged language and development environment. I see it as VB6 with an Office application clagged onto the front and a whole slew of inbuilt objects to play with. Kiddie stuff it needn't be. There's a very large business out there which has in their code, and they won't know it, a binary tree search all done with VBA.

It's a great environment. Please don't wish it nobbled.

1. #### Re: The macro virus would spread into a user's Office template files

I put my macros in normal.dot. That way, I don't have to try to put macro code in documents that I'm asking other people to open, which invariably leads to (at best) confusion, or (at worst) open suspicion.

2. #### Re: The macro virus would spread into a user's Office template files

I don't think these things are actually macro viruses in the old sense, and making normal.dot read only will not work with these.

6. #### Really Shitty Impractical Security Advice..

"Szappanos offers a fool-proof way of avoiding infection - disabling macros: "There is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled. If you receive a document with this advice, be aware: you are probably being attacked."

Fool-proof, huh?

I love it when security researchers speak with authority on something they know little about... I want to go back to this line: "There is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled". Excel spreadsheets can pool data from a hundreds of different sources. In banking alone its common. Turn that feature off, and there is no content!

Half the world's banking systems run on VBA, and a lot of SME's too, so that's hardly an answer... Welcome to the real world 'Szappi' where things are messy, and companies are either loath to spend money on IT, too small, too cheap or too inept to implement things properly ala RBS meltdowns.... So disabling macros is hardly an answer, except if you want to cut out your heart just in case it gets a coronary!

So is Excel a wise choice? No, but that's the reality! A lot of businesses can't and won't wait years for full life-cycle development, and a lot of Fortune 500 shops are just too slow to deliver the goods, so business heads code their own tree-surgeon like solutions!

Part of the problem is this... Rapid Application Development hasn't progressed much since legacy VB6. Instead M$just keeps cynically changing things for ongoing lock-in. That means the roundabout start-to end app dev time hasn't improved at all. BTW: I'm not some MS hater, I'm MS certified, use C# et al and have a degree in IT. But what's key is this, is it quicker for me to develop in .Net? No it isn't! I always warn the trading team that its unwise to keep using VBA for everything... But they always respond with: Can you do it quicker in .Net or Java? I admit, No I can't... So they say do it in VBA as we need it yesterday! 1. #### Re: Really Shitty Impractical Security Advice.. If you're pooling data from hundreds of different sources, then it isn't content *in* the Excel sheet. I just deserve a pedant alert for that, but, if you're *receiving* the document, how many of those data sources are accessible to you? If it's from outside your company? So, you're unlikely to get useful results from an Excel spreadsheet with macros unless you already know everything about it (who wrote it, what the macros do, what data sources they're using). Enabling macros on a file you've just received from an unknown source because the file asks you to is foolish. Additional pedant point, Szappanos said "document", and every one of the example attacks in his paper is a Word file. For ordinary users, a document *is* a Word file, and I'd be interested to hear of scenarios where sending a Word document with macros is good for the recipient. Szappanos was offering foolproof advice. What does this mean for the half of the world's banking systems that are running on cobbled-together VBA, have they learnt anything from RBS? 1. #### Re: Really Shitty Impractical Security Advice.. I write a lot of additional functions, which take the data in cells and convert it. For example we have a time analysis module that calculates hours, based on book-in and book-out times from an entry system. Excel though wants to round 24 hours into 1 day, so 96 hours shows as 0 hours. A simple VB function adds a formula to Excel which automatically formats the hours correctly. 2. #### Re: Really Shitty Impractical Security Advice.. >>"Part of the problem is this... Rapid Application Development hasn't progressed much since legacy VB6. Instead M$ just keeps cynically changing things for ongoing lock-in. That means the roundabout start-to end app dev time hasn't improved at all."

There has been some recent progress on this. But the snag is it's Windows 8 onwards. So whilst it's nice, it will be a long time coming to the banking sector. Basically the new Web Plugins system for Office uses ONLY signed code which is accompanied by a manifest.xml file. The file defines exactly what permissions the running code has - e.g. a whitelist of remote servers it can access, what other files it can read from, whether it can access your address books, etc. It's pretty detailed. Adherance to the published restrictions is baked into the OS itself. But like I say, Windows 8 onwards only, so not a general fix any time soon.

3. #### Re: Really Shitty Impractical Security Advice..

You, sir (or madam), provide a breath of freah air of reality to the proceedings.

Thank you.

4. #### Re: Really Shitty Impractical Security Advice..

> Half the world's banking systems run on VBA

Exactly none of the worlds banking systems run on VBA.

The worlds banking systems came into existence a long time before VBA and none of the banks have migrated theses systems from the mainframes/server farms that they run on into an excel spreadsheet.

1. #### "Exactly none of the worlds banking systems run on VBA."

Internally they do, sorry to disappoint you Mr AC!

5. #### Re: Really Shitty Impractical Security Advice..

One of the things my customers get very bored with hearing from me is the mantra that:-

Excel must NOT be used in "production" situations. It should be considered as a "prototyping" tool ONLY.

Yes of course it takes longer to do the job properly. The classic analogy is using duct tape for something where the correct solution is more expensive and takes longer, but is a damned sight more durable in the long term.

7. #### receiving a document in a proprietary format

If you receive a document with this advice, be aware: you are probably being attacked

Exactly, when I receive mail with an attachment containing a document in a format other than text or other fully open document format, such as pdf, odf, abw, djvu, ps etc., I feel attacked by someone's ignorance. That's why following this advice I put a footnote at the end my own messages:

#Please do not send me Microsoft Office/Apple iWork documents. Send OpenDocument instead!

1. #### Re: receiving a document in a proprietary format

Shunning proprietary formats is fine until you make money from dealing with them and lose money as all your employees convert to/from them to deal with the rest of the world. Security is a tradeoff.

However, there are several things which could change to help the situation and this is where I hold MS to account for not progressing the state of the art in OS and application design. Free *nix is one thing, but if I'm paying someone for the next OS version, I expect progress.

The OS arbitrates resource access. MS can do this rather badly because it pushes security out to the application/GUI. E.g. on many citrix systems, cmd.com is locked down - you can't see it in explorer. However, open Word:File->open and you can copy, paste the file to a different name and execute it happily.

I want a "flag on modification" option from the OS, along with "remember for this session" options. I want separate installation locations for user-installed apps and admin-installed apps. I want security manifests with each application & user context. If IE wants to provide http access to other apps, the OS needs to mediate that. When you install an app, there should be a list of resources the app needs. Word might want access to http://wordtemplates.microsoft.com, which is fine. Access to all the internet is not. The security manifest can be ok'ed at installation and after that any resource access outside that manifest should be flagged by the OS. The same goes for email. Inter-application communication needs to go through the OS, not direct. That way we don't end up with a hodgepodge of apps doing their own thing. We'll also need categories for "its a local proxy" not and end-point.

I want directory filtering for data providers. Yes, skype can use my address-book without asking, but I only want it to see names plus any data it adds. Words with Friends can ask to use my address book but may only see names. So much data is held in network stores but our OS's haven't really progressed beyond file-systems. I want the WAF, DBF and LDAP firewalls to come to the OS, not be the preserve of rich enterprises. I know security is hard to do for end-users, but MS and Apple have enough market share to make it happen. Sadly, along with Google, they have all jumped on the, "all your data are belong to us" bandwagon. Perhaps this could be MS' USP in the mobile market, "We'll give you decent access controls on your data." It might work better than the Win8 TIFKAM strategy.

1. #### Re: receiving a document in a proprietary format

Shunning proprietary formats is fine until you make money from dealing with them and lose money as all your employees convert to/from them to deal with the rest of the world.

Good Lord, I don't make money by dealing with them... directly :) On another note, with all ridiculous ubiquity of MSO formats, some truly wonderful free formats are sadly unknown to so many. Say, djvu is the best for scanned documents. I get them rejected very often when trying to send scans.

1. #### Re: receiving a document in a proprietary format

So fucking why did I get 2 downvotes here, or was it the same ignorance in action I was talking about when mentioning the djvu format?

1. #### Re: receiving a document in a proprietary format

>>"So fucking why did I get 2 downvotes here,"

Same reason I get downvoted sometimes - snide, sanctimonious tone.

Either that or your proclaiming of how you often send people attachments in a format you pretty much know they wont be able to read ; )

(You're down to three downvotes now, at time of posting, btw)

2. #### Re: receiving a document in a proprietary format

And ODF has a macro language as well, as does PDF (you can embed JavaScript in it). And Adobe has more than enought problems with security in PDF documents. Your choice has nothing to do with safety.

1. #### js and pdf proprietary extension, @big_D

And ODF has a macro language as well...

Yes it does, it is defaulted to not being active, moreover, a user is warned multiple times, and I was referring to not only this...

as does PDF (you can embed JavaScript in it)

I see that you confuse the standard of PDF 1.0--1.7 with some proprietary inclusions for Adobe Acobrat. No, JavaScript is not a part of generally accepted PDF ISO standard!

And Adobe has more than enought problems with security in PDF documents.

Yes, and Adobe reader sucks the most of all pdf viewers, I remember that when you recompile with pdf(La)TeX and the pdf output is still open, Adobe reader would crash. Evince, kpdf/ocular atril, xpdf or even ghost viewer and X Emacs embedded pdf viewer are much better ways to go, not this piece of lame bloat from Adobe! There are quite a few nice ones for Android as well. And did I mention a non-MSWindows GNU/Linux, Android or *BSD environment?

Please don't take me for a clueless Windows ad.. I mean user.

Your choice has nothing to do with safety.

My choice has nothing to do with your assumptions,I take it.

1. #### Re: js and pdf proprietary extension, @big_D

>>"I see that you confuse the standard of PDF 1.0--1.7 with some proprietary inclusions for Adobe Acobrat. No, JavaScript is not a part of generally accepted PDF ISO standard!"

I don't think any recipient of an email attachment is going to know whether RandomFile.pdf is some sub-set of the general PDF files that isn't a risk or if it's not. That's the scenario that you gave when you put it on a list with text files, et al. that you were happier to receive as email attachments.

>>>>And ODF has a macro language as well...

>>Yes it does, it is defaulted to not being active, moreover, a user is warned multiple times, and I was referring to not only this...

It's the same as in MS Office. I just created a macro in Libre Office, saved it as part of the document then re-opened after restarting the program. I got a message saying the document contained macros and that this could be dangerous. I clicked "ok" and then I enabled macros. Only difference in MS Office that I see is that it highlights at the top that macros are disabled under the heading: "Security Warning" and puts the option to enable it there under that. In LibreOffice I have to go into a menu to do it and there isn't a message about security.

I don't see either way as significantly different - they're both just relying on the user knowing not to do this.

>>"Please don't take me for a clueless Windows ad.. I mean user."

1. #### Re: js and pdf proprietary extension, @big_D

I don't think any recipient of an email attachment is going to know whether RandomFile.pdf is some sub-set of the general PDF files that isn't a risk or if it's not

He or she might not know, that is why I warned against the use of acrobat reader, use a better PDF viewer and tool and don't use MS Windows, since it's complicated to get a decent default PDF reader, at least it's harder than on GNU/Linux or *BSD.

That's the scenario that you gave when you put it on a list with text files, et al. that you were happier to receive as email attachments.

I am not sure which scenario you're alluding to. The list I provided were standard document formats. I haven't heard about some proprietary extensions to djvu, postscript, dvi or text files, but even if those exist viewers that handle those are better off ignoring them.

It's the same as in MS Office.

I did not say it was not the same. Although it was primarily MSO Macro Viruses, I am not sure how LO is susceptible to those. I also mentioned that my reason to ignore MS office formats was not only the security concern.

That is a Windows admin. FYI, the two-dot (or three-dot) sign is called an ellipsis, (ἔλλειψις -- omission). No, I would not recommend that comment as a Windows ad :)

1. #### Re: js and pdf proprietary extension, @big_D

>>"I am not sure which scenario you're alluding to"

The one that I quoted in the post you replied to where you wrote that you feel "attacked by ignorance" if someone sends you an attachment in a format other than on your list. We talking about receiving files as attachments. You put ODF and PDF on your list of ones that you don't feel attacked by. I pointed out that PDF has a history of security risks and that ODF works on the same principles as OOXML in that it can contain embedded macros and relies on a user being informed enough to say "no".

>>>>I don't think any recipient of an email attachment is going to know whether RandomFile.pdf is some sub-set of the general PDF files that isn't a risk or if it's not

>>He or she might not know, that is why I warned against the use of acrobat reader, use a better PDF viewer

I'd say the overwhelming majority of users wouldn't know what version of PDF standard a file attachment comes in. Ergo, your arguing that PDF as an extension should be on the list of less dangerous attachments because some versions of the standard are safer is wrong. That is simple enough.

>>"FYI, the two-dot (or three-dot) sign is called an ellipsis,"

Yes, everyone with basic English knows what ellipses are. Rather obviously I was asking what "ad..." was supposed to be / what you were trying to say. It sounded vaguely like you were trying to mock something but I didn't get your meaning.

1. #### @h4rmony

I said it multiple times, "attacked by the ignorance" meant not necessarily security. It's ignorance of existence of free software often of superior quality for specific tasks. Just the phrase I quoted caught me there... Most of the time a text file, djvu or pdf file would be a better choice, attaching an Excel or a Word doc (or not being able to read say djvu) would be an ignorance in my mind.

the overwhelming majority of users wouldn't know what version of PDF standard a file attachment comes in.

For overwhelming majority internet and PC are a very dangerous place to be in already. I was simply arguing that if you use atril document viewer (like me) you're safer and more comfortable. The proprietary extension part of this file would not run, because it's not supported.

...because some versions of the standard are safer is wrong.

Once again, I meant the ISO open standard (versions <=1.7) Your allusion that it's a part of the ISO standard is wrong. A user is safer to use a free PDF viewer recognizing this standard and ignoring non-standard proprietary bits. I think I made it clear.

1. #### Re: @h4rmony

>>"I said it multiple times, "attacked by the ignorance" meant not necessarily security. It's ignorance of existence of free software often of superior quality"

I actually don't see anywhere that you said you weren't talking about security. But now that you've made that clear - so the story and conversation is about security but you're just using it as an opportunity to attack people who are using your non-preferred formats.

I don't think it's fair to berate people for sending you an Excel spreadsheet, much less say they're 'attacking you with their ignorance'. But anyway, it's off-topic. We're talking about security and OOXML and ODF are equivalent in the issue of macros. Actually I was corrected by Uffe elswhere - Windows actually flags files received over the Internet and Office will run these in "low integrity mode" even if you enable the macros, meaning reduced privileges.

>>"I was simply arguing that if you use atril document viewer (like me) you're safer and more comfortable. The proprietary extension part of this file would not run, because it's not supported"

For most people, a PDF viewer that seemingly randomly failed to handle PDF files wont constitute "better". ('seemingly' because few users are going to know an attachment is this standard or that standard when it just says SomeFile.pdf). This doesn't support PDFs going on a list of more trustworthy attachments.

>>A user is safer to use a free PDF viewer recognizing this standard and ignoring non-standard proprietary bits. I think I made it clear.

And a viewer that doesn't implement common parts of real world PDFs might be more purist and safer, but is going to be frustrating for most users, which is what I am saying. Most people will have a more full-featured viewer installed. In a discussion on attachment security, PDFs should not be on any preferred list is all that I'm arguing.

1. #### Re: @h4rmony

I actually don't see anywhere that you said you weren't talking about security.

Let's see here, did you see me actually talking about security in that post? I also was not talking about many other things. But a comment earlier above I did. I also had to correct you and others on what ISO PDF standard doesn't have.

..but you're just using it as an opportunity to attack people

Attacking people is not my hobby, ignorance is what I like to attack.

And a viewer that doesn't implement common parts of real world PDFs might be more purist and safer, but is going to be frustrating for most users...

So these are "common parts" and "the real world" already? Viruses and trojans are also a common part of the real world as well as virus scanners and antivirus software. There is a simple way to remove these common parts and from everyone's real world: use free, non proprietary software and file formats, period.

PDFs should not be on any preferred list is all that I'm arguing.

I am arguing the opposite, at least, it is good that you are not making my preferred list.

1. #### Re: @h4rmony

>>>>I actually don't see anywhere that you said you weren't talking about security.

>>Let's see here, did you see me actually talking about security in that post?

Well it's a story about security, you began you post with a quote about detecing when an email attachment was a security threat and replied to that quote with a list of attachment types you liked... which included PDFs and ODF. This is a pretty silly tangent, btw - you objecting to my saying PDFs shouldn't be considered secure by saying that (with nothing to suggest this, incidentally) that you weren't considering security. Okay, so that doesn't make what I said incorrect in any way, you just want to make clear that despite the subject and what everyone else is talking about, you were just launching off on a subject of your own. No problem. Let's move on.

>>"Attacking people is not my hobby, ignorance is what I like to attack."

Uh, no. If you start a post by saying you feel threatened by people's ignorance if they send an attachment you don't approve of, that's attacking them. Well, us, really, seeing as many of us do like / use those formats. Calling us "ignorant" is a threat. And given two people so far in this thread have had to explain about macros in ODF to you (one of your approved formats), "ignorant" isn't really fair, either.

>>"So these are "common parts" and "the real world" already? Viruses and trojans are also a common part of the real world as well as virus scanners and antivirus software. There is a simple way to remove these common parts and from everyone's real world: use free, non proprietary software and file formats, period."

Firstly, that doesn't address the part of my post you quoted, or any part in fact. Secondly, it's factually wrong. I can write malware using macros in Libre Office that relies on exactly the same principles of user ignorance as macros in MS Office. The only difference is that MS Office would run the macros in a lower privilege state than Libre Office even if you did enable them. The fact that they're (both) open, doesn't provide security. Equally I could write a GNU/Linux trojan this afternoon and it would be written entirely in Open Source code. You are confusing what Open Source is about. It's NOT about limiting functionality - which is why Libre Office has macros, to use the current example.

>>>>PDFs should not be on any preferred list is all that I'm arguing.

>>I am arguing the opposite, at least,

Specifically, the quote you have taken from my post above is talking a preferred list for security / trustworthiness. Arguing that PDFs should be more trusted is stupid as they have a known history as a method of malware delivery. And users do not distinguish between different versions of the PDF standard or check what extensions may be enabled.

>>it is good that you are not making my preferred list.

Okay.

1. #### h4rmony, you're super-great!

...if they send an attachment you don't approve of, that's attacking them.

Okay, is this is your definition (?), I feel from your comments I am attacking you as well. Since you're a Microsoft advocate here (while still using Debian and CentOS according your other comments, which is supposed to add more value to this, another get the facts business), so it's okay with me.

And, please, don't even try to refute it, at least with me, it won't work.

Calling us "ignorant" is a threat.

If you prefer sending docs in doc, docx, xls etc format when another format is a better way to go, than you are ignorant by my definition. Calling spade a spade is a threat to a spade, I agree with that.

I can write malware using macros in Libre Office that relies on exactly the same principles of user ignorance as macros in MS Office.

AMOF, I was talking about atril document viewer that won't allow all those bad things stupidly allowed by the proprietary Adobe reader, that according to you is mostly in use. I know you also mentioned, that without those scary and dangerous proprietary bits the IT world is devoid of color, beauty and sense. Are you sure it's only MS you're trying to protect here? But the due thanks do indeed go to Adobe, the good part of the company, that created the open standard of PDF and PostScript formats. MS doesn't even deserve one hundredth of this.

As far as your threat is concerned, go ahead and try infecting us, the users of ods, odt and odp format, you'll be praised to be the first one after those hundreds of thousands if not millions of Windows users that have fallen victims to this already. H4rmony is super-great! For myself, I'd call a math paper written in odf "an ignorance attack" as well (even if a person is a Math, Physics genius), for better formatting things should laid out by means of LaTeX or TeX.. Although a LO formula editor is much better adn closer to TeX than that infamous and ignorant MS Equations!

Arguing that PDFs should be more trusted is stupid as they have a known history as a method of malware delivery.

It is stupid if one uses Adobe reader, are you using one?.. on Debian and CentOS, I am sure you're not...

Okay

Okay? No it's great.

Preferring wine, but there is no such icon.

1. #### Re: h4rmony, you're super-great!

>>"...if they send an attachment you don't approve of, that's attacking them. "

If you have to cut your quotes from me off part way through a sentence, you may be trying to misrepresent me. It's a clue. Here's the full sentence I wrote:

>>"If you start a post by saying you feel threatened by people's ignorance if they send an attachment you don't approve of, that's attacking them"

Yeah, calling a lot of people ignorant is an attack on them. Especially when your reasoning that they are "ignorant" is because they just happen to be sending you a common file format that you personally don't approve of.

>>Since you're a Microsoft advocate here (while still using Debian and CentOS according your other comments, which is supposed to add more value to this, another get the facts business)

I'm not a "Microsoft advocate". I like good technology. All of my posts have been in defence of ill-founded accusations, not attacks by me on others. For example, Libre Office has the same macros issue as MS Office and has pretty much hit on the same solution as well. Pointing that out is not attacking Libre Office / ODF. Nor is it advocating MS Office. It's simply highlighting that someone shouldn't hold one up as more secure than the other in this regard.

Of course to a partisan person, neutrality appears bias. I like and use Debian and MS products. There's nothing wrong with that. In fact, it lets me make informed comparisons. I'm sure you recall that ridiculous discussion on Powershell vs. Bash where I posted a question asking for help on Powershell - a topic with no reference to Bash, and you waded in with a tonne of posts about how Powershell must be inferior to Bash before finally admitting you hadn't used Powershell. Having a wide range of experience is a GOOD thing, so I have no problem with you highlighting that I use Debian, CentOS and Windows 8 in my work. I'm happy to do so and I fail to see why that's a negative.

>>"If you prefer sending docs in doc, docx, xls etc format when another format is a better way to go, than you are ignorant by my definition."

First you have to prove that your other format is better. You have singularly not done that in this discussion. The above statement contains an unproven assumption which you appear to have taken for granted. Furthermore, just because someone doesn't agree with you, that is not a definition of ignorance.

In fact, two people pointed out to YOU that Libre Office documents can contain macros the same way that MS Office documents do, so I have some doubts just how much you actually know on the subject.

>>"I know you also mentioned, that without those scary and dangerous proprietary bits the IT world is devoid of color, beauty and sense."

I said nothing remotely like that. If you even respond to this post have the decency to find something I've written in this thread that remotely matches up to what you just said that I said. It's a ridiculous thing to post - anyone following this thread can easily look back at my posts and see you're now making up positions for me.

>>"But the due thanks do indeed go to Adobe, the good part of the company, that created the open standard of PDF and PostScript formats. MS doesn't even deserve one hundredth of this."

See, I'm trying to argue security aspects of file formats and features. You're repeatedly going off to make emotive assertions about what Microsoft doesn't deserve. This is why your arguments keep shifting around - because you use them as tools to shore up your dislike rather than as an interesting discussion in and of themself. I keep trying to stay focused on security, you keep using my posts to launch off into diatribes about proprietary software. And so eventually, I end up making a post like this where instead of talking about execution priveleges for Macros as I was earlier, I'm just defending myself against rambling attacks and sly suggestions that I'm making things up. Oh, and childish comments about how h4rm0ny is not on your preferred list. *sigh*

>>"As far as your threat is concerned, go ahead and try infecting us, the users of ods, odt and odp format, you'll be praised to be the first one after those hundreds of thousands if not millions of Windows users that have fallen victims to this already. H4rmony is super-great! "

This is not only childish, but gross misinterpretation and I really object to it. Firstly, I made no "threat". I pointed out that I could write a trojan for GNU/Linux that worked on exactly the same principles as one for Windows. That's a technical point and an accurate one. Secondly, don't even try to pull an "Us vs. Them" when you say 'go ahead and try infecting us'. I use GNU/Linux daily, as you know. You don't get to cast me as some Other. I started out with SuSE 6.4 long ago. Like it or not, I'm part of the Linux community, so tough. You have no special claim to represent the Linux community and in fact, I think your preachy comments about how other people are ignorant cast us all in a bad light, tbh.

>>"For myself, I'd call a math paper written in odf "an ignorance attack" as well (even if a person is a Math, Physics genius), for better formatting things should laid out by means of LaTeX or TeX.."

So? Are we meant to conclude that if LaTeX is better for laying out maths papers than ODF then someone is wrong to use OOXML over ODF? You're missing a few steps there. Argument by analogy is generally a poor dodge to avoid having to prove something. Or is your contention that if you accurately call something ignorant in one case, then you are accurate to call something ignorant in another? Again - missing a few steps.

>>"Although a LO formula editor is much better adn closer to TeX than that infamous and ignorant MS Equations!"

By this point, I'd be willing to bet money that you have no significant experience in using the current formula editors in MS Office. Am I right? For a start "MS Equations" was deprecated some years ago. I think it's still available for backwards compatibility, but formula editing is built into MS Office without that now. Because I'm near certain you don't use it, based on your history of criticising without actual experience (ref. the extended argument you had about the flaws in Powershell before admitting you hadn't used it), I bothered to install the Maths plug in for Libre Office to do a quick comparison. Obviously there's no substitute for experience, but here are two screenshots of me editing a famous equation in both products, which I entered from scratch. I think the comparison is actually quite a fun one:

Here is Office 2013 formula editor: http://oi62.tinypic.com/2iqfjw6.jpg

Here is Libre Office formular editor: http://oi57.tinypic.com/2091r2d.jpg

Note, it took me a few goes to find the formula editor in Libre Office as I've not used it before. I found it tucked away under Insert->Object->Formula. On the ribbon, you just go to the Insert tab and there's a big Pi symbol with formula written underneath it, which I personally find a little more accessible.

Anyway, looking at them both and trying to enter some formula, I don't see the basis for claiming superiority for LO's implementation. Although I'll concede you did deliberately compare it to older and officially deprecated tools. Libre Office does have a long-hand text entry box option which MS Office does not, but I found it pretty painful to use. I'm still interested to know if you've used the current version of formula in MS Office seeing as you're so keen to criticise. Honest answer, please.

>>"It is stupid if one uses Adobe reader, are you using one?.. on Debian and CentOS, I am sure you're not..."

No, I'm not. But the world of computer security doesn't depend on what I use. I said PDFs shouldn't be on a preferred list for security (several times now, my point really should be quite clear). That some people use less capable PDF readers than the current most popular PDF reader in the world, is not an argument that they should be. You do this repeatedly - instead of rebutting my point, you quote part of it and then say something true as if it does rebutt my point without actually showing in any way how it does (or could!).

As to the final silly little barbs you're sticking on the end of your posts, I'm going to recap:

You: "it is good that you are not making my preferred list."

Me: "Okay".

You: "Okay? No it's great."

What should this exchange tell you about your posts? That they are personally antagonistic and that you're being rather childish. Just stick to the discussion and if you want to talk about relative security of file formats, I'm happy to do so. I'm even happy to talk about the merits of Libre Office vs. MS Office formula editors. But lets not have this ridiculous stuff about how I'm not on your preferred list. I don't care and it benefits no-one.

1. #### Re: h4rmony, you're super-great!

Made a typo in my formula! Correct one for Office 2013 is here: http://oi60.tinypic.com/2lut8vs.jpg

Not that it would matter for purposes of illustrating the formula editors, but I feel sure that detail would be used to hone in on rather than actually comparing the editors if I didn't correct it.

1. #### math editors

Just a quick reply. Did you notice that in Lomath editor a bottom window allows entering raw text, a pseudo mark-up language somewhat similar to TeX. On your pictures it is not obvious if it is there. Perhaps, the current MSO analog also allows this method of entering the text. In particular, that Heisenberg's principle would be entered like this:

%DELTA x %DELTA p>= {hbar}over{2}

In LaTeX though it would be

$\Delta x\Delta p\geq \frac{\hbar}{2}$

From my own long experience, entering raw text is much faster than clicking on icons, this is one of the reasons why people went TeX and LaTeX. Moreover, my LaTeX documents as any other editing is done in GNU Emacs. With autocomplete mode for LaTeX if type "\De" I get an auto completion prompt if wait for half a second, then I press a tab for it.

AOMF, I had to deal with MS Equations circa 94-96 it was a disaster as an editor. The idea to embed pictures for every single pictographic item was brainless. Not only it was a mouse-driven principle to enter formulas, the fundamental problem with that was that with a 10 page document filled with a few formulas you get a non-editable document. I remember if press save and wait for tens of minutes before it crashes... Just recently a colleague asked to convert her document to LaTeX, since this (a British) journal didn't like the style and the fact it was in MS Word, not that they are not accepting it in doc, but they require a certain style there. It's hard to change style if it's not in (La)TeX, hard to automate it. So, I tried to convert it, but the formulas were all embedded pictures. She was using some version of MSO that didn't have this better approach to formulas. All formulas had to be retyped.

1. #### Re: math editors

>>"Just a quick reply. Did you notice that in Lomath editor a bottom window allows entering raw text, a pseudo mark-up language somewhat similar to TeX. On your pictures it is not obvious if it is there."

Yes. From my post: "Libre Office does have a long-hand text entry box option which MS Office does not, but I found it pretty painful to use."

Much of the rest of your post is (a) comparing TeX / LaTeX to the tool when what you wrote was that Libre Office's formula editing was much better than the one in MS Office - I don't wish to just change subject from what you claimed; and (b) repeatedly talking about MS Equation Editor which as I pointed out, is old deprecated and has been replaced some time ago.

I several times in my post asked if you had actually used the current version in any way that actually would give you some familiarity with it. You've not answered that. I'm going to take this as admission that you haven't. If I'm wrong then by all means correct me.

>>Just recently a colleague asked to convert her document to LaTeX, since this (a British) journal didn't like the style and the fact it was in MS Word, not that they are not accepting it in doc, but they require a certain style there. It's hard to change style if it's not in (La)TeX, hard to automate it. So, I tried to convert it, but the formulas were all embedded pictures

Here is the formatting options for formula in the current version of Word: http://oi57.tinypic.com/s1kl6t.jpg

And this is why I keep repeating that it's pointless for you to keep attacking the way things were in the past. Technology progresses and if you're going to start arguments about why ODF is better than OOXML and say people are attacking you with their ignorance for attaching the latter, then it doesn't support your argument to talk about old legacy versions.

Incidentally, you can also export the formulas you create in Word as MathML which is, as I'm sure you are aware, a popular standard and also means, should you wish, it's pretty easy to transform formulas you create in Word into TeX / LaTeX if you wish.

>>AOMF, I had to deal with MS Equations circa 94-96

Precisely. If you're going to start talking about the inferiority of one file format to another, you have to talk about the current and standard ones, not "circa 94-96" if you want to support such a statement.

Why don't you just try the new versions and see for yourself if you like them? At least then you'd be making an informed choice.

1. #### Re: math editors

Oh, and seeing as in response to my comment about how MS Office and Libre Office are similar in macro security we are now talking about maths editors (which suggests you might be shifting the goal posts, slightly, btw), I'll throw in one more thing you can do in MS Office for maths formulas:

http://oi62.tinypic.com/15yjb5k.jpg

I did that on a Surface RT with my finger. I imagine with a proper stylus such as on a Pro, you could do a whole lot more. There's a slight mistake in it where it's mistaken a symbol but that's easily corrected by just highlighting it and selecting the correct one.

2. #### Re: js and pdf proprietary extension, @big_D

[i]>>It's the same as in MS Office[/i]

It's similar. But MS Office (since Office 2010) also *sandboxes* documents that have been received from the Internet zone. This applies to files received through email or downloaded through a browser (all browsers support this).

Such files contain a marker in an alternate data stream that specifies that the file came from the "Internet zone".

When Office opens such a file it will open in a sandboxed process. The entire process runs in "low integrity mode" - and thus whatever it's macros may try to do - even if enabled - they will be restricted to the permissions of the low integrity process.

1. #### Re: js and pdf proprietary extension, @big_D

>>"It's similar. But MS Office (since Office 2010) also *sandboxes* documents that have been received from the Internet zone. This applies to files received through email or downloaded through a browser (all browsers support this)."

Good point. I actually knew that and forgot it. Thanks for correcting me.

3. #### Re: receiving a document in a proprietary format

>>"Exactly, when I receive mail with an attachment containing a document in a format other than text or other fully open document format, such as pdf, odf, abw, djvu, ps etc., I feel attacked by someone's ignorance"

PDFs have contained malware in the past. You shouldn't put it on a list of inherently trustworthy attachments. Similarly an ODF document is actually a library which can contain macros for the document. And (correct me if I'm wrong somebody) the standard language used for macros in Libre Office can make system and file system calls. You can try this yourself very easily - just create a new document in Writer, open the macro editor and create a new module under that document and save it.

You'll get a warning of "this document contains macros" just the same as you do in MS Office. No better, no worse, really. They're both dependent on the recipient knowing well enough not to enable them.

Also, OOXML is an open standard, btw.

1. #### Re: receiving a document in a proprietary format

PDFs have contained malware in the past

Every piece of Windows software might have contained malware in the past. No, I am not referring to proprietary Adobe Distiller specification. To be on a safer side, to create PDF documents, use La(TeX), postscript and pdf tools, conversion by means of a PostScript driver would also help (there is also a generic PS/PDF printer available with CUPS distribution). I also use ImageMagick, fpsed pdf/ps annotator and pdftk suite for various purposes.

Also, OOXML is an open standard, btw.

I hope you weren't born yesterday and know about all the controversies of this standardization, in case, you haven't heard there is an article on it.

1. #### Re: receiving a document in a proprietary format

>>"Every piece of Windows software might have contained malware in the past"

Which is why we have things like virus scanners. Windows having a history of malware doesn't mean PDFs don't also - it's not a competition. You put PDFs on your list of attachments you considered acceptable. It has an ignoble history of exploits. Windows malware doesn't justify preferentially treating PDFs.

>>"To be on a safer side, to create PDF documents, use La(TeX), postscript and pdf tools, conversion by means of a PostScript driver would also help "

We're not talking about ways to avoid creating malware. You can do that just by, well... not creating malware. We're talking about receiving these documents, not whether there's a security risk in creating them!

>>>>Also, OOXML is an open standard, btw.

>>I hope you weren't born yesterday and know about all the controversies of this standardization, in case, you haven't heard there is an article on it.

Yes, very familiar with the history. More interested in the present. The old OOXML was a hatchet job containing a lot of parts that still hadn't been documented properly. It shouldn't have been approved, all agree and I opposed it too at the time. The new version is much, much better and is an open standard. Things move on.

8. "There is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled."

I've often said the same about JavaScript. But it never stops people from designing web pages that way.

1. Agreed. The only JavaScript needed, or on any of my pages, is when there's a form then there's a simply bit of JavaScript to put the cursor into the first control.

Other than that I shun the beast entirely for a myraid of reasons.

9. The security guy evidently has never worked in a corporate environment. Virtually all our corporate Word templates have macros in to create metadata for the CMS to index, while its a rare Excel spreadsheet that /doesn't/ have a raft of VBA attached.

1. I agree.

But I also agree with "the security guy". VBA is an exceptionally bad way to create or track 'metadata' or populate a spreadsheet. Heck, even Sharepoint would do a better job.

Well, it's OK as long as it's just for your own private use, and you'll export the results to some static format before sharing them with others - but in a sheet you pass around and share between others? That's like sharing a condom.

10. #### Yeah, just like..

"There is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled."

Yeah, just like with HTML and Javascript.

Oh wait...

## POST COMMENT House rules

Not a member of The Register? Create a new account here.