Sign in / up

back to article PSA: Turning off silent macros in Office for Mac leaves users wide open to silent macro attacks

A security hole in Office for Mac can be exploited by miscreants to potentially run malicious code on victims' shiny computers without anyone noticing. The CERT Coordination Center at Carnegie Melon University, on the US East Coast, warns the bug arises when folks activate the "disable all macros without notification" option …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Pascal Monett Silver badge
    Facepalm

    I don't get it

    As a programmer, how can one possibly get two different results for doing the same thing, but one is with notification and one is without ?

    I'm not going to code disabling macros twice, having a notification is just an option, so how did Microsoft get there ?

    23 0 Reply
    1. Paul Crawford Silver badge
      Reply Icon

      Re: I don't get it

      It seems even worse, as it appears to be Mac-specific. I mean, just how fragmented is the code base?

      13 0 Reply
      1. GnuTzu
        Reply Icon

        Re: I don't get it

        I would say it must be very cobbled together, but then that would be an insult to cobblers.

        Kidding aside, I think it really hints at how applications that handle many document formats will have separate code bases for families of formats. Even more, the thing about macros, scripting, languages, and the such is that we can reasonably expect multiple interpreters--each with their own code bases.

        Wait, does Office support anything other than VBA? Sorry, time for a bit of research. Yet, I'll leave the point above stand as a general concept.

        Sure, I like to take a poke at Microsoft when I get the opportunity. But, those of us who don't use commercial software (except maybe some drivers) need to watch out for this as well. Surely, this is a key anti-pattern that we're looking at here, and it could well happen elsewhere and likely has.

        5 0 Reply
        1. katrinab Silver badge
          Reply Icon
          Flame

          Re: I don't get it

          "Wait, does Office support anything other than VBA?"

          Applescript, javascript, and objective C apparently. The latter being new additons for scripting support. So, plenty of ways to cause havoc.

          4 0 Reply
          1. GnuTzu
            Reply Icon
            Thumb Up

            Re: I don't get it

            Ah, much thanks. Now, shall we rank them for how exploitable they are? Umm... let's see, anything that can get you to an evil web page can get a password. Anything that can write a file can plant mal...root... Wait, most people here already know this stuff. O.K. so we like to preach to the choir just a teensy bit.

            2 0 Reply
      2. Fungus Bob
        Reply Icon

        Re: just how fragmented is the code base?

        Let's see, we have an office "suite" that started out as 3 separate applications that got duct taped together 3 decades ago and have been updated numerous times, had other things shoehorned in, got ported to different operating systems, been relentlessly hacked, whacked and patched so much that the whole thing is now only held together by unicorn farts and happythoughts.

        0 0 Reply
    2. stiine Silver badge
      Reply Icon

      Re: I don't get it

      By being a poor programmer writing code for a poor system. You don't think that the Visual (basic|studio|etc) line of products were designed for consumers, do you?

      3 0 Reply
  2. don't you hate it when you lose your account

    Testing

    How did this get through quality control? It's not as if there were an infinite number of criteria to test against

    12 0 Reply
    1. schplazingo
      Reply Icon

      Re: Testing

      Microsoft doesn't have QC any more. As long as it compiles two times out of three it just ships it out, waits for the users to find the bugs and then, maybe, at some point in the future, thinks about fixing some of the more egregious ones.

      21 1 Reply
      1. Claptrap314 Silver badge
        Reply Icon

        Re: Testing

        Microsoft doesn't have QC.

        FTFY

        3 1 Reply
    2. DJV Silver badge
      Reply Icon

      Re: Testing

      Dictionary definition of testing: Something Microsoft used to do but now leaves for their beta testers users.

      13 0 Reply
      1. don't you hate it when you lose your account
        Reply Icon

        Boeing

        All sounds like a lack of regulation. If the software you use was an airplane, would you use it or worse not hold the manufacturers responsible?

        3 0 Reply
        1. stiine Silver badge
          Reply Icon

          Re: Boeing

          If software was an airplane, I'd be at the airport with a video camera feeding the internet, with ads.

          7 0 Reply
          1. Tom 7
            Reply Icon

            Re: Boeing

            I love the smell of long pig roasting in the morning

            0 0 Reply
        2. GnuTzu
          Reply Icon
          Unhappy

          Re: Boeing

          It just hit me that failed regulation in a certain wealthy country resulted in two tragedies in poorer countries. And yes, I have been following this; It's just that the subtlety somehow didn't register.

          The second pitot was an option because Boeing was permitted to make it appear that the system wasn't critical and thus not be subject to a mandatory redundancy requirement. Yet, airlines of wealthy countries went ahead and bought the optional second pitot, while less wealthy ones did not.

          I'm feeling very nauseous at the moment. I think I'm likely to feel that way for a very long time. Can we have our democracy back, please, so that our votes actually count?

          7 0 Reply
          1. ma1010
            Reply Icon
            Unhappy

            Re: Boeing

            Well, right now you can vote for the Republicans who are pretty much owned by the corporations, OR you can vote for the Democrats who are pretty much owned by the corporations.

            Yeah, I'm sick of them, too. Screw 'em all! Let's start our own political party that's actually for the people! All we have to do is find some sponsors with enough money to pay campaign expenses so we can advertise our new party and get candidates elected. We need someone with lots of money, though. Like, uh, some big corporations...

            Oh, yeah, looks like we have a problem there. I guess we're screwed before we start, actually.

            7 0 Reply
            1. GnuTzu
              Reply Icon

              Re: Boeing

              Yeah, the difference between the two parties is that one is a little less transparent about being owned by corporations while the other is a little more in denial about being owned by the corporations.

              And, I'm not holding my breath, but: fairvote.org and represent.us

              2 0 Reply
          2. Anonymous Coward
            Reply Icon
            Anonymous Coward

            Re: Boeing

            Remember, we're not a *democracy*, we're a *republic* as many will observe.

            2 0 Reply
          3. Anonymous Coward
            Reply Icon
            Anonymous Coward

            Re: Boeing

            "Can we have our democracy back, please, so that our votes actually count?"

            Democracy was dealt a serious blow after Citizens United.

            (It's important to note that the last two words of that sentence are capitalized to show that it has an opposite meaning of what you'd think)

            2 0 Reply
          4. veti Silver badge
            Reply Icon

            Re: Boeing

            It's not impossible, just difficult.

            You need to make it harder to buy votes. Stop political advertising, make it illegal for politicians or their supporters to pay for publicity of any kind.

            It'll require a constitutional amendment, but that's not impossible either.

            4 0 Reply
            1. GnuTzu
              Reply Icon

              Re: Boeing

              "...harder to buy votes..."

              Actually, plank #1 at represent.us is establishing anti-corruption laws.

              0 0 Reply
        3. Anonymous Coward
          Reply Icon
          Anonymous Coward

          Re: Boeing

          Now that's an idea, to add an EULA to airplane tickets?

          4 0 Reply
          1. GnuTzu
            Reply Icon

            Re: Boeing

            Oh, that is such an evil idea. So, why did I just vote it up? It seems this twisted world has got me so confused that I thought it must have been a joke. Yet, that's the way it's going, isn't it? When we buy a ticket, we're going to sign our lives away--literally. (And, that's not the valley girl, err and boy, meaning of "literally".)

            1 0 Reply
      2. MiguelC Silver badge
        Reply Icon
        Coat

        Re: Testing

        At least Microsoft can boast of having the largest testing team in the world, at around 1.2 billion.

        That's how committed they are to testing!

        8 0 Reply
        1. GnuTzu
          Reply Icon
          Thumb Up

          Re: Testing

          It actually took me a second to get that, but only a second. O.K. maybe two.

          0 0 Reply
      3. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: Testing

        When did MS *not* leave testing to their users?

        0 0 Reply
  3. Paulgab

    Issue fixed

    This issue has been resolved in the Insider Fast 16.32.19102800 (released last Tuesday) that the Office build with a version of 16.31.19102400 and later will have the fix, this fix will be available in corresponding channel following this schedule.

    Insider Slow - November 4th, 2019

    Production - November 12th, 2019

    3 0 Reply
  4. Ken Moorhouse Silver badge

    YMMV

    Your Macro May Vary

    9 0 Reply
  5. Anonymous Coward
    Anonymous Coward

    I always left notification on

    I always left notification on, not because I would ever authorise a macro but more to see who was trying it on.

    That said, my new MacBook is a Microsoft Office free zone - I just hope LibreOffice doesn't get too many problems :).

    4 0 Reply
    1. GnuTzu
      Reply Icon

      Re: I always left notification on

      Feature request: always deny + always alert.

      2 0 Reply
      1. Charles 9
        Reply Icon

        Re: I always left notification on

        Won't that just cause Click Fatigue, aka SUAJLMGOWIA?

        1 0 Reply
        1. DJV Silver badge
          Reply Icon

          SUAJLMGOWIA

          Huh?

          0 0 Reply
        2. GnuTzu
          Reply Icon

          Re: I always left notification on

          That's worth a chuckle. But, if it was really that bad, you'd hope the requests/alerts would accumulate in a list--instead of an individual dialog for each one. It would be like that alert that lists all the sluggish add-ons slowing your browser down and recommends which ones to turn off.

          0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like