And lo on Thu, 06 Dec 2007 12:23:41 -0000, Invisible <voi### [at] devnull> did
spake, saying:
> Phil Cook wrote:
>
>> As Scott said you just turn down the security options from "I'm an
>> idiot protect me" to "I'm a grown-up let me make my own decisions"
>
> Well I pretty much assumed it would be an on/off setting, and even I am
> not too keen on turning the security off completely.
No, amazingly they did add an adult option alongside the absolutes.
>>> Google did at least manage to find me a relevant article without much
>>> ado.
>>>
>>> http://msdn2.microsoft.com/en-us/library/aa141471(office.10).aspx
>> or you could have checked your posts as I've told you how to do this
>> twice now :-)
>
> I followed the instructions you gave me for Office 97 and they didn't
> work. (I forget where exactly it fails.) The instructions I found here
> actually worked.
Hmm okay.
>>> 3. Navigate several system folders. (You know, the ones where Windows
>>> Explorer insists "This is dangerous. We have hidden it for your own
>>> safety. Do you *really* want to touch this stuff? We warned you!")
>> or run a search for selfcert.exe
>
> Actually I used a command prompt, but hey.
>
>>> 4. Run the certificate creation tool. This creates a self-signed
>>> certificate which you cannot export or back up. (Yay!)
>> Um you mean except when you go to sign it, view details and pick "Copy
>> to file"?
>
> I did follow the instructions for backing up the certificate, but
> apparently "the private key is marked as not exportable and cannot be
> saved". So you can save the certificate itself, just not the key. Very
> helpful.
Try makecert instead.
>>> 7. Find the right menu item.
>> Tools|Digital Signature.. at least on 2k, hardly surprising.
>
> It's easy once you figure out it's under Tools, yes.
or read the article you linked to :-)
--
Phil Cook
--
I once tried to be apathetic, but I just couldn't be bothered
http://flipc.blogspot.com
>> I followed the instructions you gave me for Office 97 and they didn't
>> work. (I forget where exactly it fails.) The instructions I found here
>> actually worked.
>
> Hmm okay.
Well, to be honest it's getting quite hard to find information about
Office 97. Hopefully Office 2003 will be an easier proposition...
>> I did follow the instructions for backing up the certificate, but
>> apparently "the private key is marked as not exportable and cannot be
>> saved". So you can save the certificate itself, just not the key. Very
>> helpful.
>
> Try makecert instead.
It's not there.
And lo on Thu, 06 Dec 2007 12:57:53 -0000, Invisible <voi### [at] devnull> did
spake, saying:
>>> I followed the instructions you gave me for Office 97 and they didn't
>>> work. (I forget where exactly it fails.) The instructions I found here
>>> actually worked.
>> Hmm okay.
>
> Well, to be honest it's getting quite hard to find information about
> Office 97. Hopefully Office 2003 will be an easier proposition...
Well at least until Office 2010
>>> I did follow the instructions for backing up the certificate, but
>>> apparently "the private key is marked as not exportable and cannot be
>>> saved". So you can save the certificate itself, just not the key. Very
>>> helpful.
>> Try makecert instead.
>
> It's not there.
GIYF
--
Phil Cook
--
I once tried to be apathetic, but I just couldn't be bothered
http://flipc.blogspot.com
On Thu, 06 Dec 2007 12:50:02 +0000, Invisible wrote:
> Vincent Le Chevalier wrote:
>> Invisible wrote:
>>> PS. Does OpenOffice provide a scripting language?
>>
>> Several of them, it seems:
>> http://framework.openoffice.org/scripting/index.html
>>
>> I never used that, though...
>
> "OpenOffice Basic"? Oh, that's original...
It's descriptive. You'd be happier if it was called, I don't know,
"OpenOffice Splash"?
Jim
Invisible wrote:
> (That's what Office 97 had.)
Actually, Office 97 had a way for a macro to turn on the "don't disallow
macros" flag. A true security cluster-fk. Like, huh? Disallow macros,
unless the macro with the malware in it says to allow macros?
> (By default they install VBA but not the tools apparently necessary to
> actually enable it to run.
No. The tools to let it run, but not the tools to make new macros. Just
like having by default a Java VM runtime installed without installing
the Java compiler.
> I wonder - how do you develop new code if it's always disabled until you
> sign it?
The same way you develop new code if it's always unrunnable until you
compile it.
> (And - one hopes - every time you change it this invalidates
> the signature...)
Yes. That's the point of it.
--
Darren New / San Diego, CA, USA (PST)
It's not feature creep if you put it
at the end and adjust the release date.
And MS could have made it easier by identifying the minimum subset of
macro functions that are necessary for virus propagation, and
eliminating enough of those functions to make virus propagation impossible.
Simply never writing macros to normal.dot would have stopped the
propagation of many viruses, and depriving macros of the ability to
disable menu commands would have helped, too.
Regards,
John
John VanSickle <evi### [at] hotmailcom> wrote:
> Simply never writing macros to normal.dot would have stopped the
> propagation of many viruses, and depriving macros of the ability to
> disable menu commands would have helped, too.
It's not the first time that MS's concept of fixing a security hole is
to either ignore it (by arguing it's not a problem) or go completely
overboard, instead of actually fixing the problem itself.
Somehow it gives the impression of a beginner and proud-of-itself
programmer who is given a bug report. He either is too proud to admit
the problem, or can't imagine a better solution to it than to disable
half of the functionality of the program. You know, like those cases you
can constantly read at the daily WTF.
--
- Warp
I basically agree with everything you two have said.
How about you ask the user before letting a macro perform a potentially
risky action? (Unless it's signed of course.)
OTOH, some idiots will click anything put in front of them, so... how
about just turn off all potentially unsafe functionality unless the
macro is signed, and say "hey, get the macro author to sign this if you
really want it to work"? (But provide no way to actually enable the
macro just by clicking the window.)
The vast majority of macros are for auto-generating document content. If
you turn off the ability to access other files / documents and disable
changing the user's settings, it's pretty much impossible for a
malicious macro to do anything except screw up the document it's already
infected. Dude, how hard is that?
But hey, why do that when you can just completely disable all macro
functionality?
(Question: Has anybody ever actually *seen* a macro virus? I'm told they
exist, but I've never ever come across one...)
And lo on Fri, 07 Dec 2007 09:58:06 -0000, Invisible <voi### [at] devnull> did
spake, saying:
> I basically agree with everything you two have said.
>
> How about you ask the user before letting a macro perform a potentially
> risky action? (Unless it's signed of course.)
I believe that's called Vista ;-)
> OTOH, some idiots will click anything put in front of them, so... how
> about just turn off all potentially unsafe functionality unless the
> macro is signed, and say "hey, get the macro author to sign this if you
> really want it to work"? (But provide no way to actually enable the
> macro just by clicking the window.)
Then you'd just get the 'unsafe' macros being signed, unless you want to
force everyone to buy a certificate?
> The vast majority of macros are for auto-generating document content. If
> you turn off the ability to access other files / documents and disable
> changing the user's settings, it's pretty much impossible for a
> malicious macro to do anything except screw up the document it's already
> infected. Dude, how hard is that?
Except where you want a macro to be able to access other documents and
files and change settings. For example IIRC in one version of Word to
print out a document to a non-default printer via VBA requires you to
change the default printer to the one you want to print to then change it
back again.
> But hey, why do that when you can just completely disable all macro
> functionality?
Because it's easier
> (Question: Has anybody ever actually *seen* a macro virus? I'm told they
> exist, but I've never ever come across one...)
In the early days when they were new, sure. Not so much nowadays.
--
Phil Cook
--
I once tried to be apathetic, but I just couldn't be bothered
http://flipc.blogspot.com
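
A sketch of the policy debated in this thread, added here as an illustration and not code from any poster or from Office: unsigned macros keep only a document-local capability, and a signature covers the exact macro text, so any edit voids it. The capability names, publisher name, key and sample macros are assumptions, and HMAC stands in for a certificate signature.

```python
import hashlib
import hmac

# Constructed publisher key. HMAC stands in for a certificate signature here
# because the standard library has no public-key signing.
TRUSTED_PUBLISHERS = {"it-department": b"constructed-demo-key"}

# Capability names are hypothetical labels for the actions named in the thread.
SAFE = {"edit_own_document"}
RISKY = {"write_normal_dot", "disable_menu_commands",
         "access_other_files", "change_user_settings"}


def sign(source, publisher):
    """Sign the exact macro text on behalf of a trusted publisher."""
    key = TRUSTED_PUBLISHERS[publisher]
    return hmac.new(key, source.encode(), hashlib.sha256).hexdigest()


def is_signed(source, publisher, signature):
    """True only if the signature matches this exact text and a trusted key."""
    key = TRUSTED_PUBLISHERS.get(publisher or "")
    if key is None or not signature:
        return False
    expected = hmac.new(key, source.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def capabilities(source, publisher=None, signature=None):
    """Unsigned or tampered macros keep only the document-local capability."""
    if is_signed(source, publisher, signature):
        return SAFE | RISKY
    return set(SAFE)


def authorize(capability, source, publisher=None, signature=None):
    """Policy decision for one action; there is no prompt to click through."""
    return capability in capabilities(source, publisher, signature)


# Constructed sample macros.
FILL_IN = 'Sub FillIn()\n  Selection.TypeText "Dear customer"\nEnd Sub\n'
PRINT_TO = ('Sub PrintTo()\n  ActivePrinter = "Office Laser"\n'
            '  ActiveDocument.PrintOut\nEnd Sub\n')
PRINT_SIG = sign(PRINT_TO, "it-department")
```

The printer macro is the case raised in the reply above: it needs `change_user_settings`, so under this policy it runs only while its signature still matches the text that was signed.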
Warp wrote:
> John VanSickle <evi### [at] hotmailcom> wrote:
>> Simply never writing macros to normal.dot would have stopped the
>> propagation of many viruses, and depriving macros of the ability to
>> disable menu commands would have helped, too.
>
> It's not the first time that MS's concept of fixing a security hole is
> to either ignore it (by arguing it's not a problem) or go completely
> overboard, instead of actually fixing the problem itself.
Aside from the recurring buffer overrun bugs (it seems like one of
those pops up every month[1]), every security hole appears to involve a
feature that MS added for its own benefit, and not for the user's.
IE is a good example of this. Frankly, everything that isn't directly
related to displaying content formatted in HTML should be relegated to
plug-ins that the user can shut off at will. That includes automatic
download, install, JavaCurse^H^H^H^H^HScript, and so on.
> Somehow it gives the impression of a beginner and proud-of-itself
> programmer who is given a bug report. He either is too proud to admit
> the problem, or can't imagine a better solution to it than to disable
> half of the functionality of the program. You know, like those cases you
> can constantly read at the daily WTF.
Disabling half of the functionality in IE would be a pretty good idea.
Regards,
John