Archive for the ‘security’ Category

Get patching

Wednesday, 12th March, 2008

Microsoft have released some security patches to address critical flaws in Excel and some other Office components. Details here; it looks like 2003 SP3 and 2007 SP1 are pretty much ok, but they are still worth patching to keep everything in sync.

El Reg has some info here too.

The key point I wanted to make, which people seem to miss, is that this exploit (like many others) does not require macros. So clicking ‘disable macros’ doesn’t keep you safe. It is simply a malformed file that Excel’s own parser mishandles; it may not contain macros or any data at all, just a certain binary sequence.

Another point worth mentioning is that in this attack, like many others, the attacker gets the same rights as the user they hacked. This is why so many security pros recommend running as the most limited-rights user you can. Unfortunately, to get any development done it’s much less hassle to run as admin; sadly that means an attacker would get admin rights too.

If you apply the patches and have any problems let us know.

cheers

simon

Turkeys and Christmas

Wednesday, 27th February, 2008

Imagine in full Doolittle style you can speak to the animals.

Imagine further that you speak fluent turkey.

You visit some of the large turkey farms around the beginning of December and ask them to vote on what should be top of the Christmas menu.

Will they vote for turkey? or will they vote for anything but turkey?

(If you don’t eat turkey, and/or celebrate Christmas, then substitute the event and food of your choice (vegetables are fine - our royal family are well known plant talkers).)

-

Imagine you speak fluent IS department XAML jargon.

You visit your IS department at the start of next year’s budgeting round and ask them to vote on whether they should empower their business users by providing access to the tools and frameworks that the IS department currently only use themselves.

Will they vote themselves out of a job?

The best will understand that empowering the users helps everybody and will not lead to job losses in IS, it may even lead to more rewarding work for people throughout the organisation. There won’t be many of these though.

Most will vote to keep as much control as possible, so that would be no dev tools for users. They will continue quoting crazy money for internal projects. That’s not real money by the way, it’s cross charges, not real customers giving the company real money in return for providing them with something of value. More on that later.

Every organisation will have significant use of spreadsheet-based systems; those that have an excessive dependency on them have an IS department rooted firmly in the second camp above. Those that use spreadsheets in conjunction with other best-for-the-job tools (eg Access, ADO, COM, .net, etc etc) have a more enlightened IS department - these are great places to work.

I’ve worked in a few of these great places - anyone else?

cheers

Simon

What’s so good about VBA 2

Tuesday, 26th February, 2008
  • Autonomy
  • Self determination
  • Power
  • Freedom from the tyranny of IS departments
  • Trojan horse

Call it what you like, VBA gives the power to the people, without having to beg the power-crazed people in the IS department for permission to do your job.

I missed this one off the other list, Marcus reminded me in a comment.

I think this point is getting more and more important, as the IS department, full of SOX-fuelled bravado, is moving in for the kill. They are desperate to boss the business, and are most likely seeking retribution for decades of brutal staff cuts.

I have another post in the pipeline about this battle, but for now I think it’s fair to say Excel/VBA is one of the key tools in the battle. I would say Access, Excel and VBA are some of the key targets of the job prevention department.

In a way I think we are lucky that Office itself is so dependent on VBA that Microsoft do not recommend fully disabling it via policy. If that barrier were to be lifted, perhaps by implementing sumif.xla etc as VSTO add-ins, then things might change.

You may have noticed that most of what I reckon is great about VBA has nothing to do with language structure. It’s more to do with external factors, many of which are outside the current direct control of MS.

Cheers

Simon

Who nicked my code?

Friday, 8th February, 2008

Had some fun recently with a client.

They sent me a complex workbook to repair. I made the required changes in the worksheets and the code and sent it back.

He claimed that when he opened it, it said ‘Macros could not be found’.

I went through all the usual security style stuff trying not to patronise him, but in the end I just resent the file (zipped). Eventually he got a complete version.

Then he tried to send it back for my reference and I only got half of it, same ‘Macros not found’ message.

Anyway it appears some helpful email server somewhere en route from sunny Cumbria to California has stripped off the whole VBA project having ‘found’ some 1970s macro. None of my virus scanners picked up a problem with the file so I’m pretty confident it’s clean.

Anyone had that before?

The macro allegedly ‘found’ was WORD.97.Nottice.AR. I think it might be a word macro virus (the clue is in the name). Anyone had that flagged before?

I can’t help thinking the virus scanner has got it wrong - well, one scanner has. Either my desktop scanner(s) and the client’s desktop AV, or the Exchange one.

I have had this problem before and I have a feeling it might be related to my notes module that only contains comments. Anyone else?

Cheers

Simon

THE spreadsheet book (Spreadsheet Hell)

Thursday, 7th February, 2008

My new book is about to be published (and you all thought I’d been tossing it off all this time).

Spreadsheet hell book cover

Click the pic for more info.

Thx to Chris for the link.

Excel security

Friday, 1st February, 2008

More whining about Excel (in)security here.

I’d just like to highlight something I think a few people are missing.

.xls danger doesn’t start and end with dodgy VBA or XLM. Those are issues for sure, as both are very powerful languages.

It is possible to have a .xls file with some dodgy binary in it, eg by using a hex editor. When Excel opens the file and tries to parse the binary, it could overflow, leaving your machine vulnerable. The workbook may have neither VBA nor XLM; it may not even have any cell values.

The technique for finding these malformed inputs is called fuzzing (feeding a parser thousands of mutated files and watching for crashes); it was big in 2007, and Excel was a favourite target. Microsoft have also done a lot of work in this area, and their own fuzzing has driven a lot of the recent service pack updates.

Just because you disabled macros doesn’t make you safe.
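To make the point above concrete, here is an added example (my code, not anything from the original post) that walks a BIFF8 record stream, the layout Excel parses from the workbook stream inside a .xls file. The sample stream is constructed inline and contains a BOF and an EOF record only: no VBA, no XLM, no cell values. One parser trusts the record length field, the other checks it; the ‘hex editor’ attack is then a one-byte change to that field. The 8224-byte per-record limit is the BIFF8 one; the OLE container around the stream is deliberately left out.

```python
"""Walk a BIFF8 record stream with and without length validation.
Constructed sample input; no OLE container, no macros, no cell data."""
import random
import struct

REC_BOF = 0x0809          # Beginning of File record
REC_EOF = 0x000A          # End of File record
MAX_RECORD_DATA = 8224    # BIFF8 upper bound on one record's data portion


def build_record(rtype, payload):
    """Serialise one record: 2-byte type, 2-byte length, payload (little-endian)."""
    return struct.pack("<HH", rtype, len(payload)) + payload


def build_sample_stream():
    """Constructed two-record stream: BOF for workbook globals, then EOF.
    vers, dt, rupBuild, rupYear, bfh, sfo -> 16 bytes of payload."""
    bof_payload = struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0)
    return build_record(REC_BOF, bof_payload) + build_record(REC_EOF, b"")


def parse_records_trusting(data):
    """Trusts the length field. In Python the slice just comes back short;
    a C parser copying `rlen` bytes into a fixed buffer is where the
    overflow the post talks about comes from."""
    pos, records = 0, []
    while pos + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, pos)
        pos += 4
        records.append((rtype, data[pos:pos + rlen]))
        pos += rlen
    return records


def parse_records_strict(data):
    """Same walk, but every length claim is checked against what is there."""
    pos, records = 0, []
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated record header at offset %d" % pos)
        rtype, rlen = struct.unpack_from("<HH", data, pos)
        pos += 4
        if rlen > MAX_RECORD_DATA:
            raise ValueError("record 0x%04X claims %d bytes, over BIFF8 limit" % (rtype, rlen))
        if rlen > len(data) - pos:
            raise ValueError("record 0x%04X claims %d bytes, only %d remain"
                             % (rtype, rlen, len(data) - pos))
        records.append((rtype, data[pos:pos + rlen]))
        pos += rlen
    if not records or records[0][0] != REC_BOF or records[-1][0] != REC_EOF:
        raise ValueError("stream must start with BOF and end with EOF")
    return records


def strict_rejects(data):
    """True if the checking parser refuses the stream."""
    try:
        parse_records_strict(data)
        return False
    except ValueError:
        return True


def corrupt_length(data, new_len):
    """The hex-editor attack: overwrite the first record's length field only."""
    return data[:2] + struct.pack("<H", new_len) + data[4:]


def mutate(data, rng, flips=3):
    """Dumb mutation fuzzer: XOR a few random bytes with non-zero values."""
    buf = bytearray(data)
    for _ in range(flips):
        i = rng.randrange(len(buf))
        buf[i] ^= rng.randrange(1, 256)
    return bytes(buf)


def fuzz(iterations=200, seed=1):
    """Push mutated streams through the strict parser; count accepts and rejects."""
    rng = random.Random(seed)
    base = build_sample_stream()
    counts = {"accepted": 0, "rejected": 0}
    for _ in range(iterations):
        counts["rejected" if strict_rejects(mutate(base, rng)) else "accepted"] += 1
    return counts


if __name__ == "__main__":
    good = build_sample_stream()
    print("clean stream:", [hex(t) for t, _ in parse_records_strict(good)])
    bad = corrupt_length(good, 0xFFFF)
    rec = parse_records_trusting(bad)[0]
    print("trusting parser: claimed 65535 bytes, got", len(rec[1]))
    print("strict parser rejects it:", strict_rejects(bad))
    print("fuzz run:", fuzz())
```

The interesting output is the second line: the trusting parser happily returns a record that claims 65535 bytes but only has 20, and never notices that the EOF record has vanished. The strict parser throws the file out before any data is copied, which is all a ‘disable macros’ setting can never do for you: the file above has nothing to disable.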

Also, when you sign a workbook you only sign the VBA project (that is the signature macro security checks); the workbook stream (and others) can still be modified without breaking the signature.

Just saying..

cheers

Simon

Poetic justice

Friday, 25th January, 2008

scamming the phishers

Netcraft finds a freely downloadable phishing kit contains a twist - it emails all victim details to the kit builder as well as the phisher.

Be careful - it’s a jungle out there!

Bad data bad decisions 2

Wednesday, 9th January, 2008

Ages ago I moaned about how the wildly unrepresentative User Experience clicks program had been used to justify the abysmal ribbon. And I have continued to ridicule it even though I said I wouldn’t - sorry about that.

Recently I had a pop about the wildly skewed on-line help usage data that MS are now using to try and slow (or maybe even reverse?) the decline in usefulness of Office Help. Assuming they continue to infer the behavior of the population based on their skewed on-line sample, then Help in Office 14 will likely be all but unusable for experienced users.

Imagine though for a minute you had accurate information about which file types people were working with. And further that many of the supported ones are almost never used. And also imagine some of those file parsers had some flaky pre-trustworthy zero day exploit fodder in them. Looks like a quick cheap security win right? make access to those files (and their flaky parsers) hard by default, and everyone’s a winner.

Meanwhile back in the real world, sadly the data is woefully skewed towards individual users with limited computing experience. Expert users and corporate users are barely represented - oops.

The User Experience piss-poor data blight strikes again!

Does anyone have an example of where that ‘data’ ;-) was used and we got something useful?

Please Microsoft if there are any features in (or removed from - or just shuffled around in) Excel 14 driven primarily by those clicks, please get some feedback from the Excel community before baking them into the final build.

What do you think? Am I missing something?

cheers

Simon

David LeBlanc covers it very well here.

2 key takeaways from his blog post:

  1. The choice was leave everyone unpatched (/insecure) for months or do this quick and dirty now. I suspect if they had had more representative usage data things may have turned out differently. I don’t blame the security team, I blame the invalid inference from the massively skewed User Exp. ‘data’.
  2. The excellent way he deals with a rude commenter

Extranet password expired (again)

Monday, 7th January, 2008

The password expires far too frequently for the level of risk - it’s just an extranet giving access to minimal data, none of which is earth shattering. And I very rarely use it.

I’d have thought a permanent password would have been adequate. I have never understood the value of passwords that expire in 60 or 90 days; it’s just a ball ache for occasional users and for the admins who have to reset everything every couple of months. I’m not convinced it’s mitigating any real-world worthwhile risks in this case. (Correct me if I’m wrong? I suppose it does save them from having to manually delete users - maybe 6 monthly then?)

The warning emails start weeks before it’s due to expire. Obviously at that point the message gets marked as non-urgent in my mind. I then continue to ignore all subsequent warnings right up until my account gets frozen.

The messages should probably come from different sources and have different titles to differentiate the informational ‘it will soon be time to change your password’ from the ‘urgent action required - you are about to get locked out’.

The subject line ‘Password expiration warning’ repeated in daily emails I find incredibly easy to ignore.

Anyone with me on this or do you all just think I’m a slacker for not sorting it out?

I managed to get it renewed several days before I was permanently removed for ever. It’s not that simple: it requires me to use a different operating system and a different browser to my usual ones (ie a different physical machine).

Anyone else suffering from overzealous security? (eg trying to take 2 bags on a plane in the UK (in certain airports - in some it’s still 1 item of hand baggage))

I won’t even talk about the cumbersome password rules; needless to say I’ve written it out on a piece of paper in my top right hand desk drawer like everyone else.

cheers

Simon

Office 2003 SP3 feature-un-ectomy

Saturday, 5th January, 2008

Looks like MS have heard the howls and are going to provide a simple-to-use fix to re-enable older file formats on 2003 (ie automating the previously released registry hacks). I wonder if that might make it into 2007 too?

Here is the skinny from everyone’s fave news site.

I guess the point about OpenOffice and Gnumeric having better backward compatibility with Excel files than Excel 2003 SP3 and Excel 2007 smarted a little.

Fair play to MS for listening, and fixing it (in due course).

So that leaves us with a naming competition and a release date competition.

SP3a? SP3b? SP4? SP3-? SP3.1? SP3.2? KB0937840938?

I’m going to guess SP3a Feb 19th.

What do you reckon?

cheers

Simon