Archive for the ‘security’ Category

secure security

Wednesday, 6th February, 2013

Got this recently:

disable

Surprise surprise I chose… Disable!

If you are running 2010 and have VBA in password-to-open protected .xlsms, then they should probably be in a trusted location if you want the VBA to run. (I didn’t try very hard, but there didn’t seem to be an easy way to trust the doc; maybe temporarily taking the pw off it, trusting it, then redoing the pw would work.)

Unless you have AV that can scan them (which products do?).

cheers

Simon

Evil spreaddie fingered in RSA hack

Monday, 4th April, 2011

Dunno if you have been following the recent SecurID hack at RSA?

They fessed up then went quiet for a few weeks so a few people assumed the worst.

(If you don’t know what SecurID is, it is a little token (about 10mm by 30) that generates a new 6-digit number every minute. That number can be synched to a login server to ensure only people with the right physical token can log in.)

Anyway, the latest news is that an Excel workbook was infected with a targeted, malicious Flash .swf containing a zero day.

It does appear to be a very clever attack: the spreadsheet had such an interesting name that one of the targets pulled it from the junk folder and opened it, running the Flash. I didn’t see anywhere whether the workbook had any VBA in or not.

One important point though is that it was a Flash vulnerability they exploited; Excel was merely the delivery mechanism. No Excel vuln was used, just its ability to act as a container.
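Since the workbook here was only a container, the defensive check is to list what a workbook is carrying before anyone opens it. The following is an added example, not code from the original post or from RSA’s write-up: it treats an Office Open XML workbook (.xlsx/.xlsm) as the zip it is, and reports embedded OLE objects, ActiveX parts, a VBA project, and any part containing a Flash SWF header. The sample workbook it builds is constructed in memory (file names and bytes are made up for the example); a legacy binary .xls is an OLE compound file rather than a zip, and the example only identifies it as such.

```python
"""Inventory the parts of an Office Open XML workbook before trusting it.

Added example, not code from the original post. An .xlsx/.xlsm is a zip
container; this lists embedded objects, ActiveX parts and the VBA
project, and looks for Flash SWF headers inside every part. The sample
workbook below is constructed in memory for the demonstration.
"""
import io
import zipfile

# A SWF file starts with a 3-byte signature and a 1-byte version:
# FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Header of an OLE compound file (legacy .xls, vbaProject.bin, oleObject*.bin).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_swf_signatures(blob: bytes) -> list:
    """Offsets in `blob` where a plausible SWF header begins.

    Embedded Flash normally sits inside an OLE wrapper, so the SWF is
    rarely at offset 0; scanning the whole part is a heuristic, and the
    version-byte check drops some accidental 'FWS'/'CWS'/'ZWS' text hits.
    """
    hits = []
    for magic in SWF_MAGIC:
        pos = blob.find(magic)
        while pos != -1:
            version = blob[pos + 3] if pos + 3 < len(blob) else 0
            if 1 <= version <= 0x40:  # Flash player versions are small ints
                hits.append(pos)
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def inspect_workbook(data: bytes) -> dict:
    """Summarise what the container `data` is carrying."""
    report = {"is_ooxml": False, "has_vba": False, "embeddings": [],
              "activex": [], "swf_parts": {}}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # A legacy binary .xls is an OLE compound file, not a zip; parsing
        # its streams is out of scope here, so just say what it is.
        report["note"] = ("OLE compound file (legacy binary format)"
                          if data.startswith(OLE_MAGIC) else "not a zip container")
        return report
    report["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                report["has_vba"] = True
            if lower.startswith("xl/embeddings/"):
                report["embeddings"].append(name)
            if lower.startswith("xl/activex/"):
                report["activex"].append(name)
            offsets = find_swf_signatures(z.read(name))
            if offsets:
                report["swf_parts"][name] = offsets
    return report


def build_sample_workbook() -> bytes:
    """Constructed stand-in for a macro-enabled workbook with an embedded
    Flash object. The OLE and SWF bodies are fake headers, not real content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
        # Fake OLE wrapper with a compressed-SWF header 32 bytes in.
        z.writestr("xl/embeddings/oleObject1.bin",
                   OLE_MAGIC + b"\x00" * 24 + b"CWS\x0a" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_workbook(build_sample_workbook())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports the VBA project, one embedded object and a SWF header 32 bytes into that object. On a real file the presence of `xl/embeddings/` or `xl/activeX/` parts is the thing to triage; the SWF scan is a heuristic and a proper OLE parser would be needed to look inside the wrapper or at a legacy .xls.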

I didn’t see how they were discovered either, but it sounds like the attackers pretty much got most of what they were after.

I wonder how many other orgs have been hit by this sort of attack, and either haven’t discovered it yet or haven’t admitted it in public?

Got any good links?

cheers

Simon

Well done Microsoft

Wednesday, 23rd March, 2011

I just wanted to congratulate MS (& partners) on their efforts to bring down the Rustock spam machine.

I must check my online spam bin to see if it has reduced by 30% in the last few days. Either way, botnet takedowns can’t be a bad thing.

Have you noticed a drop in spam recently?

cheers

Simon

Office 2003 Info Rights fixed

Monday, 14th December, 2009

A couple of weeks ago I mentioned an issue I had seen in the newsgroups of folks being locked out of their Information Rights Management protected workbooks.

Opinions seemed to be mixed between ‘never heard of it’ and ‘would never use it’. But a few people did, and they got burned in November when it all stopped working and they were locked out of their own files.

Anyway, the issue is now apparently resolved by renewing an Office crypto certificate; full info and download available here. If you apply this fix please let us know if it does indeed resolve the problem, or not.

cheers

Simon

Wot, No Spreadsheets? – very OT

Thursday, 10th December, 2009

I’m gutted that spreadsheets don’t seem to have been implicated in the Climate Research Unit excitement. Why read_me_harry.txt instead of read_me_harry.xls?

Spreadsheets are ok for amateur mistakes, but pros use Fortran?

I’m also a little disappointed that the Government Broadcasting Company (BBC) doesn’t seem to be applying its normally fairly balanced reporting to this area.

I’ve had to switch to the Telegraph (FFS) to get some balance. And maybe even the Express!!

Over the last few months I have become more and more sceptical about the motivations and justifications for some of the stuff done ‘to save our planet’. Over the last few weeks I have become more and more sceptical about man’s influence on the climate. Over the last few days I have become very sceptical that the research is fit for its current purpose.

As it happens I bought a new USB portable drive last week – 320Gb for 60 quid – I am amazed the CRU couldn’t find a similar amount to prevent the ‘loss’ of their ‘critical to the survival of mankind’ data, out of their alleged budget of 20 million.

What is your take on whether our activities are causing, or are about to cause, catastrophic changes to our planet’s climate? And what should we do about it?

Seems to me if the intention was to genuinely cut CO2 rather than fund their mates in ‘green’ industries and carbon trading the govt would be pushing for:

  • Those that can to work a min of 2 days a week from home
  • encourage local sourcing of everything where possible
  • encourage the extending of the lifetime of any and all equip
  • reforesting where ever possible
  • Local community based power generation

As it is it just looks like they are trying to move us away from oil without actually explaining why. And keep their coffers full of course.

For info here is a climate change is our fault website

Here is a climate change is normal website

Here is a WSJ article highlighting the broader concerns raised by the recent fun.

So a couple of guidelines, then feel free to add your view below.

This is a fairly heated topic so I’ll moderate comments pretty tightly. The discussion is about the validity of the claim that human activity is the cause of changing climate. Comments in that area are welcome.

Personal attacks, nonsensical arguments and deceptive statements are not; I’ll delete these and publish the reason for your information.

Please keep your comments short and on topic and as polite as possible.

Irrelevant stuff like references to your own or others ‘green’ credentials etc will also go in the big round file.

Don’t feel compelled to comment. I’ll keep comments open for a day or so then close them to ease the moderation. After that if you want to comment just email me and I’ll add it.

Have fun… (and play nice)

cheers

Simon

Next Monday: D Day for SOX gravy train

Saturday, 5th December, 2009

It seems some legal beagles in the US are taking the organisation behind Sarbanes Oxley to court on the basis that the way it is set up is unconstitutional.

Whilst mainstream IT think about that from a security industry POV, there is the infant spreadsheet management industry to consider too.

SOX, and section 404 in particular have been used to encourage organisations to take some responsibility for their crappy spreadsheets. Ideally they would de-crappify them, but in my experience companies prefer just to list them and claim they are now ‘managing them’.

It will be interesting to see what, if any, impact this legal challenge has. I think the current mood is for more legislation and control (certainly in the UK!). But maybe those that claim SarBox has damaged US business competitiveness will hold sway.

I have seen a few remediation/migration type roles on Jobserve recently so maybe orgs are taking this seriously now. There are a lot of ingrained habits to change though.

Are you getting much SOX/Remediation business?

cheers

Simon

Information Rights Management in Excel

Tuesday, 24th November, 2009

I was poking around the newsgroups last night when I came across a thread about IRM failing in Excel.

A few people seem to be suffering the same problem – within the last two weeks something changed and now their credentials are not accepted by Excel and they are locked out of their files (here is the link).

My first thought was the Nov security hotfix for 2007 and 2003, but actually the thread is developing more along the lines that something changed at Hotmail (the credential authority).

I have never used IRM:

  • because I don’t put my Excel machine on the internet
  • because fear of being locked out of my own files far outweighs the comfort of knowing other people who might get hold of it will be locked out.

Do you use IRM?

Do you have a fix for the issue these folks are seeing?

cheers

Simon

Should we care about the Client’s Environment?

Friday, 20th November, 2009

Dennis made an interesting comment on a previous thread about how as developers we should be making use of multiple virtual machine technology to mimic our clients’ environments so we can better support them.

It’s a good point… but I completely disagree.

Some developers should do that for sure, what Microsoft calls ‘professional’ developers perhaps. I prefer to think of Excel/VBA developers as business developers, we are a bit closer to the business and a bit further away from the bits and bytes of hardcore coding.

We express our business knowledge in Excel and VBA for a variety of reasons. One vital one for me though is ease of deployment and hence support.

If I write a decent spreadsheet in Excel 2000, I can reasonably expect it to work perfectly in Excel 2000, 2002, and 2003. I can expect it to work at least partially in 2007. That is irrespective of the wider target environment, user rights, security credentials, previous installed components, corporate build oddities etc etc. There is no dll hell in Excel*.

If the client has Excel they can run my application. Full stop, end of.

(Of course there is a little excitement about macro security, the way they messed up expired signatures, the fact no one uses them because they are such a blatant scam etc)

*(OK, so we sometimes get ‘cannot find project or library’, but if we keep things close to Excel/VBA and develop with care, and with some consideration for the client’s environment, that doesn’t happen much and can usually be easily fixed.)

This trivial deployment leaves us business developers free to invest our time in understanding the business better and improving our software development skills. Deployment skills? system admin/security skills? heard of them, don’t want them or need them.

This is one of the biggest reasons I have not focused on .net – it’s a deployment nightmare. Of course that’s solvable: just invest a bunch of time and effort learning sys admin stuff and security stuff, and a bit of virtual machine trickery, and job’s a good’un. But I don’t want to do that, I want to improve my business knowledge and my coding skillz. Luckily Microsoft cater for folks like me with Excel VBA.

Don’t get me wrong .net works well for corporate developers (once they have the required sys admin knowledge) but for independent devs like me, there is way too much pain to trawl through to distribute and support custom built .net components.

So I care a little bit about my client’s environment, but not much. And frankly I think the fact that developers have to spend time and effort creating such close replicas of a client’s environment is a huge fail for Windows software development and for Microsoft. ‘Write once deploy everywhere’ – in yer dreams!

Major service packs? Fair enough. When you need to remotely replicate their level of hotfixes across a broad swathe of operating system components and applications, the process is seriously broken IMO.

When I did ASP development I had to get intimate with IIS to be able to work out, when things went wrong, whether it was our code or the server environment. If my Excel app goes wrong, it’s my code, no investigation required (roughly).

I don’t have anything against .net, there is much about it I like, I just don’t think it’s aimed at pragmatic, delivery-focused independent desktop developers (like me). (Hence, for the observant, the pic is from .net 1.1 from 2003.) I jump at any chances I get to develop in C#, the joy of a modern language and a modern IDE, but this tends to be when I am contracted on-site in the role of corporate dev, rather than independent software developer.

What about you? Do you find distributing your .net apps a true joy, the real highlight of your dev cycle?

Are you juggling more than 10 virtual machines, and keeping the patching in step with clients?

Which do you prefer, development or deployment?

Do you agree with the separate roles of corp dev and business dev?

Cheers

Simon

New Excel zero day exploit

Thursday, 26th February, 2009

Be careful what you are opening!

Seems there is a new vuln being actively exploited – across all recent versions of Excel, including the viewers.

cheers

Simon

End User Computing Czar

Wednesday, 25th February, 2009

One of my firmly held spreadsheet quality views is that companies could benefit from a single point of focus for their End user computing.

That could be a person or a department, but let’s start with a person. Their role would be to educate and support and, where necessary, force compliance with quality/control standards.

I think this role kind of exists in many small to medium companies in the shape of the Office expert – to whom everyone turns when they have a problem.

Larger orgs may have information protection czars, and/or network czars, database czars, desktop build czars. In short they have a person or a department specifically responsible for every significant part of the IT infrastructure except the most important – the End User Computing jungle.

Does anyone know of any companies that do have a head of EUC or something similar on an equivalent level to the boss of networking, or client apps or whatever? I.e. a senior role at or just below board level. No need to mention the co name, just a yes I have seen it or a no never.

How was it structured? Did they report through IT/IS or finance or another user department or what?

I think organisations are realising what a mess their EUC resources are, but I don’t see much sign of the most obvious way to manage them – assign a manager!

Do you see it?

Is it just too politically hard to work across departments in the way this would need to succeed?

cheers

Simon

