Securing the Microsoft Office Software Platform against Non-Macro Virus Attacks: Threats Vectors, Consequences and Countermeasures
The pervasiveness of the Office suite, its incorporation of the VBA macro language and the relative ease with which its applications can be automated make end-users' tasks more convenient, but also provide an incentive for spawning macro-borne viruses.
The advent of macro viruses has made it desirable for software developers to introduce macro security features into their products, in order to protect their applications and end-users' data from being maliciously used and compromised. In response to these challenges, Microsoft introduced into its Office suite a range of security features designed to provide reliable protection without sacrificing communication and collaboration among information workers.
As a result, these features help the end-user apply the optimal level of security, putting the user in complete control of the Office environment.
Non-Macro Virus
While these defenses help fortify end-users' Office applications against attacks spawned by macro viruses written in VBA, they are deficient in securing these applications against compromise by non-macro virus programs such as binary executables or scripts. The ability of programs to interact directly with one another in the Windows environment poses an even greater security threat.
An external application could automate an Office application and manipulate virtually all of its software components, including its macro environment. Macro security restrictions need not pose a barrier to this form of exploitation, since Microsoft Office also exposes its macro security settings through the Windows registry, where they can be adjusted without going through the application's own security dialogs.
Once such an opening has been obtained, an external (non-macro) malware program could actively inject hostile macros into the application's macro environment and trigger their execution.
A typical non-macro virus attack on a vulnerable Office application begins by instantiating the application's ActiveX object. Setting the application's window to invisible hides the malware's activities from the victim. In Office versions that permit or restrict programmatic access to Visual Basic Projects (i.e. Office XP and 2003), a crack is essential in order to give the external program access to the macro environment. A registry exploit, or a mimic of the user's selection of the menu item responsible for adjusting the relevant macro security setting, will perform the "magic".
The next step is to create or add a new Office document in the application session, and possibly add a new Visual Basic Project in cases where one is not present by default (e.g. PowerPoint and Access). This ensures that the malware can actively manipulate the VBA coding environment.
In this way, the malware could generate virulent macro code conforming to VBA's coding style and inject it into the VBA code module, either as a set of strings or by importing it from a file resident on the victim's machine. The injected macro could then be executed using any of the conventional methods employed by macro viruses.
Macro code execution could be achieved by a VBA programmatic method that directly executes a macro, passing the macro name as a parameter (i.e. the Run() function). Alternatively, macros could be executed by triggering an event associated with an injected macro: a menu item selection, a key press event, or a general event such as closing an open document. In some Office applications, such as Word and Excel, macros could be executed like a time bomb, based on a specified system clock condition (i.e. every day at 10 p.m.).
Finally, the malicious program could close the created document without saving it, in order to clear all tracks, and then terminate the automated Office application session.
Considering the widespread use and availability of the Office suite, a well-constructed non-macro virus attack targeted at its macro platform would let such programs compromise end-user data and client application programs on a wide scale with great success. These forms of attack are relatively easy to construct, given that VBA is an extension of the popular Visual Basic language.
Besides, VBA is a very powerful language that can be used to perform almost anything on the computer, given its support for ActiveX, the Windows API and native Visual Basic commands. The consequences these attacks could have on the computing community could be devastating. Unauthorized disclosure of information, disruption of program activities, denial of service, unusual system takeovers, impaired consumer confidence, and abuse of users' confidentiality and privacy are among the consequences these attacks could have on cyberspace. Consequently, it becomes necessary to implement security policies that mitigate these threats and assure the Office user the desired level of protection against malicious invasions.
Anti-virus software designers should embrace and encourage proactive (before-the-fact) methods of virus detection rather than reactive (after-the-fact) methods, since the latter may not arrive in time to stop a widespread infection. This will guarantee the user reasonable containment of a potential widespread infection.
Implementing an effective protection mechanism as a direct part of the Operating System (OS) will ensure that users become fully aware of potential malicious activities before they even execute on a target machine.
Improving macro security in macro-based software platforms will prevent these features from being bypassed or defeated. Instead of implementing Office macro security in the Windows registry, restricting it to the individual Office application via dialog-based security will help prevent an attacker from performing a registry crack. However, only careful placement of the dialog, together with effective countermeasures to secure such dialog provisions, will ensure that these dialogs are not manipulated by an attacker to fulfill the attacker's nefarious intents.
An effective "Object Model Guard" protection in each individual Office application will prevent an attacker from repurposing a so-called "safe" object for malicious code execution. This way, users are made aware each time an external application attempts to make use of an "unsafe" object, method, property or function hosted by an Office application.
The "Trust access to Visual Basic Project" setting should be improved in such a way that it not only disables programmatic access to the VB Project when turned off, but is also able to identify the application or program that attempts the access, and to notify the user.
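As an added example (not from the paper or from Microsoft), the following Python detector turns the two points above, the registry crack of macro security settings and the lack of notification around "Trust access to Visual Basic Project", into a check a defender can run over registry-write telemetry. It assumes the well-known Office security value names AccessVBOM, Level and VBAWarnings under each application's Security key, and a constructed, simplified record format for the events; a write made by anything other than the Office application itself is treated as the external program the article describes, rather than the user acting through the security dialog.

```python
import re
from dataclasses import dataclass

# Well-known Office registry value names that govern macro protection (the key
# layout is assumed): AccessVBOM = "Trust access to Visual Basic Project"
# (non-zero = trusted); Level (Office XP/2003) / VBAWarnings (2007+) = macro
# security level, where 1 is the weakest setting.
WATCHED = {"AccessVBOM", "Level", "VBAWarnings"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe"}
KEY_RE = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\(\w+)\\Security\\(\w+)$", re.I)

@dataclass
class Finding:
    severity: str  # "high" when a non-Office process weakened the setting
    app: str       # Office application whose setting was written
    value: str     # registry value name
    process: str   # image name that performed the write

def parse_event(line):
    """Parse one constructed 'field=value|field=value' registry-write record."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def classify(event):
    """Return a Finding if the write weakens macro protection, else None."""
    match = KEY_RE.search(event.get("key", ""))
    if not match or match.group(2) not in WATCHED:
        return None
    app, value = match.group(1), match.group(2)
    data = event.get("data", "").strip()
    weakens = (data != "0") if value == "AccessVBOM" else (data == "1")
    if not weakens:
        return None
    process = event.get("image", "").rsplit("\\", 1)[-1].lower()
    # A write by anything other than the Office application itself matches the
    # external "registry crack"; the Office process writing is more likely the user.
    severity = "medium" if process in OFFICE_APPS else "high"
    return Finding(severity, app, value, process)

def scan(lines):
    return [f for f in (classify(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample events (not real telemetry), using the Office 2003 key layout
SAMPLE_EVENTS = [
    r"image=C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE|key=HKCU\Software\Microsoft\Office\11.0\Word\Security\Level|data=3",
    r"image=C:\Temp\updater.exe|key=HKCU\Software\Microsoft\Office\11.0\Word\Security\AccessVBOM|data=1",
    r"image=C:\Temp\updater.exe|key=HKCU\Software\Microsoft\Office\11.0\Excel\Security\Level|data=1",
    r"image=C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE|key=HKCU\Software\Microsoft\Office\11.0\Excel\Security\AccessVBOM|data=1",
    r"image=C:\Temp\updater.exe|key=HKCU\Software\Microsoft\Office\11.0\Word\Options\BackgroundSave|data=1",
]
```

Running scan(SAMPLE_EVENTS) reports the two writes by updater.exe as high and the self-trust change made by Excel as medium; the Level=3 write (raising security) and the unrelated Options key produce nothing.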
Furthermore, users should endeavor to adopt healthy and safe computing habits in order to guarantee their systems adequate protection against malicious exploitation in general.
By Ojeabulu Esele George
Esele is presently serving with the National Youth Service Corps (NYSC), Katsina, Nigeria. This is the summary of the paper he delivered at the International Conference on Computer Security and Cybercrime in Africa held on March 28-30, 2006 in Lagos, Nigeria.
November 1, 2006
Babatunde Faluyi from Osogbo says:
Nice, but... The write-up is fine as a proof of concept, but in the real world it doesn't make much sense. If I can already code exploits in native binary language, why on earth would I want to drop into a less powerful macro environment? I could do all the damage I want in the native binary language by making the relevant API calls. Having said that though, other suggestions such as the object trust model are spot on.
May 2, 2006
Dele from Lagos says:
Great and encouraging stuff from a talented youth corper. Esele, keep it up!
May 4, 2006
Dennis A. from Abuja says:
I commend his efforts, as I learnt he provided a really powerful demo during the conference. Youth like these should be encouraged and supported.
May 4, 2006
Abu from Jos says:
Are you doing software research on Microsoft platforms alone? I recommend open source as well. Good work.