Security and Microsoft Office

Using Microsoft Office entails a number of very significant risks.

Microsoft's primary objectives with Microsoft Office are flashiness, user friendliness, ease of use, and a very tight integration among all Microsoft applications. Whether or not they achieve the middle two is a matter of opinion, but the tight integration supports those goals, plus it locks out other software vendors. Every move Microsoft makes has the objective of making your computing environment more uniform and more "All Microsoft".

A serious problem with these objectives is that they make MS Office highly vulnerable to a number of serious security problems. Contributing factors are:

  • Tight integration among all Microsoft applications allowing easy linking of data (from Excel spreadsheet to Word document to email, etc.) for user convenience.
  • A variety of network "collaboration" features.
  • File formats that invisibly retain deleted material.
  • Tight integration of Outlook email and Internet Explorer with Windows itself and with Exchange Server (used in larger companies).
  • Powerful macro languages and VBA (Visual Basic for Applications) which can be embedded in documents. These can run automatically and have access to all system services.
  • ActiveX controls which are automatically downloaded from Web sites.
  • "Active Setup" automatic updating, which can be exploited by invaders.
  • The enforced homogeneous nature of the "All Microsoft" environment, where all computers run Windows and the same applications and network protocols.
  • Microsoft's disregard for security in the rush to market, and because it interferes with "user friendly" and "easy to use" (and because customers haven't demanded it).
  • The "dumbing down" of both users and administrators to "point-and-click" artists with no real knowledge of computer systems.

These factors make it possible for Microsoft Office to expose information you didn't want exposed, and make your network highly vulnerable to virus attacks, invasion from the Internet, and invasion by unauthorized people on your own network. Microsoft makes it difficult and inconvenient to turn off any features that contribute to risk and they are likely to be turned back on, either out of frustration or by reinstall.

CAUTION: Both sending and receiving Microsoft Word documents on disk or as email attachments is risky. You must be aware of these features to use Word safely.

  • If you use collaboration or revision control features, history will be retained in the file. Some people, when engaged in negotiations, turn off revision control in Word documents, then send them to the other side. The recipient turns revision history back on and has a complete track of the originator's thinking. Not good.

  • Word documents keep text from older versions invisibly in the document. The recipient can use a plain text editor to go through the document and read deleted or revised material, possibly revealing information you didn't want him to know. "Fast save" must be turned off before the document is begun to prevent this, and it must be kept off.

  • Macros and VBA programs attached to documents you receive can give the sender access to your computer and even your entire network over the Internet, or can destroy information on your computer, or shut down your network.

The safest way to exchange documents created with Microsoft Word is to export them in HTML or RTF (Rich Text Format), then send those exported files. Most major word processors can import and export RTF, and everyone has a Web browser to read HTML with. You should insist that people sending you documents send them in RTF or HTML format. RTF will better preserve the formatting of the original document.
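
A pre-send check for the retained-text problem described above, as an added example that is not part of the original page: it extracts the text runs a recipient would see in a raw view of the file and reports any phrase you believed was deleted. The function names and the sample bytes are constructed for illustration; a clean result only covers text stored as plain single-byte or UTF-16LE characters.

```python
import re
import sys

# Runs of 4+ printable characters, stored one byte per character or as
# UTF-16LE; this is what a raw view of the file in a text editor shows.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed sample, not a real Word file: a header, the current wording,
# and a leftover fragment of earlier wording separated by binary filler.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + "We can offer $40,000.\r".encode("utf-16-le")
    + b"\x00\x01\x02\xff"
    + b"Our ceiling is $65,000 if they push back.\r"
    + b"\x00" * 4
)


def readable_strings(data: bytes) -> list[str]:
    """Return every readable text run found in the raw bytes."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    runs += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return runs


def find_leaks(data: bytes, must_not_appear: list[str]) -> dict[str, list[str]]:
    """Map each phrase you believe was removed to the runs still containing it."""
    runs = readable_strings(data)
    hits = {}
    for phrase in must_not_appear:
        found = [r for r in runs if phrase.lower() in r.lower()]
        if found:
            hits[phrase] = found
    return hits


if __name__ == "__main__":
    # Usage: script.py FILE PHRASE [PHRASE ...]; with no arguments, scan SAMPLE.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as fh:
            data, phrases = fh.read(), sys.argv[2:]
    else:
        data, phrases = SAMPLE, ["ceiling", "65,000"]
    leaks = find_leaks(data, phrases)
    for phrase, runs in leaks.items():
        print(f"STILL IN FILE: {phrase!r} -> {runs[0][:70]!r}")
    sys.exit(1 if leaks else 0)
```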

Always make sure macros are turned off before opening an unknown Word or Excel document. Even this isn't 100% effective, so it is better to open such documents in StarOffice or some other non-Microsoft application.

If you must send an actual Word document, the safe thing to do is this:

  1. Open a new Word document while holding the original document open.
  2. Cut the desired text from the old document and paste it into the new document.
  3. Reformat as needed.
  4. Send the new document to the recipient.

Of course, the safest thing is to use some other office suite, perhaps StarOffice, or Lotus SmartSuite, or WordPerfect Office. These can read most MS Office documents, but won't run macros, VBA scripts or ActiveX, so they are safe. They can export documents in both RTF and Word format (without extraneous material). And they cost less.

©:Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com