Australian spooks' email guide banishes MS Word macros, JavaScript

The Australian Signals Directorate (ASD), the sigint outfit renowned for its “don't be stupid” guide to infosec, has published its latest guidelines for e-mail admins. E-mail being what it is, its Malicious Email Mitigation Strategies carries a fair amount of detail, but the basics are easy: treat attachments like live …

  1. veti Silver badge

    Huh?

    "Converting attachments to another file type" - and how exactly do you do that without opening the frigging attachment first? If they just said "delete all Office documents unopened" that would at least be coherent, even if it's not very practical.

    Honestly, the best protection against macro viruses now is to be running an up to date version of Word. It won't run macros unless you, the user, explicitly enable them.

    1. MacroRodent

      Re: Huh?

      >Honestly, the best protection against macro viruses now is to be running an up to date version of Word. It won't run macros unless you, the user, explicitly enable them.

      Not sure if that helps against a good phishing attack. If the attachment comes from a plausible-looking sender, the recipient is likely to enable the macros anyway, especially if it looks like the document cannot be read otherwise.

      Really, the only solution is using document formats with no macro feature, or at most macros that are strictly limited to operating on the document contents itself, with no kind of programmable access to the file system or network at all.

    2. Anonymous Coward

      Re: Huh?

      "Converting attachments to another file type" - and how exactly do you do that without opening the frigging attachment first?

      It's the MTA's job, not a client activity (mail server/relay). Personally I'd set a policy of what is acceptable for email to contain and reject or strip any other content, and guard against malicious versions of that content. That way I start with a risk model I have some control over instead of being at the mercy of what comes in.

      Oh, and I'd lock out users sending 50MB Powerpoints to large mailing lists :)
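The MTA-side policy described above (decide what content is acceptable, strip or reject everything else, and guard against malicious versions of the accepted content) as a worked example. This is added illustration code, not from the article, the ASD guide or any commenter; the allow-list, the sample message and the stub attachments are constructed for the example. It decides per MIME part, and it looks for macros by inspecting the bytes (an OOXML zip holding a vbaProject.bin, or a legacy OLE2 container) rather than trusting the declared content type or the file extension:

```python
"""Added example: a minimal MTA-side attachment policy filter (constructed, not the page's code).
Per-part decisions use a content-type allow-list plus byte-level detection of macro-carrying
Office documents, so a .docx that is really a macro document is still caught."""
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed policy: content types allowed to pass through unchanged.
ALLOWED_TYPES = {
    "text/plain",
    "application/pdf",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
# Magic bytes of a legacy OLE2 (Compound File) .doc/.xls/.ppt container.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if data is a zip (OOXML) container that holds a VBA project entry."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_part(part: EmailMessage) -> tuple[str, str]:
    """Return ("keep" | "strip", reason) for one leaf MIME part."""
    ctype = part.get_content_type()
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(OLE2_MAGIC):
        return "strip", "legacy OLE2 Office container (may carry macros)"
    if has_vba_project(payload):
        return "strip", "OOXML document with embedded VBA project"
    if ctype in ALLOWED_TYPES:
        return "keep", f"{ctype} allowed by policy"
    return "strip", f"{ctype} not in allow-list"


def filter_message(raw: bytes) -> tuple[EmailMessage, list[tuple[str, str, str]]]:
    """Replace every stripped part with a plain-text notice; return message and report."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        decision, reason = classify_part(part)
        report.append((part.get_filename() or part.get_content_type(), decision, reason))
        if decision == "strip":
            # set_content() clears this leaf's old payload and its Content-* headers.
            part.set_content(f"[attachment removed by policy: {reason}]")
    return msg, report


def build_docx_like(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-style zip, optionally with a vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00 constructed placeholder, not real VBA")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed test message: a plain-text C snippet plus four attachments."""
    msg = EmailMessage()
    msg["From"] = "dev@example.test"
    msg["To"] = "me@example.test"
    msg["Subject"] = "snippets"
    msg.set_content("int main(void) { return 0; }\n")
    docx = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(build_docx_like(False), maintype="application",
                       subtype=docx, filename="plain.docx")
    # Declared as a harmless .docx, but the bytes carry a VBA project.
    msg.add_attachment(build_docx_like(True), maintype="application",
                       subtype=docx, filename="invoice.docx")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="msword", filename="old.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    _, report = filter_message(build_sample_message())
    for name, decision, reason in report:
        print(f"{decision:5} {name:12} {reason}")
```

Run on the constructed message, the plain-text body (the kind of C snippet the later comments argue about) and the PDF pass, the macro-free .docx passes, and the mislabelled invoice.docx and the legacy .doc are replaced with a notice. Nothing here opens the document in Word or any other application; the check is a zip listing and a magic-byte comparison, which is the point of doing this at the relay rather than on the client.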

    3. Christian Berger

      Yes, but...

      Yes, converting the attachments is obviously very dangerous, as that means that every attachment will be opened.

      Running an up to date version of Word will first of all not protect you from any "zero day" bugs that still lurk in there. I don't know how much of the security community is working on Word particularly since it's not really a product you cannot avoid easily in sane situations. Also have you used the latest versions of Office with those "Ribbons"? They are virtually unusable.

      We need "Think before you Office" campaigns alerting people that using Office software (no matter what vendor) means overly complex files where something can go wrong should only be used when _absolutely_ necessary. Perhaps after some time you could quarantine office files to make it hard to use them. Then ban HTML E-Mail, there really is no sane reason why you should send E-Mail in such a complex format and waste space and bandwidth with images you send with every mail.

      Seriously I've been to several jobs now. And the only reason I had to use office software was company policy. To a normal office worker it doesn't matter if they fill out a Word template or a TeX one.

    4. Anonymous Coward

      Re: Huh?

      And the first thing a user does when confronted with a 'Macros are disabled' requester box?

      They enable macros.

      1. phuzz Silver badge

        Re: Huh?

        There are Group Policies you can set to prevent any user from enabling macros.

        First you ban them everywhere, then you find the five people in your entire company that actually use them and work with those people to either remove macros completely or at least make sure only the approved ones get run.

    5. Doctor Syntax Silver badge

      Re: Huh?

      '"Converting attachments to another file type" - and how exactly do you do that without opening the frigging attachment first?'

      Bounce all mail with Office attachments with a message saying they're not accepted, convert to PDF. It'd be unpopular at first but if a few high profile organisations took the lead (say a few govts) then the message might get through.

    6. Anonymous Coward

      Re: Huh?

      "Converting attachments to another file type" - and how exactly do you do that without opening the frigging attachment first?

      You don't open them in the application they were meant for - especially with Word files it's easy to find alternatives such as LibreOffice. That being said, if you're aware of BOTH the risk AND the alternative you may want to consider switching wholesale instead*. Not only will you reduce the security risk, but also the risk of getting licensing wrong, and it'll be much cheaper to boot (you save so much money you may even be able to afford to train people).

      * We did, but we have admittedly no need for complex Excel spreadsheets and frankly abhor Powerpoint so I guess we're not exactly "average" in our approach to Office software :).

  2. cantankerous swineherd

    consign email to eternal oblivion, along with flash. next up, javascript.

  3. Tommyinoz

    User education needed

    We had a case recently where one of our staff opened a fake invoice Word document and managed to get their PC infected with a virus. This was an interesting case because the email was caught by our spam filter, but it was only flagged as suspect. The Kaspersky antivirus on the mail gateway did not detect the virus. Therefore users are able to release caught emails themselves from the spam filter. This user released the email and then proceeded to open the attached Word document (fake invoice); the Word document contains a message saying that you must enable macros to view the content. At this stage the Sophos antivirus on the user's PC does not detect the virus either. The user dutifully follows the instructions in the Word document and enables the macro, but then doesn't see anything. At no stage does the user suspect that there is anything wrong or that they have been conned. It doesn't end there: the user then replies to the email to tell the sender that there is something wrong with the attachment.

    A day later we detect that there was something strange in that user's start-up and soon confirmed that it was a virus. We didn't take any risks, we just took the PC off that user and re-imaged it.

    1. Hans 1

      Re: User education needed

      >We didn't take any risks, we just took the PC off that user and re-imaged it.

      Did you also check his share, because, well, the malware could have disguised itself in a few files on the user's network share ... just saying.

      User education is pretty much futile, they open gazillion documents every day, even enlightened people get caught by this, one day or the other ...

    2. Pascal Monett Silver badge

      Re: We didn't take any risks, we just took the PC off that user

      And that's all ?

      You didn't take the servers offline to scour them for virii ? No in-depth analysis of all network shares ? Just re-image the affected PC ?

      And you think you didn't take any risks ?

      Ignorance really is bliss.

  4. david 12 Silver badge

    ...but it would be nice if ..

    Sigh. What's the point of having an email system if you can't send email through it? I'm a coder, and working off site, it would be nice if I could send code snippets, scripts and patches to myself. Or to the local admin. Or to the quarantine area. Or to somewhere, anywhere, where I could retrieve it.

    And, a little bit of discrimination would be thoughtful too: ok you won't accept database macros, but do you have to block and silently discard plain text email containing short sections of C code?

    1. John G Imrie

      Re: ...but it would be nice if ..

      >I'm a coder, and working off site, it would be nice if I could send code snippets, scripts and patches to myself. Or to the local admin. Or to the quarantine area. Or to somewhere, anywhere, where I could retrieve it.

      Use a text/plain MIME type then

      1. Prst. V.Jeltz Silver badge

        Re: ...but it would be nice if ..

        did you miss this bit John?

        "but do you have to block and silently discard plain text email containing short sections of C code?"


    2. Martin Gregorie

      Re: ...but it would be nice if ..

      >I'm a coder, and working off site

      Why are you using e-mail to transfer "code snippets, scripts and patches" in this day and age? Doing that via e-mail is so last-century.

      Your project(s) should be using version control (git or even CVS) and a central code repository to hold patches and enhancements to permanent source code and ftp or sftp to make temporary stuff such as 'code snippets' and throw-away scripts available to the rest of the project via a common disk storage area.

      1. david 12 Silver badge

        Re: ...but it would be nice if ..

        Yes, I only use plain text for email, and yes, I support other people's code at other locations.

  5. UnfortunateTruths

    Already being done by some...

    Check Point's Threat Extraction technology does exactly this already. Works slick. Initial PDF/Office attachment is a malware-free PDF copy. If the end user requires the original they can request it, but it still goes through Sandboxing (Threat Emulation). All configurable as well depending on senders and recipients if you happen to inherently trust one or the other.

    Browser plugin coming soon for Chrome that does the same.

    1. Anonymous Coward

      Re: Already being done by some...

      Couple of others too - Glasswall Solutions and Menlo Security also stripping out the nasties that the vast majority of users have no business requirement to interact with (flash, java, javascript in PDF, Office macros etc) whilst retaining the original where necessary. Of course there will always be some users or services that need to receive 'active' documents (typically allowable via policy) but greater vigilance and awareness can be put around them.

  6. Dave Lawton

    No HTML emails

    Most of the exploits require it to obfuscate what they are doing.

    So remove the ability to send them, and set the email client to only read in Plain Text mode.

    Hardly rocket science.

    1. Christian Berger

      Well... but marketing wants them

      And when there's a conflict between the wants of marketing and the needs of security... well marketing always wins.

  7. John Brown (no body) Silver badge

    Now, if only....

    ...the people in our office can be trained to only use document scripting when there's no other option. Using scripting to give informational mouse-over pop-ups, just because you can, is pointless and teaches other users to enable scripting. A quick survey of recent Excel spreadsheets and Word docs from the office shows about 80% with scripts and maybe 75% of those scripts just pointless "because we can" fluff.


  8. Mike 16

    Then how do I get email

    from managers and VPs?

    True story (that I may have told here before):

    Late 1990s. I get an email purportedly from the CEO to the whole division. Its sole content is in an attached Word document. A bit later the head of IT (normally a straight-shooter, literally: he had a concealed carry license) asks me why the heck I didn't read it and do the requested actions. I reply that Word macros could ruin my day, and his, and that email "from" addresses are not super trustworthy. "Nonsense," he says. Then I mention that the same day I had gotten a penis-pill ad from "SteveCase@aol.com". Back then, it was not so plausible that the CEO of AOL would be running a sideline to make ends meet.

    More recently, Geoff Pullum over at the Scottish branch of Language Log posted about what happened when his university moved him to Office365. Amusing, if you are not him:

    http://languagelog.ldc.upenn.edu/nll/?p=26975

  9. Ted's Toy

    Just Banish M$

    Simple answer is to banish M$ completely.

  10. splodge

    "Honestly, the best protection against macro viruses now is to be running an up to date version of Word. It won't run macros unless you, the user, explicitly enable them."

    The better protection would be to use an OS that doesn't use the random, arbitrary last 3 characters of a file's name to determine its type.

    1. david 12 Silver badge

      >an OS who doesn't use the random, arbitrary last 3** characters of a file's name to determine its type

      Anyway, just as long as you don't use an OS that opens unknown files and attempts to read the first line to find the file type. So you'll be good as long as you use a mail system that sends coded resource forks to determine the file type.
