" arrived as a macro in a compromised Word document." - Macros are like Flash, a good idea once that has outlived its usefulness and should be put out to pasture. The one thing both are best at is being a malware vector.
The miscreants behind the Nymaim malware dropper have updated their code to include better obfuscation and blacklisting against security software. Analytics outfit Verint, which discovered the latest version and offers its analysis here, says the new code base targets phishing rather than the drive-by-download approach …
" Word macros are STILL spreading malware"
But only if you are stupid enough to override the default settings and click the warning message to enable macros. If you do that with a random document from the internet then I don't have much sympathy....
"A text document has absolutely no right to reach that deeply into an OS to be able to inflict malware upon the unsuspecting user"
These are not text documents. These are XML containers that can by design include application code (that is disabled from executing by default)...
"Shit coding practices from MS are to blame"
Microsoft generally are better than their peers - for instance far fewer known vulnerabilities than an equivalent enterprise Linux install, or OS-X...
A text document has absolutely no right to reach that deeply into an OS to be able to inflict malware upon the unsuspecting user.
Shit coding practices from MS are to blame, and it's about time their products were deemed "not fit for purpose", and banned from sale until such a time as they can prove they can prevent this whole clusterfuck from occurring.
Any competent admin can prevent this from occurring. You've been able to for decades. Just set a GPO to forcibly disable macros, unless they have a digital signature on your exceptions list.
The problem is that most people in IT don't get any training, and then don't do any reading or thinking about security. This is largely because their management doesn't care about security, and does demand security measures are removed which interfere with the end users making money.
Using nothing but the tools built into Windows it's possible to harden a Windows network into something approaching immunity to the majority of threats within a few hours. Disable macros from running, stick an SRP in to prevent programs from executing from outside %programfiles% and lock down Adobe products using the group policy extensions that Adobe offers free of charge. And preferably strip any dodgy file formats at the gateway; in most environments it's quite safe to strip files like "invoice.txt.exe", as they are invariably viruses.
Inconvenience for users, pretty much zero. Chances of getting infected by a user opening some form of ransomware? Also pretty much zero because it's likely been stripped before they get it, and if they did get it then they couldn't open it.
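The "disable macros unless signed" and "strip invoice.txt.exe at the gateway" controls from the comment above, as an added PowerShell example that is not part of the original post or of The Register's content. It writes the same per-application registry values that the Office "VBA Macro Notification Settings" policy writes (VBAWarnings and BlockContentExecutionFromInternet under the Office Policies key) for the current user, then audits them; the Office version (16.0), the application list, and the extension list in Test-DoubleExtension are assumptions for the example, and a real deployment would push the same values through a domain GPO rather than a local script.

```powershell
# Added example: apply and audit per-user Office macro policy values, plus a
# double-extension filename check of the kind a mail gateway rule would apply.
# Assumptions: Office 16.0 (2016/2019/365) and the Word/Excel/PowerPoint apps.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings: 1 = enable all, 2 = disable with notification (the default that
        # users click through), 3 = disable all except digitally signed, 4 = disable all
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
        # Block macros in files carrying the Mark-of-the-Web (downloaded or mailed in)
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

function Test-OfficeMacroPolicy {
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        [pscustomobject]@{
            Application           = $app
            VBAWarnings           = $vba
            MacrosLockedDown      = ($vba -in 3, 4)   # signed-only or fully disabled
            InternetMacrosBlocked = ($motw -eq 1)
        }
    }
}

# Gateway-side check from the post: "invoice.txt.exe" hides an executable extension
# behind a harmless-looking one. The extension list here is constructed for the example.
function Test-DoubleExtension {
    param([string]$FileName)
    $executable = '.exe', '.scr', '.com', '.bat', '.cmd', '.js', '.vbs', '.hta'
    $parts = $FileName.ToLower().Split('.')
    if ($parts.Count -lt 3) { return $false }          # needs name.inner.outer
    return $executable -contains ('.' + $parts[-1])    # outer extension is executable
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
'invoice.txt.exe', 'report.docx', 'setup.exe' | ForEach-Object {
    '{0}: double-extension executable = {1}' -f $_, (Test-DoubleExtension $_)
}
```

Test-OfficeMacroPolicy is the useful half for an audit: run it on a workstation that is supposed to be covered by the GPO and a row showing VBAWarnings empty or 2 means the policy never reached that machine, which is exactly the gap the "enable macros" click in the comments above relies on.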
Biting the hand that feeds IT © 1998–2022