Well, Woody has been reporting this publicly for a couple weeks now. It is a pretty serious hole and the problem with it is what the black hats will develop to take advantage of it, not the flaw itself. The thing that ticks me most about it, though, is that I (and Dian was there to hear it) told MS Word engineers that something like this was going to show up and that it would allow hackers to even steal 'signed' credentials. So when I digitally sign a Word template for distribution and the safety tag is there that says "Greggie's signature is on this template, do you trust him?" someone else can steal that sig and use it to pass unsafe code. Suddenly, those keyed signatures are valueless and we're right back where we started on this Word macro virus problem.

This passage is not reassuring:

"An additional element of the report suggested a scenario where this issue could be used to forge a document which has been digitally signed. Microsoft has evaluated this scenario and found that if this attack vector was followed, the digital signature on the forged document would be invalidated and this would be evident from inspecting the digital signature. Even if the attacker were to somehow manage to find a way to present the user with a valid digital signature, as discussed above, there would still be a clear evidence trail that could be followed and handed over to law enforcement agencies if necessary."

That's from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/secword.asp .

The reason it's not reassuring is much more serious than what the news bunnies are reporting and invalidates the whole idea of signed macros is the fact that it can be done and that the trail to the attacker will not be distinct because the key to making the whole thing work is the same old solution: social engineering. Enticing people to view a document, accept the changes, ad infinitum is actually the simplest part of making a viral payload go.
Here's an example from the "I love you" virus. One of the admins I work with was checking his shared family account from the office one day. He noticed a piece of mail intended for his wife from one of the family's close female friends. When he saw the subject (I love you!), his curiosity meter pegged ("Why is this woman suddenly telling my wife she loves her?!?!"). As he clicked on the message, his co-workers heard his loud, too late, cry of "Oh Sh**!". Yes, the finger is faster than the mind, once distracted. <g> He knew better and he even knew before his finger arose from the mouse that he'd been had. The damage had already been done, though.

They can play with includetext fields all they want, but I want the built-in security measure to be solid. There's no way this sig should ever be able to be stolen/forged and, despite warnings from little geeks like me, the ball has been dropped across all versions of Word, post ver 97.

Greg

----- Original Message -----
From: "Charles R. Buchanan" <crbgfblab@xxxxxxxxxxxxx>
To: "MS Office Mailing List" <mso@xxxxxxxxxxxxx>
Sent: Friday, September 13, 2002 2:12 PM
Subject: [mso] Microsoft Word flaw may allow file theft

> I'm not certain this pertains to MS Word within MS Office, if not then
> forgive the off topic post!
>
> http://www.cnn.com/2002/TECH/ptech/09/13/microsoft.word.bug.ap/index.html
> ---
> Look OUT you varmits, This msg is Virus Free!
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.386 / Virus Database: 218 - Release Date: 9/9/2002
>
> *************************************************************
> You are receiving this mail because you subscribed to mso@xxxxxxxxxxxxx or MicrosoftOffice@xxxxxxxxxxxxxxxx
>
> To send mail to the group, simply address it to mso@xxxxxxxxxxxxx
>
> To Unsubscribe from this group, send an email to
> mso-request@xxxxxxxxxxxxx?Subject=unsubscribe
>
> Or, visit the group's homepage and use the dropdown menu.
> This will also allow you to change your email settings to digest or vacation (no mail).
> //www.freelists.org/webpage/mso
>
> To be able to use the files section for sharing files with the group, send a request to mso-moderators@xxxxxxxxxxxxx and you will be sent an invitation with instructions. Once you are a member of the files group, you can go here to upload/download files:
> http://www.smartgroups.com/vault/msofiles
> *************************************************************
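The disagreement in the thread is about what a "stolen" signature buys an attacker. The quoted Microsoft statement says a signature lifted from a trusted template and placed over altered code will not verify, because the signature covers the content it was computed over. The following is an added illustration of that verification property, written for this page; it is not code from Greg's post, from the mailing list, or from Microsoft. It uses textbook RSA over a SHA-256 digest as a stand-in for the Authenticode/X.509 signatures Word actually uses, and it models a template as a dict with a "macros" blob and a "signature" integer; both are assumptions made for the example.

```python
"""Added illustration (not from the mailing-list post or from Microsoft):
a toy model of a signed Word template showing that a signature copied from a
trusted template does not verify over changed macro code. Textbook RSA over a
SHA-256 digest stands in for the real Authenticode/X.509 signature; the
template-as-dict layout is an assumption for this example."""
import hashlib
import random


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). The signer keeps d; everyone else gets (n, e)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(macros: bytes) -> int:
    # The signature is computed over the macro code itself, so any edit to the
    # code changes this value and the old signature no longer matches.
    return int.from_bytes(hashlib.sha256(macros).digest(), "big")


def sign_template(macros: bytes, private_key) -> dict:
    """Signer side: attach a signature over the macro code."""
    n, d = private_key
    return {"macros": macros, "signature": pow(_digest(macros), d, n)}


def verify_template(template: dict, public_key) -> bool:
    """Recipient side: accept the template only if the signature matches its code."""
    n, e = public_key
    sig = template.get("signature")
    if not isinstance(sig, int) or not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest(template["macros"])


def demo():
    """Returns (genuine_ok, spliced_ok): the trusted template verifies; the copy
    with the same signature spliced onto changed macros does not."""
    public_key, private_key = generate_keypair()
    # Constructed sample macro text; the content is irrelevant to the check.
    trusted = sign_template(b'Sub AutoOpen()\n    MsgBox "Greg\'s template"\nEnd Sub\n',
                            private_key)
    # The scenario from the thread: keep the signature block, change the code.
    spliced = {"macros": b'Sub AutoOpen()\n    Call SomethingElse\nEnd Sub\n',
               "signature": trusted["signature"]}
    return verify_template(trusted, public_key), verify_template(spliced, public_key)


if __name__ == "__main__":
    print(demo())
```

The check that matters is the scope of what the signature covers: if the verifier recomputes the digest over the macro code that will actually run, a transplanted signature fails. The thread's real worry, that a user can be talked into accepting an unsigned or invalid-signature document anyway, is a social-engineering problem that no signature scheme addresses on its own.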