I just recieved some generic work related mail with word file attached that was requesting to Enable Editing in order to view its content. I'm not going to fall for it but it got me wondering. What could possibly happen to my PC if i enabled the editing there?
Asked
Active
Viewed 460 times
0
-
Remote code execution – yeah_well Aug 05 '19 at 12:58
-
I cannot post an answer because of reCaptcha, so will try to answer here. The main danger of office documents is not VBA. VBA can be disabled. Fairly low count of word and excel docs use VBA: clerks and secretaries are not programmers and cannot create them. Though there are some templates created by programmers, but it's fairly safe to disable VBA. – KOLANICH Aug 05 '19 at 20:10
-
The problem is in another place. Office documents can embed and link blobs of other formats (this is called OLE objects), and the code processing the embedded stuff is often vulnerable. * The most dangerous are ... embedded fonts. They are (or at least were) passed to kernel, so if the kernel has a vulnr, an attacker immediately gets one of the highest privilege levels. From this level he can reflash firmwares, including bios, to get persistence making impossible to clean the malware with software means only. – KOLANICH Aug 05 '19 at 20:11
-
* the next dangerous are embedded objects processed by Office itself. Lot of obsolete image formats you have hever heard about. Compromise user level, an attacker needs more exploits to escalate further. Or doesn't need, often it is enough to just collect the valuable info and exfiltrate it. This info is usually available from users level of privileges. Passwords databases, crypto keys, cryptocurrency wallets, trade secrets, stuff like that. – KOLANICH Aug 05 '19 at 20:11
-
* the next dangerous are OLE servers by third-party apps. Can be mitigated by purging the info from registry. – KOLANICH Aug 05 '19 at 20:12
-
* spreadsheets have issues with formulas. Formulas in csv and tsv are also evaluated by Excel and LO and this antifeature cannot be removed because it would enfuriate corporate users. – KOLANICH Aug 05 '19 at 20:12
-
All of these have made documents a weapon of choice of APTs. So, you generally should never open docs sent by email, and especially old `doc`, `ppt` and `xls` documents. Instead demand their conversion to `pdf` or `markdown`. If your webmail has convertor, use it. For `docx` and `xslx` and other OOXML you can also use `pandoc` or convert them manually - they are just zip archives with XML. For non-sensitive docs it is possible to use online converters. – KOLANICH Aug 05 '19 at 20:13
1 Answers
1
When you Enable Editing or Enable Content, you enable any macros embedded in the document to run.
An attacker can embed VBA (Visual Basic for Applications) macros in the document, which is really just a generic programming language. With it they can access information about your computer, access resources like the network, and get malicious code like a backdoor or an remote access agent to run. That code can use privilege escalation attacks to gain administrator access, if you weren't already running as an admin, and have full control over the computer.
So, good thing you didn't fall for it.
Note that newer versions of Word have bifurcated the format into .docx and .docm, where .docx files may not contain macros and .docm files may. This is to make it easier to treat a file as 'safe' as opposed to having every file be a potential macro carrier.
gowenfawr
- 71,975
- 17
- 161
- 198
-
VBA isn't the only attack vector, you can also potentially have Macro 4.0 or DDE planted in the file. – Raimonds Liepiņš Aug 05 '19 at 14:13