Macro Viruses are back

In 1999, CERT has released a notification about vulnerability in Microsoft Office Suite which can be exploited by a worm named Melissa. This worm actually used the Macros available in MS Office. In the advisory, CERT suggested to disable the macros to avoid any outbreak of Melissa.

Recently, the threats of exploit of Macros surfaced again and CERT highlighted the risks in a post dated June 8, 2016.  Microsoft Office macros can help automate repetitive tasks but they can also be used to run a malicious program which can infect the system. Malicious Microsoft Office documents that leverage macros are exploiting capabilities that are provided by Microsoft Office by design. To avoid the impact of the macros, Microsoft has provided some level of warning to the users about the threat but unfortunately, the default Microsoft Office settings for macros are not secure. Users of newer versions of Office (2010 or 2013) are even more likely to enable macros without understanding the consequences of doing so. This phenomenon is known as "dialog fatigue" problem that could lead users to give in and make a poor decision.

In an organization, a security administrator needs to identify the sanctioned use of macros and they should allow executing the macros only to those users who really need to. The question of who needs this access must be answered with considering the business requirement.

Solution: Disable the macros without notification by default if it is not required and enable them for only a certain group who requires it. This will reduce the attack vector and surface area of the exploit.

Only allow the signed macro which can reduce the fraction of attack. This might not be as effective if the signing keys are compromised.

And finally, use the Trusted Location feature of MS Office to configure the trusted locations from where the document can be loaded with macros enabled by default.

The advisory was published by CERT which suggests a review of the Macro settings in MS Office products in wide organizations.

Authored by Punit Dwivedi

Rate this article: 
No votes yet
Article category: