Safer alternative to handling office documents


Deleted member 65228

Thread author
Hello all.

This is a very short tip I wanted to express, it may help many of you stay more secure when handling office documents (e.g. Microsoft Word documents).

Even if you have Microsoft Office, throw it away unless you really need it. If you don't want to throw it away, then make sure macros are disabled.

A majority of the time you won't need software to handle office documents, you can use web-based alternatives which will be much more secure, such as Google Drive. If you are paranoid about privacy then simply make a backup Google account to use Google Drive with, using non-personally identifiable information, with a Virtual Private Network (VPN) enabled.

Using web-based alternatives will mitigate every attack I know of which revolves around zero-day exploitation with office documents, as well as macro-based malware attack deployment. When you upload a document to a service like Google Drive, anything malicious which is embedded within like a macro or custom native shellcode which is supposed to be executed via exploitation of an unknown vulnerability will simply be mitigated; it's all handled on the cloud servers owned by Google and such won't be able to occur on their servers in the first place!

Of course you can still find malicious URLs within documents (e.g. phishing or a URL to a malicious download), that's pretty obvious. However, attacks through native code execution injected into office documents (via an exploit) or macro attacks and the like will be mitigated by using an online service to view and edit the documents.

Microsoft Office and many similar software-based solutions have been a high-priority target by attackers for a very long time now. This is due to how many people use such software. A lot of malware is pushed through e-mail spreading, and using office documents as an attack vector for deployment of malicious software, because more people may be convinced it is safe because it's an office document as opposed to an executable.

Use web-based services when applicable instead, remove attack vectors like Microsoft Office if you don't truly need it. Not to mention that web-based services will be cheaper/free for use, and you can take measures to protect your privacy if you're concerned.

This is an opinionated post so take it with a grain of salt, I just wanted to express this opinion because it can help some people who may not have considered doing this before.

Thanks for reading.
 

upnorth

Great tips! (y) I agree and it's good to see companies move more and more to web-based (better word than cloud-based, easier to understand) solutions not just for the obvious security reasons. Microsoft's web-based Outlook.com nowadays includes more or less everything basic in the Office suite so no reason to pay for that anymore unless you have to. A win-win situation.
 

HarborFront

People are "stuck" in their minds using Microsoft Office because businesses and organizations - most notably educational institutions of the university type - still specify and push Microsoft Office, Adobe Acrobat, Windows, and such pretty hard. For shame, brainwashing the world's youth with Microsoft's garbage. I thought academic institutions were supposed to be institutions of higher learning and the last bastions of wisdom and saviors of mankind and all that. Or is that the church ? Microsoft's mighty dollar obviously prevails over all that. Sorry, you all know it's all true - no matter how offensive.

For the average Joe there are cheaper, better alternatives than Microsoft Office - and Windows I might add.

For one, let's start with Chrome OS. Average Joe is much better served using Chrome OS than Windows.

Ok so you get garbage from MS.

What about your privacy with Google, its hardware and software services?

BTW, does Chrome OS offer as many 3rd-party software as Windows? If no, then is using Windows 3rd-party software on Chrome OS a breeze without issues?
 

HarborFront

Regarding Google's security far outweighs its privacy.

It's true but I know Google's hardware listens and may even record your videos. I know not of MS hardware doing this.
 

HarborFront

See my edited post above.

No software is a breeze. Therefore the solution is to keep it as simple as possible and not try to make it overly complicated by adding more. Adding more is when problems begin. With Chrome OS I would:

1. Not use Android apps
2. Add VPN
3. Stick with stock features and options

No one uses Chrome OS because there are a lot of 3rd party options and software. In fact, they use it exactly because there isn't.

Just like with Windows, less is more. For your sanity, for your security. Add stuff, you lose your peace of mind, problems start, and you can lose security in some respects.

My Windows is awesome, reliable, and essentially problem free because I add next to nothing to it, but instead remove as much as I can from it. The problems I do experience with Windows are due to the stuff that Microsoft itself introduces into Windows.

Chrome OS may be safe for now and not subject to the same kind of attacks as Windows but as it grows to be like Windows in the future it will. And then all the problems associated with the OS will come in just like Windows.

It's just a matter of time
 

509322

Thread author
Chrome OS may be safe for now and not subject to the same kind of attacks as Windows but as it grows to be like Windows in the future it will. And then all the problems associated with the OS will come in just like Windows.

It's just a matter of time

That is not a rational reason not to use Chrome OS - not on a Windows device, but a standalone Chromebook. The security is too good not to use it.
 

AtlBo

Microsoft Office and many similar software-based solutions have been a high-priority target by attackers for a very long time now. This is due to how many people use such software. A lot of malware is pushed through e-mail spreading, and using office documents as an attack vector for deployment of malicious software, because more people may be convinced it is safe because it's an office document as opposed to an executable.

Macros are very useful. MS already uses the file designations for macro-enabled files like .xlsm and so on. So why hasn't there been more invested in securing macro use? For example, security programs could easily identify and alert when a file could potentially run a macro, especially easy with MSO. Yet open document files created with Libre Office (I suppose Open Office too) could have macros too, just not using a language designed for them like VB is for Office. Also, Office could be configured to allow macro files one by one instead of macros on or macros off. If there were a system from MS for Office for controlling which macro files were openable (i.e. only this whitelist) for a workstation network, then there wouldn't ever be a problem with Office in companies.

For now at least, I like the idea of running Office in the sandbox. Won't tell me if I get something really horrible in the box I guess like a banking trojan or whatever, but at least maybe it won't run from the sandbox. One of these days, maybe I will find a way to test to see if 360 sandbox would block a macro from running script outside. I know an Office macro will run inside their sandbox...just don't have a file containing one that attempts to reach out to a location outside of the single file containing the macro.
 

509322

Thread author
The best solution is not to use Microsoft Office to start with. If you don't want to accidentally shoot yourself in the foot, don't carry a loaded weapon pointed at your foot. It's so stupid (because it is such basic common sense that it should require 0 mental effort) that it is absolutely brilliant (because people cannot see the basic common sense solution even with 100 % mental exertion at 100 % mental capacity).

For a single example, Kingsoft WPS offers the typical Windows user everything they need for text editing for a fraction of the price ($49 at Cyberweek) for a Lifetime license. It uses a fraction of the system resources of Microsoft Office and it is a fractional security risk of Microsoft Office.

A person can find an alternative to Microsoft Office out there that will meet their needs and they can live with personally.
 

Danielx64

While it is nice to dump Microsoft Office, that's not always possible. For those who must use Microsoft Office (and why is not really part of this topic), I'm sure that there are GPO options that you can set that will disable macros and other harmful features that you may not need. Yes, it does take some work to get those options working, at least it will reduce the attack vector.
 

Windows_Security

Libre Office facilitates plugins, has Visual Basic, runs BeanShell, Python and JavaScript. So it actually has more threat vectors than Microsoft Office, it is only "safer" because malware writers don't target it as much.

With Microsoft Office: use Hard configurator, Harden or simply disable add-ons, plug-ins and macros in the Microsoft Office Trust Center. System admins can disable them through Group Policy.
 

509322

Thread author
Libre Office facilitates plugins, has Visual Basic, runs BeanShell, Python and JavaScript. So it actually has more threat vectors than Microsoft Office, it is only "safer" because malware writers don't target it as much.

With Microsoft Office: use Hard configurator, Harden or simply disable add-ons, plug-ins and macros in the Microsoft Office Trust Center.

That's the whole point. Change attack surface - because they are not targeted. It's a more sound risk reduction strategy than playing dice with Microsoft Office in an office full of average Joes that barely know how to turn their workstations on when they arrive to work in the morning. Because people don't listen too good - and don't disable macros - even if you tell them a million times - don't enable the macro !!

I advise all businesses to get rid of Microsoft Office once and for all - or to disable macros completely and never ever use them again - among a bunch of other things to neutralize the Microsoft Office threats if they insist on using it (basically what you suggest with other things).

Microsoft is way behind the security 8-ball.
 

_CyberGhosT_

Libre Office facilitates plugins, has Visual Basic, runs BeanShell, Python and JavaScript. So it actually has more threat vectors than Microsoft Office, it is only "safer" because malware writers don't target it as much.

With Microsoft Office: use Hard configurator, Harden or simply disable add-ons, plug-ins and macros in the Microsoft Office Trust Center. System admins can disable them through Group Policy.

Spot on, and dealing with the macros is a must for sure ;) (y)
 

HarborFront

MS Word & Excel macros are disabled by default so what's the concern.....unless you have a malware that turns it on, right?
 

Windows_Security

Well, the advice of this thread, running Office in a Low Level Rights (or even better in AppContainer sandbox with Edge and Chrome), sort of makes most security discussion about Office something of the past. When a browser is capable of sandboxing plug-ins and JavaScript on an HTML page, why would that browser fail when confronted with VBS or macros in a document? Remember HTML stands for Hyper Text Markup Language ;)

KEY POINT MADE: @Opcode advice is sound advice.
 

509322

Thread author
KEY POINT MADE: @Opcode advice is sound advice.

That's the problem. People, average Joe, people on forums, don't follow sound advice. People that pay very handsomely per hour for sound advice, don't follow sound advice. Make software "automagical" as someone recently put it, and those very same people turn off automagic or find a way to mess it up.

LOL... it's true.

But @Opcode's suggestion is spot on. I don't even bother to put an office productivity suite on my personal system as I don't need one. So I don't have to worry about it on my dedicated banking system.
 

Deleted member 65228

Thread author
Thanks all we got an interesting discussion going on :)

@AtlBo I agree with you mate don't worry but what I meant is that it should be avoided unless it is really needed in my view my friend :) also someone might enable it once or twice and then forget and leave it enabled so I also think that Office should enable only for documents it was enabled on by default at the least. And maybe some sort of "behavior overview" based on the macro code to be displayed before it can run

As for Chromebooks, I agree with Lockdown on this one, it is much safer and usually appropriate for an average Joe most of the time I would say. :)
 

Danielx64

MS Word & Excel macros are disabled by default so what's the concern.....unless you have a malware that turns it on, right?

Last time I checked I'm sure that they are on, and it also comes down to the fact if a document had docx or docxm as the file extension (I may have that bit messed up). Even then we still got doc to worry about.
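
The thread touches on alerting when a file could run a macro and on how far the file extension can be trusted, including legacy `.doc`. As an added example (not code from any poster or product named in the thread), the Python sketch below classifies a file by its content instead of its name; the function names, the constructed sample files and the `_VBA_PROJECT` byte search for legacy files are assumptions of this example, and the legacy check is a heuristic, not a full OLE parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}

def classify(data: bytes, filename: str) -> dict:
    """Classify an office file by its content, not by its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"container": "unknown", "macros": False, "extension_mismatch": False}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        # Heuristic: a VBA project stores a stream named "_VBA_PROJECT", and
        # OLE directory entry names are UTF-16LE, so search for that byte run.
        result["macros"] = "_VBA_PROJECT".encode("utf-16-le") in data
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return result  # an ordinary ZIP, not an OOXML package
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["container"] = "ooxml"
        has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        declares_macro = "macroenabled" in types.lower()
        result["macros"] = has_vba_part or declares_macro
    # A macro-free extension on a macro-carrying payload is worth an alert.
    result["extension_mismatch"] = result["macros"] and ext in MACRO_FREE_EXTS
    return result

PLAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
MACRO = "application/vnd.ms-word.document.macroEnabled.main+xml"

def constructed_ooxml(main_type: str, with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML-style ZIP for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override PartName='
                   f'"/word/document.xml" ContentType="{main_type}"/></Types>')
        z.writestr("word/document.xml", "<document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"placeholder bytes, no VBA code")
    return buf.getvalue()

if __name__ == "__main__":
    constructed_ole = OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le")
    print(classify(constructed_ooxml(PLAIN, False), "report.docx"))
    print(classify(constructed_ooxml(MACRO, True), "report.docm"))
    print(classify(constructed_ooxml(MACRO, True), "renamed.docx"))
    print(classify(constructed_ole, "old.doc"))
```

A mail gateway or download hook could call `classify` on each attachment and quarantine anything where `macros` is true, treating every `ole` container as macro-capable until a proper parser has cleared it.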
 
