Safer alternative to handling office documents

  • Thread starter Deleted member 65228

Andy Ful

Last time I checked I'm sure that they are on, and it also comes down to the fact if a document had docx or docxm as the file extension (I may have that bit messed up). Even then we still got doc to worry about.
Normally, MS Word *.docx files cannot be created with embedded macros (starting from MS Office 2007). But if you change the extension of a file with an embedded macro from *.docm to *.docx, then it will still be opened with the macro as if it were *.docm. So every Microsoft Office file can be dangerous.
@Opcode my friend, thanks for pointing out the safer possibilities to manage MS Office documents. :)
This is the first thing I do while making the setup for the average user.
I can only add that there is a free addon for Edge browser: Office Online (Microsoft addon), as an alternative to Google Drive.
Also as @Lockdown said, the best alternative for the home users is not using MS Office at all, and start using office applications without macros. I am not sure if this can always save people, because of other possibilities like embedded active controls and some non-macro vulnerabilities. Maybe I should test it some day.
Personally, I use Word Mobile, Excel Mobile and PowerPoint Mobile (Universal Applications for Windows 10, AppContainer sandbox) for document viewing, and Office Online (rarely) when I need to create documents.
There is also a PDF document problem. I can recommend STDU Viewer, I contacted the developer, and he affirmed that it does not open active components embedded in PDF files.
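The extension-renaming point in the post above is why a filter should classify Office files by package content rather than by name. The following is an added example, not part of the original thread: it checks an OOXML (ZIP) package for a VBA project part or a macro-enabled content type and flags files whose extension claims to be macro-free. The function names and the in-memory sample packages are constructed for illustration; legacy OLE2 `.doc` files are out of scope.

```python
import io
import zipfile

MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")
# Markers found in [Content_Types].xml of macro-enabled packages.
MACRO_MARKERS = (b"macroEnabled", b"vnd.ms-office.vbaProject")
MAX_CT_SIZE = 1_000_000  # refuse to inflate an oversized content-types part

def inspect_ooxml(data: bytes) -> dict:
    """Report macro indicators from package content, ignoring the file name."""
    info = {"is_ooxml": False, "vba_parts": [], "macro_content_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return info  # not a ZIP container (e.g. legacy OLE2 .doc)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            return info
        info["is_ooxml"] = True
        info["vba_parts"] = [n for n in names
                             if n.lower().endswith("vbaproject.bin")]
        if z.getinfo("[Content_Types].xml").file_size <= MAX_CT_SIZE:
            ct = z.read("[Content_Types].xml")
            info["macro_content_type"] = any(m in ct for m in MACRO_MARKERS)
    return info

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when content carries macros but the name claims a macro-free type."""
    info = inspect_ooxml(data)
    has_macro = bool(info["vba_parts"]) or info["macro_content_type"]
    return has_macro and filename.lower().endswith(MACRO_FREE_EXT)

def build_sample(macro: bool) -> bytes:
    """Constructed minimal package for the demo; not a real Word document."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
            "application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")
    ct = ('<Types><Override PartName="/word/document.xml" '
          f'ContentType="{main}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<document/>")
        if macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, macro in (("report.docx", True), ("report.docx", False)):
        print(name, "macro content:", macro,
              "-> mismatch:", extension_mismatch(name, build_sample(macro)))
```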
 

Deleted member 65228

Thread author
@Andy Ful Great points my friend :)

The reason I think online web services for viewing/managing documents are safer from a security point of view in regards to malicious code is going to be clear to you and others who research these sorts of things. Imagine the difference between attacking someone via a macro for malicious code execution, and then having something similar done using a document accessed and used on a web-service by Google. The only thing a normal criminal would be able to do is trick the viewer into clicking a link on the document to do a drive-by-download/get them to download and run a malicious program, or the like. The chances of a criminal being able to have an Office document accessed via a service like Google Drive to perform exploitation to execute malicious code under the context of the browser/gain control over the Host in any shape or form are extremely unrealistic, especially in a normal environment. I really would not be surprised if even a government agency failed to do such a thing in a reasonable period of development time. :sneaky:

I think that sandboxing Microsoft Office is perfectly fine because this also covers other attack vectors separate from macros, such as exploitation of the file format for arbitrary code execution when the document is opened and then loaded within the Microsoft Office process(es), but I think the best option overall is simply to avoid software like that with a high-demand for attacks which is filled with holes. We can see from the number of vulnerabilities over the last decade which have actually been successfully exploited and abused through real live samples in the wild for both an average home user as well as businesses, that Microsoft Office, among many other software such as Adobe PDF Reader, is full of holes... Every software will have many vulnerabilities, it is only a matter of time of them being discovered and then abused, but the demand for attack on popular software like Microsoft Office is just too big. While sandboxing is great, you still give the attacker a chance to over-power the sandbox; unless it is real virtualisation like with Comodo Sandbox or the new Windows Defender Application Guard, I won't lean towards the sandboxing method so much because I know that non-virtualisation techniques like injecting code and setting hooks are just unreliable. :censored:

I think the easiest way to stay safe in terms of what software you use is to make sure the software is regularly updated to patch security vulnerabilities, but whilst avoiding software with a massive demand for attack (especially if research proves it has been successfully attacked a superior amount of times since the origin) and keeping it simple. This note is explicit regarding this topic, of course to stay safe there is much more to it than about how you use Office documents, haha.

I have Google Chrome and Firefox installed because I switch between the two every now and again, and Microsoft Edge is always there as a rare backup scenario (I don't worry about it being abused because Microsoft Edge is superior to both Google Chrome and Firefox when it comes to attacks coming from the Host, and I've manually verified this through weeks of manual testing). It is a lot more elegant and responsible for me to simply use a service like Google Drive, the need for Microsoft Office which opens more attack vectors (and potential for dangerous mistakes such as allowing a macro) vanishes because of this. :alien:
 
