macros and security

Lara

I have a more general macro distribution question than a specific VBA
programming problem.

I just read some articles touting WordPerfect over Word, largely because of
how they say Word handles macros and security. They say that you can't use
macros in Word without fearing that they might contain a virus. They also
say that Word requires that macros be signed and trusted before they are run
(unless security is set to low which you wouldn't want to do), therefore
making macros worthless for anyone but the author, and therefore making
commercially available macro systems/packages difficult to come by.

Is this true? My understanding is that as long as your VBA code is stored
properly (i.e., not in Normal.dot, and in the appropriate startup or
template folders) that macros will run fine with security set to High, and
should not be prone to corruption from the distribution of malicious code,
even if they are not signed. I created an add-in like this for our
organization that works fine and is not a security concern. Is there any
truth to the issues noted above? Is there more risk in Word of getting
malicious code distributed to and executed on our computers than in any
other program?
 
Lara

Thank you Jonathan.

That explains what I needed to know, but begs another question. Why would
one ever bother creating her own signature to sign macros with if the macros
are already considered trusted when installed properly? What's the point? I
would be even more suspect of doing so if users will get that "you might
have a fake certificate" message. And regarding "official" (paid for)
certificates, I have the full version of Adobe Acrobat on my machine, and I
notice that even Adobe's macros are not signed. So why bother with either?

Lara
 
Jonathan West

Lara said:
> Thank you Jonathan.
>
> That explains what I needed to know, but begs another question. Why would
> one ever bother creating her own signature to sign macros with if the macros
> are already considered trusted when installed properly? What's the point?

They are only trusted if installed properly if that box in the Trusted
Sources tab is checked. By default, it isn't if I recall correctly.

> I would be even more suspect of doing so if users will get that "you might
> have a fake certificate" message. And regarding "official" (paid for)
> certificates, I have the full version of Adobe Acrobat on my machine, and I
> notice that even Adobe's macros are not signed. So why bother with either?

A proper signature becomes more useful if your distribution mechanism is
unclear. If you are distributing macros within your own organisation, or
emailing templates direct to customers, then they can be confident enough
that the templates are coming from you, and a selfcert certificate is
sufficient for the purpose IMO. Selfcert is what I use for my own templates,
and my customers have been perfectly happy with them.

Where templates might be downloaded from a third-party web site, then
arguably a proper cert from Thawte might be justified.

--
Regards
Jonathan West - Word MVP
MultiLinker - Automated generation of hyperlinks in Word
Conversion to PDF & HTML
http://www.multilinker.com
 
