Malicious scripts

Discussion in 'other security issues & news' started by Osaban, Dec 1, 2007.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Well, for browser-based scripts there's always NoScript and FF.

    For js and vbs you can just disable WSH, right?

    The real problem is scripts embedded into word docs and pdfs. Is there a solution to this?
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It depends on what the script does. Anything is possible, but in all known attacks I've seen documented,
    the payload is a malware executable, which of course is easily blocked.

    This recent Adobe Reader .pdf attack:

    http://isc.sans.org/diary.html?storyid=3958

    A write-up last year of an MSWord attack:

    http://www.eweek.com/article2/0,1895,1965042,00.asp

    Here is a nice analysis of how a payload is inserted into a Word document:

    http://www.securityfocus.com/infocus/1874

    It is very difficult to find such attacks to test, because:

    1) In case of a .pdf file, the attack is often directed at a particular version of the Reader, and may not work.
    Also, every URL I've seen listed in an analysis has been taken down by the time it's posted.

    2) In case of a Word attack, these are pretty much targeted to companies and organizations as email attacks, and no more information is forthcoming. I asked one Security Vendor for a copy of a malicious Word file they tested, and was told that it was proprietary property of the company.

    Another thing to consider... these attacks require the user to click-to-open a malicious file. Ask yourself: under what circumstances are you likely to encounter such a file, that is, what social engineering techniques would tempt you to open such a file?

    If you are concerned about opening what you think is a legitimate .pdf or .doc file on a web site, or one received from a known source (the person may not know the document is infected), there are some other solutions:


    1) pdf:

    Alternate PDF readers are not a sure thing any more, as shown in the recent Foxit Reader vulnerability.

    You can disable all but the necessary Plugins (Open and Print) in Acrobat Reader, so that no embedded code will run.

    2) Word.doc:

    ==> using an older version of MSWord that won't run VBS code

    ==> open the documents in a text editor which will not run any code.



    ----
    rich
     
  3. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    What happens if you open the .doc (or .xls or other office document) in OpenOffice?
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    Nothing happens.
    Mrk
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can disable scripting in both of these programs.
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Software Restriction Policies can block standalone scripts. There are a number of extensions in my SRP Designated File Types, including .bat, .chm, .cmd, .hta, and .vb. You can add file extensions to this list.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A VBScript script embedded in a program document, such as a Word document, has the capability to create a .DLL that is then loaded into the program. Thus, you might wish to make sure your anti-executable solution can also deal with DLLs. SRP can handle this by using an Enforcement setting of 'All software files'. I have read that this may slow down your system though.

    Source: http://blog.didierstevens.com/2008/06/09/quickpost-embedding-an-executable-in-a-vbscript/
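
A read-only check of the settings posts 6 and 7 describe (SRP Designated File Types and the 'All software files' Enforcement option), plus the WSH switch raised in the first post, as an added example that is not part of the thread. It assumes SRP is configured by policy under the standard `Safer\CodeIdentifiers` registry key; the list of script extensions is an illustrative assumption.

```powershell
# Added example, not from the thread. Read-only: nothing is modified.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$WshSub = 'SOFTWARE\Microsoft\Windows Script Host\Settings'
# Script extensions to look for (assumed list; adjust to your script hosts).
$ScriptTypes = 'BAT','CMD','CHM','HTA','JS','JSE','VBS','VBE','WSF','WSH'

function Get-SrpScriptCoverage {
    param([string]$Key = $SrpKey, [string[]]$Wanted = $ScriptTypes)

    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $p) { return [pscustomobject]@{ SrpConfigured = $false } }

    # ExecutableTypes (REG_MULTI_SZ) backs the Designated File Types list.
    $types = @($p.ExecutableTypes | Where-Object { $_ } |
               ForEach-Object { $_.TrimStart('.').ToUpper() })

    # TransparentEnabled backs the Enforcement setting.
    $names = @{ 0 = 'No enforcement'
                1 = 'All software files except libraries (such as DLLs)'
                2 = 'All software files' }
    $te = $p.TransparentEnabled
    $scope = 'Not set'
    if ($null -ne $te -and $names.ContainsKey([int]$te)) { $scope = $names[[int]$te] }

    [pscustomobject]@{
        SrpConfigured = $true
        Enforcement   = $scope
        DllsCovered   = ($te -eq 2)   # only 'All software files' checks DLL loads
        MissingTypes  = @($Wanted | Where-Object { $types -notcontains $_ })
    }
}

function Get-WshSetting {
    # 'Enabled' = 0 turns Windows Script Host off for that hive's scope.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $v = (Get-ItemProperty -Path "$hive\$WshSub" -ErrorAction SilentlyContinue).Enabled
        if ($null -eq $v) { $v = 'not set (WSH on)' }
        [pscustomobject]@{ Hive = $hive; Enabled = $v }
    }
}

Get-SrpScriptCoverage | Format-List
Get-WshSetting | Format-Table -AutoSize
```

An empty `MissingTypes` with `DllsCovered` true matches the configuration described in posts 6 and 7; neither setting governs scripts that run inside Adobe Reader or Office.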
     
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Will this solution disable all malicious js and vbs scripts even in pdf and word?

    Found at Microsoft Technet

    Also what are the potential side effects?
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I don't believe doing this will affect pdf or office scripts, because they don't depend on WSH. If you don't wish to disable scripting in these programs, I believe that HIPS settings for Adobe Reader and the Office products could constrain what the embedded scripts can do, but I didn't personally test this.
     
    Last edited: Jun 16, 2008
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes. The script will instruct what the program (office/adobe) should do.
     
  11. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I've found the JS options in Adobe.

    It is under Edit --> Preferences --> JavaScript

    However what about other scripts like vbs in PDFs? Is that possible?

    What about in Office 2007? Where are the settings?
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Not that I know of.

    If you get .chm files from untrusted sources, there are steps that can be taken to mitigate possible damage from opening them. Let me know if you want more details....

    For Word, you can look at Tools->Macros->Security. This is for Word 2003 however.
     