Microsoft Word Security FAQ
92 percent of all desktop computers
Microsoft Word is the dominant force in word processors.
As a popular target for the computer bad guys, it has had
a reputation for having
numerous security problems
What to Do
- Upgrade, upgrade, upgrade -- if you can. Microsoft has released
security upgrades and fixes for its Word product. Fixes should be
applied when they are made available, however it isn't always possible
to perform an upgrade without high costs.
Newer versions of Word require newer versions of Microsoft Windows,
which in turn require newer hardware to run. A security update could
mean a whole new computer, a whole new version of Word, and a whole
lot of expense.
- Always run anti-virus software. The eSecurityGuy's article on configuring your
new computer contains great information and links.
- Don't allow macros to run. Macros are small programs embedded
into the Word document itself, and are intended to make the word
processing experience easier. The bad guys, however, use macros to
make life much more difficult.
Whenever Word asks if you should trust a macro contained in a document
from another person you should tell it to not trust the macro. In
fact, you should configure Word to not run macros by selecting High
for the macro security level in the Macro Security dialog.
- ActiveX is a security nightmare. In addition to Macros, Word has
the ability to run what Microsoft calls ActiveX controls. These
controls are actually full programs that can cause major havoc with
your computer. ActiveX security settings should be set to either not
run ActiveX, or to prompt the user before a control is run.
- Signed Macros and ActiveX Controls should be carefully
scrutinized. Microsoft has recently included signature technology
into Word so that Macros and Controls can be digitally signed in an
attempt to authenticate these potentially malicious programs. These
signatures are created through the use of Public Keys so that Word can
display a screen saying that the particular Macro was signed by
Microsoft, or some other entity.
It is important to note that Microsoft, and most other entities, do
not verify precisely what a signed programs does. They only
certify that they have seen it, which doesn't do much for the security
of your computer.
- Password Encryption Provides Minimal Security. The encryption
performed by Word, when enabled, provides very little real security.
Numerous programs, such as Word
Password are guaranteed to be able to crack the password used on
any Word document. Consult a security expert if you need strong