When I do penetration tests I think macros are a useful tool. Most organizations now have strong perimeter defenses. So the initial foothold onto the network is a substantial challenge. For larger networks you can anticipate stupid (unknowning) users that will launch a macro. Everyone has their favorite set of excel macros after all. It's not a clever attack, but it gets the job done. The challenge of getting a foothold may increase the pressure to use macro attacks. However, overall I think there will be a slight decline
<br><br>In favor of not using macros is Web 2.0. Via web "defacement", XSS, DNS attacks, and social networking sites that I can fairly confidently find a secondary target that I know my primary target will visit. I can then attack IE/Firefox. I think it's a fair bet to say there's always an exploit for IE/Firefox/Flash/libjpeg/libpng/wmv/mpeg/etc that's standard content for web pages. Further, Office 2007 is now on the scene. While I have no expertise on Office software is generally more prone to bugs (and thus attacks) earlier in it's life cycle. Therefore, Office attacks might focus more on direct exploitation rather than using a macro.
<br><br>The above is just my opinion. I have no hard data supporting it one way or another, so take it as you will. <br><br>-Matt<br><br><br><div><span class="gmail_quote">On 6/5/07, <b class="gmail_sendername">Muscarella, Sebastian (IT)
</b> <<a href="mailto:Sebastian.I.Muscarella@morganstanley.com">Sebastian.I.Muscarella@morganstanley.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div>
<div dir="ltr" align="left"><font face="Tahoma"><font size="2">Wanted to ask <span>this forum's </span>opinion on the state of macro
threats. While we have not seen too many this past year which were
actively exploited, we wanted to know if <span>there are any</span> indications on whether this
threat would increas<span>e, </span>decrease<span>, become more sophisticated</span> in the next
year or two.</font></font> </div>
<div>
<div>
<p><span style="font-size: 10pt;">Any information
would be very helpful. We're currently looking at enhancing some security
features in-house around Microsoft Office, and want as much intelligence on the
topic as possible.</span></p><span style="font-size: 10pt;"></span></div>
<div><span style="font-size: 10pt;"></span><span style="font-weight: normal; font-size: 7.5pt;">
<p><span></span><font face="Tahoma"><font size="2">T<span>hanks,</span></font></font></p>
<p><font size="-0"><font size="2"><span></span></font></font><span></span><font face="Tahoma"><font size="2">S<span>ebastian
Muscarella</span></font></font><br></p></span></div></div>
<div> </div></div>
<div>
<hr>
</div>
<p style="margin: 0in 0in 0pt; text-indent: 0in;"><span style="font-size: 8pt; color: gray;"><font color="gray" face="Arial" size="1">NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
</font></span></p>
<div>
</div></div>
<br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Matthew Wollenweber<br><a href="mailto:mwollenweber@gmail.com">mwollenweber@gmail.com</a> | <a href="mailto:mjw@cyberwart.com">mjw@cyberwart.com</a><br><a href="http://www.cyberwart.com">
www.cyberwart.com</a>