Wednesday, May 15, 2019

Evil Clippy Is Bad News For Word Users

Word macros have been a security problem ever since the days of Melissa, one of the first widespread macro viruses. Since then, Microsoft has made Word more secure, and many organizations lock down the macro capabilities of Word so that users either can't use them at all or have to enable macros explicitly.

However (Isn't there always a however?), security researchers have released a new tool, Evil Clippy, that hides or disguises malicious macro code so that the tools meant to inspect it are fooled. It doesn't get a macro past the enable-macros prompt; it keeps antivirus and macro analyzers from seeing what the macro really does. Here's the TL;DR from BoingBoing:
Evil Clippy comes from Dutch security researchers Outflank: "a tool which assists red teamers and security testers in creating malicious MS Office documents. Amongst others, Evil Clippy can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools. It runs on Linux, OSX and Windows." Evil Clippy's magic depends in part on some awesomely terrible undocumented Office features, including "VBA Stomping": "if we know the version of MS Office of a target system (e.g. Office 2016, 32 bit), we can replace our malicious VBA source code with fake code, while the malicious code will still get executed via p-code. In the meantime, any tool analyzing the VBA source code (such as antivirus) is completely fooled."
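As an added illustration of the stomping mechanism described in the quote above (example code written for this page; it is not Evil Clippy and not code from Outflank or BoingBoing): in an Office file each VBA module stream is an undocumented p-code block followed, at the offset the project's dir stream records, by the macro source in the one part of this that MS-OVBA does specify, the compressed container of section 2.4.1. The script implements that codec, performs the swap stomping performs (replace the source container, leave the p-code bytes alone), and applies the cross-check analysts use against it: every name the p-code refers to should also appear in the source. The p-code bytes, the macro text and the set of names the p-code references are all constructed for the demo; in practice the names come from a p-code disassembler, and a source-only analyzer is exactly what sees the fake macro.

```python
"""MS-OVBA 2.4.1 codec plus a VBA stomping demo. Example written for this page; not Evil Clippy or Outflank code."""
CHUNK = 4096  # a DecompressedChunk holds at most 4096 bytes

def _copytoken_help(difference):
    # MS-OVBA 2.4.1.3.19.3: CopyToken = offset (high bits) | length (low bits); the split depends on chunk position
    bits = max((difference - 1).bit_length(), 4)      # == max(ceil(log2(difference)), 4)
    return bits, 0xFFFF >> bits, (0xFFFF >> bits) + 3  # bit count, length mask, maximum length

def decompress(container):
    """Decode a CompressedContainer: signature byte 0x01 followed by CompressedChunks."""
    if container[:1] != b"\x01":
        raise ValueError("missing CompressedContainer signature byte")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_end, chunk_start, pos = pos + (header & 0x0FFF) + 3, len(out), pos + 2
        if not header >> 15:                           # raw chunk: 4096 literal bytes
            out += container[pos:pos + CHUNK]
            pos += CHUNK
            continue
        while pos < chunk_end:                         # TokenSequence: flag byte + up to 8 tokens
            flags, pos = container[pos], pos + 1
            for i in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> i) & 1:               # LiteralToken: one byte, copied as is
                    out.append(container[pos])
                    pos += 1
                else:                                  # CopyToken: back-reference into this chunk
                    token = int.from_bytes(container[pos:pos + 2], "little")
                    pos += 2
                    bits, length_mask, _ = _copytoken_help(len(out) - chunk_start)
                    length, offset = (token & length_mask) + 3, (token >> (16 - bits)) + 1
                    for _ in range(length):            # byte by byte: out[-offset] may be a byte just written
                        out.append(out[-offset])
    return bytes(out)

def compress(data):
    """Encode bytes as a CompressedContainer with greedy longest-match LZ77 tokens."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), CHUNK):
        chunk, body, pos = data[start:start + CHUNK], bytearray(), 0
        while pos < len(chunk):
            flags, tokens = 0, bytearray()
            for i in range(8):
                if pos >= len(chunk):
                    break
                best_len = best_off = 0
                if pos:                                # first byte of a chunk is always a literal
                    bits, _, max_len = _copytoken_help(pos)
                    limit = min(max_len, len(chunk) - pos)
                    for off in range(1, pos + 1):      # back-references never reach before the chunk
                        n = next((k for k in range(limit) if chunk[pos - off + k] != chunk[pos + k]), limit)
                        if n > best_len:
                            best_len, best_off = n, off
                        if best_len == limit:
                            break
                if best_len >= 3:
                    tokens += (((best_off - 1) << (16 - bits)) | (best_len - 3)).to_bytes(2, "little")
                    flags |= 1 << i
                    pos += best_len
                else:
                    tokens.append(chunk[pos])
                    pos += 1
            body += bytes([flags]) + tokens
        raw = len(body) > CHUNK                        # incompressible: the spec stores 4096 raw bytes
        if raw:
            body = bytearray(chunk.ljust(CHUNK, b"\0"))
        out += ((len(body) - 1) | (0b011 << 12) | ((not raw) << 15)).to_bytes(2, "little") + body
    return bytes(out)

def split_module_stream(stream, module_offset):
    """PerformanceCache (p-code, undocumented), then the compressed source at MODULEOFFSET (from the dir stream)."""
    return stream[:module_offset], decompress(stream[module_offset:]).decode("latin-1")

def stomp(stream, module_offset, fake_source):
    """VBA stomping: keep the p-code Office executes, swap only the source analysts read."""
    return stream[:module_offset] + compress(fake_source.encode("latin-1"))

def names_missing_from_source(source, pcode_names):
    """Names the p-code references but the source never mentions (non-empty means stomped)."""
    return {n for n in pcode_names if n not in source}

# Constructed demo data: placeholder p-code (the real format is undocumented and not reproduced here)
FAKE_PCODE = b"\x00PCODE-PLACEHOLDER\x00" * 3
REAL_SOURCE = 'Sub AutoOpen()\r\n    CreateObject("WScript.Shell").Run "calc.exe"\r\nEnd Sub\r\n'
FAKE_SOURCE = 'Sub AutoOpen()\r\n    MsgBox "Quarterly figures"\r\nEnd Sub\r\n'
PCODE_NAMES = {"AutoOpen", "CreateObject", "WScript.Shell", "Run", "calc.exe"}  # as a p-code dump would list them

def demo():
    offset = len(FAKE_PCODE)
    original = FAKE_PCODE + compress(REAL_SOURCE.encode("latin-1"))
    stomped = stomp(original, offset, FAKE_SOURCE)
    pcode_a, src_a = split_module_stream(original, offset)
    pcode_b, src_b = split_module_stream(stomped, offset)
    return {"pcode_unchanged": pcode_a == pcode_b,               # what Office will run
            "source_seen_by_analyst": src_b,                     # what source-only tools show
            "clean_indicators": names_missing_from_source(src_a, PCODE_NAMES),
            "stomped_indicators": names_missing_from_source(src_b, PCODE_NAMES)}
```

Calling demo() reports the p-code bytes unchanged, an analyst-visible source that contains only the MsgBox macro, and CreateObject, WScript.Shell, Run and calc.exe flagged as names the p-code uses but the source never mentions. The cross-check is only possible with something that can read the p-code side, which is the gap the Outflank authors are pointing at: the compressed source is specified, the bytes that actually execute are not.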
It's notable that Evil Clippy relies on undocumented VBA features. From the authors' post:
Evil Clippy only scratches the surface of issues resulting from the gap between official Microsoft specifications on VBA macros (MS-OVBA) and its actual implementation in MS Office. Since malicious macros are one of the most common methods for initial compromise by threat actors, proper defense against such macros is crucial. We believe that the lack of adequate specifications of how macros actually work in MS Office severely hinders the work of antivirus vendors and security analysts. This blog post serves as a call to Microsoft to change this for the better.
As far as I can tell from reading the post, the techniques that Evil Clippy uses can bypass most current security tools. That may change as vendors update their products. In the meantime, the authors suggest several techniques for mitigating the danger. One of them is disabling macros in documents downloaded from the Internet. I am not sure how this would affect users of web-based tools like SharePoint and Google Drive.

In any case, it's a dangerous world out there, and it just got more dangerous. And maybe harder for technical writers using Word macros.
