Excel4 Security issues

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 11706
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Excel4 Security issues

Post by ChrisGreaves »

It is interesting to see that technology from 1992 can be abused to circumvent the most recent Office security features. This blog post only scratches the surface of what is possible with Excel 4.0 XLM macros. I am very curious to see what other interesting things our community can find with regard to this ancient technology.

Old school: evil Excel 4.0 macros (XLM)

Cheers
Chris
More than the minimum is less than enough

User avatar
Jay Freedman
Microsoft MVP
Posts: 1120
Joined: 24 May 2013, 15:33
Location: Warminster, PA

Re: Excel4 Security issues

Post by Jay Freedman »

Incredible. I just tried the sample to run calc.exe in the latest Excel version from Office 365 Pro, and it works. I don't understand why any current version of Excel still supports XLM macros at all.

User avatar
Rudi
gamma jay
Posts: 25194
Joined: 17 Mar 2010, 17:33
Location: Cape Town

Re: Excel4 Security issues

Post by Rudi »

It's quite nostalgic to write an XLM macro again.
(Never wrote many in the past, but I dabbled in the day and then VBA came about! Never got into XLM again!)
Regards,
Rudi

If your absence does not affect them, your presence didn't matter.

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 11706
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Re: Excel4 Security issues

Post by ChrisGreaves »

Jay Freedman wrote:Incredible. I just tried the sample to run calc.exe in the latest Excel version from Office 365 Pro, and it works. I don't understand why any current version of Excel still supports XLM macros at all.
I can readily understand it from the mainframe days. Every mainframe HAD to have an IBM 1401 emulator, otherwise they couldn't migrate the client's payroll suite.
I believe that COBOL survives to this day for the reason that fifty years ago management was enthralled with the idea that they could now read their staff's computer programs and appear to be as smart as their staff, and not worry about being ignorant of MVS and BXLE instructions.

Backward compatibility is critical for maintaining the comfort level of new clients.

Now it is arguable that back in the day when Excel97/VBA was being considered, perhaps as early as 1990, noone could have foreseen that the day would come when the main use of computers would be to exchange snapshots with the grandson in New Zealand, and that ordinary people (Grandmas and Grandpas) would use the computer as easily as they did an egg-whisk (remember them?).

So why should we worry about security issues? Certainly back in the early 90s I would have laughed at you had you suggested that I would walk (stone age technology) to a WiFi-equipped cafe(wot that?) to transfer $1,200 from a Toronto bank (whose servers are probably in Bolivia) to a bank in Bonavista.

Cheers
Chris
More than the minimum is less than enough

User avatar
ChrisGreaves
PlutoniumLounger
Posts: 11706
Joined: 24 Jan 2010, 23:23
Location: paused.undefined.exposed

Re: Excel4 Security issues

Post by ChrisGreaves »

Rudi wrote:(Never wrote many in the past, but I dabbled in the day and then VBA came about! Never got into XLM again!)
Join the club. Your membership number is #5
Cheers
Chris
More than the minimum is less than enough