nisus.com

G’day, all

A friend of mine sought my opinion about the veracity of an email message purporting to come from a legitimate financial institution. I was not completely happy with the message content, but nor was I sufficiently convinced it was a scam, especially as (unlike with many fraudulent emails) the links were legitimate. So I opened the attached .doc file (in Nisus Writer which proceeded to convert it), having first taken the precaution of ensuring I was disconnected from the Net. Just as well, because here is what I saw. (Don’t worry: this is just a Capture Selection shot taken with Grab, so it’s quite safe to open it. I have edited the image to cover the legitimate name and logo with red rectangles.)
Alarming to see this sort of thing in a word processor document, is it not? The corporate security team at the financial institution has since confirmed that the whole thing is a fraud.

Since I was not online at the time, I have no idea whether the document was actually a dynamic one, transferring data between my computer and who knows where. And I wasn’t about to test it! I’ve since deleted it.

I have never seen such a document before, so I’m now seeking some clarification.

Can a word processor document contain code that automatically establishes a data channel with the Net? Or would that “Loading document…” message just be some sort of prank (a simple textual joke), with no actual behind-the-scenes dynamic import?

If a dynamic file is a possibility, can a Word document do this? Can a pure Nisus document (ie, created and viewed only in Nisus Writer) do this?

Nisus Writer’s conversion engine probably just gives you (more or less) exactly what was in the original document, but one wonders whether it needs to incorporate some sort of security mechanism to alert the user about the existence of an embedded dynamic link and offer the opportunity to abort the conversion and delete the original document.

Most worrying of all, though, is the issue of whether — in the interests of security — one should only ever open email attachments when offline.

I’ve never seen word processor documents as a security risk before, unless of course one deliberately clicked on an embedded link that led somewhere unpleasant. Have I been deluding myself?

I look forward to the Wisdom of the Forum on these issues.

Cheers,
Adrian

adryan wrote:I’ve never seen word processor documents as a security risk before, unless of course one deliberately clicked on an embedded link that led somewhere unpleasant. Have I been deluding myself?

The short answer is yes, a word processing document can be dangerous. Even just opening a document could possibly compromise your computer or your data. You should always be wary of opening suspicious documents, no matter the file format. That's true even if you receive an email that purports to be from (or is actually from) a trusted source or colleague. Email headers can be faked and friends can be infected, so as a general rule I would not open any attachments that are unexpected or otherwise seem out of place.

Generally dangerous documents are those that exploit some bug in the targeted software. For example, here's a recent Microsoft Office exploit:

the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user

That means there's a bug in Word possibly allowing the attacker's document to gain control and run any code it wants. Basically opening this kind of document could lead to any number of unwanted consequences.

As for how all this applies to Nisus Writer users: you should exercise the same caution when dealing with suspicious documents, no matter what the file format or the app you use to open them. Although we're not aware of any attacks that target Nisus Writer, that doesn't mean such a thing is impossible. All software has bugs, including Nisus Writer, and a malicious force could try to exploit them.

That said, there are some security benefits in using Nisus Writer. The biggest boon is sheer numbers. If you're an evildoer it's most appealing to target software with the biggest number of users, so you can infect as many computers as possible. Microsoft Word is simply a behemoth when it comes to its user base. It's installed on so many computers, and Word documents are emailed all the time. It's a great avenue to exploit because it's so commonplace.

Nisus Writer is also sandboxed. That means by default it doesn't have access to any of your files. Only by interacting with a file (eg: selecting it in a file dialog) will Nisus Writer obtain access to a file from the system. If a sandboxed application is compromised by some attack, the impact should be limited by macOS to just the files to which the app has access. That still means data in those files could be leaked or damaged, but at least an app can't access everything, as is the case for apps which are not sandboxed.

I hope that helps, even if it doesn't calm all your fears. Please let me know if you have any questions.

G’day, Martin et al

Thanks for that detailed reply, Martin. A very troubling situation indeed. I already have a high threshold for accepting email as legitimate; I guess now it will be even higher!

Cheers,
Adrian

I'll add in something more: Nisus does not have, as far as I know, the capability to run a macro on document open or program open. So any malicious document with a Macro in it would not run automatically, which would be in my opinion the biggest threat.