In most office environments standard software is used for typical office tasks. This includes word processing programs (Word, WordPerfect, StarOffice), spreadsheets, office communication systems, e-mail programs and databases. As these separate modules are often purchased as a single package from one supplier reference will be made here to "office packages". Because the same kind of software is widely distributed, it is possible for security weaknesses in these programs to have large effects as they can be used on many IT systems so that any malicious programs can spread very quickly. A typical example here is macro viruses (see T 5.43 Macro viruses).
In order to be able to avoid or reduce such problems, security guidelines should be specified regarding the use of standard software.
Standard software is generally not designed to deliver a high level of IT security. All staff should therefore be informed that information requiring particular protection should not be handled on a standard office workstation without additional IT security measures. Some standard products nevertheless offer a number of IT security functions which, however, generally provide significantly less security than specialist security products. Users should be informed of these security functions and their effectiveness (see also S 4.30 Utilisation of the security functions offered in application programs). It is especially important here that users should not be lulled into a false sense of security and that the use of these security functions does not open up any security loopholes. Users should be informed that office products are not suitable for every purpose.
Moreover, office packages often offer functions intended to facilitate the exchange of information, but which often by their very design bring with them major security problems.
Examples
Use of shared electronic diaries
To facilitate co-ordination within teams of workers, most electronic diaries can be networked. As well as many advantages, however, this can bring certain problems with it. For example, not everyone will want colleagues to be able to see all their appointments. The vendors have responded to this kind of objection by offering an option of only displaying to other people which time is free and which time is already booked. Many people feel on the one hand that it will create a bad impression if a lot of free time is visible while on the other hand they are afraid that every free minute will be booked by colleagues with appointments. This can then result in large periods of time being blocked in reserve.
Other problems can also occur, e.g. as a consequence of over-generous granting of rights (see also T 3.20 Unintentional granting of read access for Schedule+).
There should therefore be guidelines for the use of networked electronic diaries and the access rights that need to be considered here. These should be co-ordinated early on with the staff and works councils. When networked electronic diaries are introduced, all employees should be instructed in how to use them correctly.
CD-ROM autostart
All the more recent Windows operating systems allow CD-ROMs to be automatically detected and started. This can result in malicious programs such as viruses or Trojan horses gaining access to the computer. Automatic CD-ROM detection should therefore be disabled (see S 4.57 Deactivating automatic CD-ROM recognition).
OLE (object linking and embedding)
With OLE functions objects can be embedded in files. These are used in many office products as a means of making information available to other programs. For example, this makes it possible for a table created in Excel to be embedded in a Word document. However, the result is that not only the information visible in the spreadsheet extract is transferred to the Word file but possibly all the other information contained in the Excel file. If the Word file is then passed to someone else, the recipient will also be able to view and even alter the Excel file, even if this is read- or write-protected with a password.
To prevent this, in this example the table should be copied into the Word file as text. Only if the original Excel file contains no other information than the information whose transfer is intended should it be embedded in another file. This could be achieved, for example, by creating a new Excel file (see also S 4.64 Verification of data before transmission / elimination of residual information).
PostScript /ghostscript
In PostScript files problems similar to those encountered with macro viruses can occur. In PostScript display programs there are interpreters which process the PostScript language. From level 2.0 of the PostScript specification there are also PostScript commands for writing files. As a result it is possible to generate PostScript files which, during processing by an interpreter, can modify, delete or rename other files as soon as they are displayed on the screen.
Specific problems exist in the ghostscript (gs) program. In the UNIX versions it is possible to disable the write facilities on files with the -dSAFER option. However, this is not the default setting. This option has a similar name in versions for other operating systems.
Use of the -dSAFER option is left up to the user. The result is that numerous other programs which invoke ghostscript (gs) internally (e.g. netscape, xdvi, xfig, xv, etc.) implement this in various ways. Therefore the option should be set as a default. Descriptions of how to implement this will be found in the security bulletins of DFN-CERT DSB-95:02 and DSB-95:03 dated August 24 1995 (see also S 2.35 Obtaining information on security flaws of the system).
Older versions of ghostscript may contain other PostScript commands with which files can be modified. Only ghostscript versions in which these problems have been overcome should be used.
From version 1.5 onwards, the ghostview program, which allows PostScript files to be viewed, offers the - safer option, which activates the security functions of ghostscript. Versions earlier than 1.5 do not offer this protection, and should be replaced by the current version. A similar program for displaying PostScript files is gv. In the "Ghostscript Options" dialog box the "Safer" button should be enabled. In the PostScript viewer, GSview, which is available for Windows and OS/2, the option "Write protection for files" should be enabled.
PDF (Portable Document Format)
Similar problems can occur with PDF files if older versions of Acrobat Reader are used to display these files. Functions such as program calls can be embedded in PDF files, and can pose a security risk to the files of the local IT system. A viewer should therefore be used to display PDF files which
does not support this functionality or
provides suitable security mechanisms for the execution of macros (for example an up-to-date version of Acrobat Reader).
Otherwise there is a danger that the embedded functions can be started simply on opening a document or via action triggers as one moves through the document, without the reader being aware of this.
Fast saves under Word
In Word there is an option allowing fast saving of text that has been written. This has the result that only modifications made to a document in the present session are saved into the document. This type of save takes less time compared with a full save, in which Word saves the entire modified file. However, a full save requires less storage space on the hard disk than a fast save. The critical disadvantage of fast saving, however, is the fact that a file can contain fragments of text which the author would not want to be passed on.
The "Allow fast saves" option should therefore be disabled. The "Always create backup copy" option should be enabled. The system should regularly be cleaned up by deleting any backup copies that are no longer required.
If a user nevertheless decides to make use of the fast save option, he/she should always carry out a full save in the following situations:
when he/she has finished working on the document and is saving it for the last time;
before beginning a task that uses a lot of memory e.g. searching for text or compiling an index;
before the document text is transferred to another application;
before the document is converted to a different file format.
In order to be able to take action in good time against design weaknesses and security weaknesses that have come to light, the Administrator or IT Security Management should keep themselves informed about such problems (see also S 2.35 Obtaining information on security weaknesses of the system).
Additional controls:
Have the users been informed about the security functions in application programs and their effectiveness?
Has a check been made as to whether the -dSAFER option is enabled in the PostScript interpreters in use?
