Philip Greenspun had Let’s Bash Microsoft Day over the weekend and I couldn’t resist Scoble-baiting. Sure enough, Scoble defended the Outlook / VBA security model: “…it’s impossible to double-click on executables in Outlook 2003, so the chances you’d get a virus now are very small….” Oh dear, now I am worried that he’s drunk the Kool Aid. Less than a month after Sobig.f and they defend the VBA model?
Office 2003 allows side-by-side execution of the VBA security model and the .NET Framework security model, which strikes me as profoundly schizophrenic (as in, simultaneously promoting two obviously contradictory premises). On the one hand, Visual Studio Tools for Office not only recognizes that maliciousness must be suspected in all received documents but that such suspicion is even more appropriate with documents, those most ubiquitous and mobile bags of bits. In VSTO, permissions are reduced even for those documents whose macros / programs originate in the Intranet zone! Yes! Good! Slightly paranoid, but you know what? They are out to get you!
But you can still get a document that has the same-old brain-dead all-or-nothing “Do you trust the person who sent you this?” macro enabling dialogue and, sure enough, VBA macros can still open up the Outlook object model and iterate over Contacts. Contrast that with “”Microsoft just shipped OneNote. It doesn’t have an API. Why? Because of security issues.” Guess who said that?