RE: Programmatically Adding Digital Signature

From: Michael (m.hlavinkamsdn_at_bre.com)
Date: 11/04/04

    Date: Thu, 4 Nov 2004 11:43:05 -0800
    
    

    None of those would be problems if an API were available to perform the
    signature that required the password to the private key of the certificate.

    Michael

    "Wei-Dong XU [MSFT]" wrote:

    > Hi Michael,
    >
    > Based on my research, Office does not provide a way to do this
    > programmatically, because it would constitute a security hole.
    >
    > There would actually be two ways to exploit a hypothetical method or
    > property for digitally signing VBA macros.
    >
    > 1) Malicious code could make a change to VBA code that had been digitally
    > signed and then re-sign it with the same signature, so the user would never
    > know a change had been made. The danger in this should be obvious. (What
    > if the macro calculates exchange rates, or opens connections to a secure
    > server?)
    >
    > 2) Malicious code could inject a macro into an Office document using code
    > like in:
    >
    > Q219905 - HOWTO: Dynamically Add and Run a VBA Macro from Visual Basic
    > http://support.microsoft.com/support/kb/articles/q219/9/05.asp
    > It could then digitally sign that code and distribute it. If the recipient
    > had trusted the signature, then the macros would run when opened in Office
    > without any warnings, even if macro security was set to High.
    >
    > So this functionality is not available from Office products. For your
    > scenario, you will need to update the certificate manually.
    >
    > Please feel free to let me know if you have any questions.
    >
    > Best Regards,
    > Wei-Dong XU (WD)
    > Microsoft Product Support Services
    > Get Secure! - www.microsoft.com/security
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >

