How does MS Office’s protected view… protect?


Why would locking editing stop a virus or malware that is already on my device from executing?


4 Answers

Anonymous 0 Comments

It doesn’t just prevent editing. Office files can also include “macros” which are small programs that can do useful tasks within the document. The legitimate use case for macros is for things like generating complex charts based on data. But the macros can do a lot of things that could be considered malicious, too.

So when Office doesn’t trust a file it opens it in Protected Mode and refuses to let any macros run. This may not display the file properly. There is a process you can go through to open the file without protected mode. Presumably you do that after you decide you trust the file, and after you’ve had a look to verify if it has macros you do not trust.

There was a period where Office was a great way to spread viruses, because programs like Outlook would cheerfully auto-load content and execute macros. This feature’s designed to prevent that, and by default makes you jump through hoops to get out of protected mode when it knows you downloaded the file from the internet.

You can still open a bad file and get wrecked by it, but the feature means MS feels like they warned you about the possibility first.
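A defender-side check tied to the advice above (look whether the file has macros before leaving Protected View), added here as an example and not part of the original thread: it opens an OOXML document as the zip it is and reports embedded VBA project parts. The sample documents are constructed in memory; the part and content-type names are the real OOXML ones.

```python
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"          # where Word stores a VBA project
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def _build_package(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip (real files have many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/word/document.xml" ContentType="application/'
              'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macros:
            ct += f'<Override PartName="/{MACRO_PART}" ContentType="{VBA_CONTENT_TYPE}"/>'
        ct += "</Types>"
        z.writestr("[Content_Types].xml", ct)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for the binary VBA project (constructed).
            z.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0placeholder-vba-project")
    return buf.getvalue()


def find_vba_parts(data: bytes) -> list[str]:
    """Return the names of VBA project parts found in an OOXML package.

    Works for docx/docm/xlsm/pptm style files, which are zips. Legacy binary
    formats (.doc/.xls) are OLE containers, not zips, and need an OLE parser
    such as oletools' olevba instead.
    """
    if not data.startswith(b"PK"):
        raise ValueError("not an OOXML zip; inspect legacy formats with an OLE parser")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ct = ""
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
    # The part name is what matters: the file extension can lie, the zip content cannot.
    hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if VBA_CONTENT_TYPE in ct and not hits:
        hits.append("<content types declare a VBA project but the part is missing>")
    return hits


def has_vba_macros(data: bytes) -> bool:
    """True if the package carries any VBA project part."""
    return bool(find_vba_parts(data))


if __name__ == "__main__":
    for flag in (False, True):
        print(f"macros={flag}: {find_vba_parts(_build_package(flag))}")
```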

Anonymous 0 Comments

It's not just stopping you from editing, it's stopping the file from doing anything. You not being able to edit is just a side effect of that and not the purpose. Viruses, like any program, need to execute code and edit things on your computer; if the file can't change anything, the virus in that file can't change anything as well.

Anonymous 0 Comments

Office’s Protected View does more under the hood than you think.

One step is stopping macros, which is basically code that executes within Word to, say, make custom tables or layouts. This code can also sometimes contain commands that go outside of the program scope and into the system (it can delete files, change system settings, etc.) which can have some legitimate uses (say, taking hundreds of Word documents and merging them into one, then deleting the originals afterwards) but are often used for doing Bad Things to your computer.

It also opens the file in a low-integrity process, basically Word telling Windows “let’s open this weird file but it may hack me and make me do crazy dangerous stuff, so don’t trust anything I say from now on”; for context, processes can only see and change data from other programs in the same integrity level or below, so a low-integrity process can only access other low-integrity programs (basically none, most programs run in normal or high-integrity mode, with low-integrity being used exclusively for preventing potentially bad programs from interacting with the rest of the system).

Anonymous 0 Comments

> virus or malware that is already on my device

Here’s the point you missed. Stuff that is only on the hard drive is harmless, no matter what it is. It’s like having hermetically sealed packages in your cupboard. They won’t give you food poisoning unless you open them and eat their contents.

This is even true for your computer's memory (RAM). If something malicious only sits there as *data*, it can't do anything.

For it to become alive, it needs to be executed. (Now that’s a paradoxical sentence, isn’t it?) Or, in other words, the CPU must read it as instructions and follow those instructions. At this point, it can then change the list of stuff that will be read from the disk and executed automatically when a computer starts.

The protected view is a way of treating the whole document as data, even the parts that normally would be treated as instructions.

Here’s a very simple example:

rm -rf /

This ^ is malicious code. If it were executed (with the help of a sh-compatible shell program, as it is not compiled into machine code itself), it would delete all files from your computer.

Yet, it now exists safely on your computer. It’s in memory, in temporary files your web browser uses, and on your screen. That’s because it is treated as data, so it can’t do anything.