The destructive potential of macros has forced IT
professionals to extend their security focus to commonly distributed documents.
To protect against this threat without curtailing distribution and use of
macros, many organizations implement digital signatures, which allow
verification that macros and other electronic content come from a trusted
source.

Digital signatures on macros tell users who signed the macro
project in a document. The signing certificate can be verified against a trusted
root certificate authority or against an internal mechanism within your
organization, such as your own PKI. You can implement digital signatures for your
macros by:

  • Using SelfCert.exe, the self-signed certificate tool that ships
    with Office.
  • Using a PKI implementation.
  • Purchasing a package to give you a digital
    signature that is verified by a root certificate authority.

In this article, we will focus
on Microsoft Excel, but other macro-enabled Office applications behave in a
similar manner.

SelfCert.exe tool

Microsoft Office distributions include the SelfCert.exe tool
as part of the default installation. It is provided as a personal-use mechanism
for creating a certificate to sign your own macros. Nobody verifies the identity
of the person named in the certificate; it is self-signed, and Office flags
signatures made with it as not authenticated. It is important to discuss this
tool first, because fraudulent digital signatures may be made with it.

By default, the SelfCert tool is installed as C:\Program Files\Microsoft Office\Office\Selfcert.exe.
Running the tool is fairly straightforward, and some basic safeguards are in
place to make it harder to impersonate a certificate authority. For example, you
can’t use Verisign, Inc., in the Name field of the SelfCert tool, although you
can use similar variants of that name. (In other words, Verisign is rejected;
Veri Sign is not.) The name check is therefore no real protection; the actual
distinction is that a SelfCert-created certificate is self-signed, with the
subject also acting as the issuer, so it chains to no certificate authority.
When you look at a certificate created with SelfCert, you’ll see that it’s
“empty” of any issuer information. Figure A shows an example.

Figure A

If a macro project contains a digital signature, users need
to be able to distinguish a SelfCert-created certificate from one issued by a
certificate authority. With Office installations using High or Medium security
settings, opening a document with a signed macro project brings up the familiar
security prompt to enable or disable macros. But as Figure B
shows, SelfCert-created signatures appear with a warning.

Figure B

It’s important to click the Details tab to get more
information, because the name of the macro issuer shown on the prompt is not
enough to determine whether a signature is trustworthy: as the SelfCert example
shows, anyone can put almost any name in a self-signed certificate. The Details
tab gives the official information on any digital signature.

What about a PKI infrastructure?

If your organization uses PKI, and you have a certificate imported
into your certificate store, you can use that certificate to sign macros. However,
having a PKI and a key installed will not automatically apply a digital
signature to all authored content (macros); each VBA project must be signed
explicitly. Further, if the certificate was issued by an internal CA rather than
by (or under) one of the root certificate authorities that recipients already
trust, the digital signature may not transport well out of your organization:
recipients whose systems do not trust your CA will see the signature as
unverified.

Digital signature example

Let’s look at a macro that has a valid digital signature and see how Microsoft Excel recognizes it. When
you first open a signed Excel document, it may not appear any different from
an unsigned document. Therefore, as a matter of practice, users should always view
the details of a signature and check the Digital Signature Information field.
In our sample digitally signed document, the signature was issued by SSNS
(Sample Security Name Systems, a fictitious organization). Clicking the Details
tab of the macro security prompt (which, again, appears only with High or
Medium security settings) shows the information in Figure C.

Figure C

Notice that unlike the SelfCert example, where the status
was marked as Not Trusted, this signature is marked as OK. When the status is
marked as OK or as verified with a root certificate authority, you can be sure
that the macros were signed by the organization or individual(s) listed on the
macro startup screen and have not been modified since they were signed. This
does not mean that the contents of the electronic material are safe; a digital
signature ensures only that the material was indeed signed by the person
specified as the signer, not that the signer’s code is harmless.
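To make the Not Trusted and OK statuses concrete, here is an added example that is not part of the original article and does not use Microsoft's tooling: it reproduces the same trust decision with the OpenSSL command-line tool. A self-signed certificate stands in for one made with SelfCert.exe, an internal root CA stands in for an organization's own PKI, and a second, unrelated root stands in for the root store of a recipient outside the organization. The names SSNS and Some Public Root CA, the file names, and the borrowed "Veri Sign" subject are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (not from the article): reproduce the trust decision behind the
# signature status field with openssl. Requires the openssl command-line tool.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed certificate: what SelfCert.exe produces. Subject and issuer
#    are the same name and nothing vouches for it. "Veri Sign" is the article's
#    example of a look-alike name that SelfCert does not reject.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Veri Sign" -keyout self.key -out self.crt 2>/dev/null

# 2. An internal PKI: a root CA kept inside the organization (assumed name
#    SSNS) and the macro-signing certificate it issues.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=SSNS Internal Root CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=SSNS Macro Signing" -keyout signer.key -out signer.csr 2>/dev/null
openssl x509 -req -in signer.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out signer.crt 2>/dev/null

# 3. A root that a recipient outside the organization trusts but that never
#    issued anything to SSNS (stands in for a public root store).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Some Public Root CA" -keyout public.key -out public.crt 2>/dev/null

# is_self_signed CERT: succeeds when the certificate's issuer is its own subject,
# the tell-tale of a SelfCert-style certificate.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# trust_status CERT ROOTS: prints "OK" when CERT chains to a root listed in the
# ROOTS file and "NOT TRUSTED" otherwise. A name that merely looks like a
# well-known CA makes no difference to this check.
trust_status() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "OK"
    else
        echo "NOT TRUSTED"
    fi
}

# describe CERT: one line showing how the certificate is seen inside the
# organization (ca.crt trusted) and outside it (only public.crt trusted).
describe() {
    if is_self_signed "$1"; then ss=yes; else ss=no; fi
    printf '%-10s self-signed=%-3s inside-org=%-11s outside-org=%s\n' \
        "$1" "$ss" "$(trust_status "$1" ca.crt)" "$(trust_status "$1" public.crt)"
}

describe self.crt     # self-signed=yes, NOT TRUSTED both inside and outside
describe signer.crt   # self-signed=no, OK inside the org, NOT TRUSTED outside
```

The self-signed certificate is rejected everywhere because no trusted root vouches for it, regardless of the name it carries. The certificate issued by the internal CA verifies only where that CA is trusted, which is the "may not transport well out of your organization" problem from the PKI section; a certificate chained to a root that recipients already trust is what fixes it.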

Certification authority

For the most widespread acceptance of an authentic digital signature,
certificates should be issued by a certificate authority. Microsoft publishes a
list of trusted commercial organizations that provide digital certificates.
Approximately 15 of these companies can provide digital certificates for macros
and other types of code. Among the other offerings are PKI, VPN, e-commerce, and
SSL products. Costs for these products vary; some packages start at $200 for
digital signatures, and the prices go up from there. Microsoft’s list of
trusted companies includes some of the most popular and well-known names in
this space, including VeriSign, eSign, and RSA Security.

Web resources

Microsoft offers additional details on macro signing in “Using SelfCert to Create a Digital Certificate for VBA Projects”
and “Add a Digital Signature to a Custom Macro Project in an Office Program.”

The ZDNet white paper “Microsoft
Office 2000 and Digital Macro Signatures”
provides a look at
both the strengths and shortcomings of Office 2000’s digital signature
mechanism.