Decalage
Final slides of my presentation yesterday at Black Hat Europe 2019, about malicious VBA macros and recent advances in the attack & defence sides: Featuring /olevba, ViperMonkey, MacroRaptor, EvilClippy
Will Dormann, Dec 7
Replying to @decalage2 @bry_campbell
Great stuff! I get that Microsoft can't just remove macro capabilities. However, given any enterprise network, I have to question what percent of workstations *need* macros to be enabled, operationally.
Will Dormann, Dec 7
Replying to @decalage2 @bry_campbell
If it's a small number, then I suspect that macros disabled by default (and I mean actually disabled, not that silly "Enable Content" button that anybody can click) might go a long way in protecting people. I'm not a real sysadmin, so perhaps there are factors I'm not aware of?
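The distinction drawn above (macros actually disabled versus "disabled with notification", which is the setting that puts the Enable Content button on the message bar) corresponds to the VBAWarnings value of the Office macro policy. The PowerShell audit below is an added example, not part of this thread or of oletools; it assumes Office 16.0 (2016/2019/365) and reads only the per-user policy hive under HKCU\Software\Policies.

```powershell
# Added example: audit whether Office macros are actually disabled by policy.
# VBAWarnings values (Group Policy "VBA Macro Notification Settings"):
#   1 = Enable all macros
#   2 = Disable all with notification  (the "Enable Content" button; Office default when unset)
#   3 = Disable all except digitally signed macros
#   4 = Disable all without notification (macros really are off)
# Assumption: Office 16.0 and policy values stored under HKCU\Software\Policies.
$apps    = 'Word', 'Excel', 'PowerPoint'
$meaning = @{
    1 = 'Enable all'
    2 = 'Disable with notification (Enable Content button)'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification'
}

function Get-MacroPolicyState {
    param([string]$App)
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $state = [pscustomobject]@{
        App                 = $App
        VBAWarnings         = $null
        Meaning             = 'Not set by policy (user-controlled, behaves like 2)'
        BlockInternetMacros = $false
        ActuallyDisabled    = $false
    }
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($null -ne $props.VBAWarnings) {
            $state.VBAWarnings = [int]$props.VBAWarnings
            $state.Meaning     = $meaning[$state.VBAWarnings]
        }
        # blockcontentexecutionfrominternet = 1 blocks macros in files carrying Mark-of-the-Web
        $state.BlockInternetMacros = ($props.blockcontentexecutionfrominternet -eq 1)
    }
    # Only value 4 removes the "Enable Content" path entirely.
    $state.ActuallyDisabled = ($state.VBAWarnings -eq 4)
    return $state
}

$report = foreach ($app in $apps) { Get-MacroPolicyState -App $app }
$report | Format-Table -AutoSize

$notDisabled = $report | Where-Object { -not $_.ActuallyDisabled }
if ($notDisabled) {
    Write-Warning ('Macros not fully disabled by policy for: ' + ($notDisabled.App -join ', '))
}
```

Run it per user on a sample of workstations to measure how many actually depend on macros before tightening the policy, which is the question raised in the tweet above.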
David Ledbetter, Dec 5
Replying to @decalage2
Wow, lots of good info packed into this pdf. Will this presentation be available to watch later?
Decalage, Dec 5
Replying to @Ledtech3
I think so, but it will take time before public release of all the Blackhat videos.
joël, Jan 14
Replying to @decalage2
great presentation and research! Did you extract / analyse the SRP streams for the documents as well and make an attempt to classify the attachment?
Decalage, Jan 14
Replying to @joelgun
Thanks 🙂 My tools do not parse SRP streams, I don't think their format is documented. Do you know any good reference about that? And what do you mean by "classify the attachment"?
Vess, Dec 5
Replying to @decalage2
Regarding the idea to split VBA functions into safe and unsafe - Office did have something like this once. There used to be programs for viewing (but not editing) Office documents - WordView, etc. They could run only macros that didn't modify the environment.
Decalage, Dec 5
Replying to @VessOnSecurity
Interesting, I thought those viewers didn't have a VBA engine at all.