Security Concerns using interop excel

C

chriscap

I am writing a service that picks up spreadsheets from an FTP drop location
uploaded by customers. I am leary of security problems because a customer
could unknowingly upload a spreadsheet with some malicious VBA. I am using
excel interop to open the spreadsheets via C#. Macro security will be set to
high, but I am wondering if this is enough. The customer is not willing to
sign their documents with a certificate.

Does anyone have any further suggestions for securely opening the
spreadsheet. I was thinking of decorating the asssembly or certain methods
with extra code access security declarations, but I'm not sure where to
start. It is important for this to be secure because the next request is to
allow sending spreadsheets via e-mail which means there isn't even a username
/ password preventing submission.

Thanks
 
J

Jim Rech

When you run Excel through automation (which is what I assume 'interop'
does) the user's security setting has no effect. Security is 'low'. I
don't know what you're doing or if you want the user to see a macro warning.
Assuming you want to open the workbook and not show a warning and not run
its open code you would just have to turn events off. In a VBS script it
would look like this:

Dim XL
Set XL = CreateObject("Excel.Application")
XL.EnableEvents=False
XL.Workbooks.Open "c:\openme.xls"
XL.Visible = True ''else XL will not be visible

--
Jim
|I am writing a service that picks up spreadsheets from an FTP drop location
| uploaded by customers. I am leary of security problems because a customer
| could unknowingly upload a spreadsheet with some malicious VBA. I am
using
| excel interop to open the spreadsheets via C#. Macro security will be set
to
| high, but I am wondering if this is enough. The customer is not willing
to
| sign their documents with a certificate.
|
| Does anyone have any further suggestions for securely opening the
| spreadsheet. I was thinking of decorating the asssembly or certain methods
| with extra code access security declarations, but I'm not sure where to
| start. It is important for this to be secure because the next request is
to
| allow sending spreadsheets via e-mail which means there isn't even a
username
| / password preventing submission.
|
| Thanks
 
C

chriscap

The spreadsheet will never be presented to the user. It will be parsed and
its data will be stored into a database. I am opening the excel document
using C# via .NET. To interact in .NET with the COM objects you have to use
interoperability. So, while I'm parsing this document I want to make sure
that malicious code cannot be executed. I always want the security to be
high. Furthermore, I want to take more precautions than just having security
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Excel 2003 Macro Certificate Failure - Help! 3
Editing Excel Worksheets Online 2
Data Connection Security in Excel 2007 5
External Content Security in Excel 2007 2
A little OT - Quite a rant on microsoft.public.sqlserver.olap 1
How to find entry level work? 3
Windows Defender Chat Transcript 6
FWT Newsletter - Weekly - August 9, 2004 1

Top