A member of the VSTO team just came to my office and asked, "Is it bad to trust all Office documents on the Local Intranet?"
That's a good question, and after answering it for him I thought it was also worth blogging about (plus I'm hanging around the office waiting until I have to leave to take a friend to the airport ;-) ).
From a pure technical standpoint, yes it is bad. You are increasing the risk to your systems and your network by allowing operations that were not previously allowed. If there is ever a vulnerability discovered in VSTO that allows a malicious Office document to take unauthorised actions on a user's PC then being susceptible to documents hosted anywhere on the local network (versus just documents on the local machine) is A Bad Thing.
But the world is not that black-and-white.
And just as an aside, the "absolute" risk involved in trusting Office documents to run VSTO solutions is actually fairly low; without an already-trusted assembly to somehow exploit through malformed document content, there isn't much a malicious document could do save spin up the runtime and create an AppDomain with no user-supplied code inside it, or possibly take advantage of some parsing errors in the VSTO loader or the CLR loader (both of which, fingers crossed, are robust against such attacks). So what we're talking about here is actually a fairly low-risk activity to begin with.
But back to the story at hand.
The purpose of security is not to avoid risk, but to manage it. A computer that is unplugged, sealed in concrete and glass, and then dumped at the bottom of the ocean has very little risk of being infiltrated by a hacker, but it also has very little value to the owner. We want to enjoy the benefits of putting the computer on a desk, turning it on, and jacking it in to the internet, but at the same time we want to do what we can to avoid attacks whilst not unreasonably cramping our style.
More importantly, if I expect to make more money with a computer turned on and plugged into the internet than I expect to lose due to malicious attacks, common sense says that I should plug it in. This is the way business works.
So, is it a bad idea to trust all the documents on the local intranet? I can't answer that for any given person, because their specific scenarios and their attitudes towards risk and their cost structures and so many other things can come into play, but I can help someone make a decision that is right for them.
The real question though is "Why would someone want to trust the entire network -- every single machine behind the firewall, possibly including random laptops from vendors, contractors, customers, etc. -- instead of just a small set of well-managed and secure servers?"
It comes down to cost.
Let's say that you decide to only trust documents from the server http://officedocs/ and you roll out policy to your organisation for that purpose. Things are going well, but after a few weeks everyone realises how cool your VSTO solutions are and they want to put them up on http://anotherserver/. So you update policy to include the new server, and roll that out. A week later it's http://finance/, then it's http://marketing/public/docs/, then it's \\randomserver\ and pretty soon you're getting a new request every week. How much is this costing you (and your business)?
· Lost productivity from end users who are unable to do their work until the servers are trusted
· Lost time due to the management approval process needed to get a formal request through
· Time spent evaluating the request, updating policy, and testing it
· Time taken to actually deploy the policy and get all users (including remote / offline users) updated
· The risk of making a mistake with the new policy, either opening up a security hole or breaking existing applications
· And so on
When you look at the potential costs involved in trusting documents on a server-by-server basis in a large organisation, they might start to approach (or even exceed) the potential costs involved in there being a successful attack launched from some rogue laptop.
For example, let's say you estimate the cost of adding each additional server to policy to be $1,000 (an imaginary figure, of course -- it would probably be at least an order of magnitude higher in real life!). And you estimate (with 80% probability) that over the next few years there are going to be about 10 sites that you expect to want to host documents. So the expected cost of this approach is:
$1,000 x 10 x 80% = $8,000
Now, let's also assume that you estimate the cost of a successful exploit delivered through a VSTO document to be $100,000 (again, a completely arbitrary number) but that there is only a 1% chance of it happening inside the intranet. This gives an expected cost of trusting the whole intranet of:
$100,000 x 1% = $1,000
Which would you go for?
Even if you factor in a "risk multiplier" of 5 (i.e., you're risk averse and want to inflate the numbers a bit "just in case") it's still $3,000 "cheaper" to trust the entire intranet than it is to deal with each server on a case-by-case basis. Obviously these numbers are completely made up and you'd have to do the math for your own particular organisation, but the point is that just because something increases risk, it doesn't necessarily make it a bad thing.
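The same expected-cost comparison in general form, as an added illustration that is not code from the original post. It takes the post's made-up figures as parameters, applies the risk multiplier, and also works out the attack probability at which the two options break even (the function names are my own):

```python
"""Expected-cost comparison behind the 'trust the whole intranet?' decision.

Added illustration; the figures used below are the post's own arbitrary
numbers and are passed in as parameters rather than hard-coded.
"""


def per_server_cost(cost_per_server, expected_servers, probability):
    """Expected cost of trusting servers one at a time:
    cost per policy change x number of servers x chance they are needed."""
    return cost_per_server * expected_servers * probability


def intranet_cost(exploit_cost, attack_probability, risk_multiplier=1.0):
    """Expected cost of trusting the whole intranet, optionally inflated
    by a risk-aversion multiplier (1.0 means no adjustment)."""
    return exploit_cost * attack_probability * risk_multiplier


def breakeven_attack_probability(cost_per_server, expected_servers, probability,
                                 exploit_cost, risk_multiplier=1.0):
    """Attack probability at which both options cost the same.
    Above this value, whitelisting server by server is the cheaper choice."""
    whitelist = per_server_cost(cost_per_server, expected_servers, probability)
    return whitelist / (exploit_cost * risk_multiplier)


def cheaper_option(cost_per_server, expected_servers, probability,
                   exploit_cost, attack_probability, risk_multiplier=1.0):
    """Return which approach has the lower expected cost and by how much."""
    whitelist = per_server_cost(cost_per_server, expected_servers, probability)
    intranet = intranet_cost(exploit_cost, attack_probability, risk_multiplier)
    if intranet < whitelist:
        return "trust intranet", whitelist - intranet
    return "trust per server", intranet - whitelist


if __name__ == "__main__":
    # The post's figures: $1,000 per server, 10 servers at 80%, $100,000 exploit at 1%.
    print(per_server_cost(1000, 10, 0.8))                    # 8000.0
    print(intranet_cost(100000, 0.01))                       # 1000.0
    print(cheaper_option(1000, 10, 0.8, 100000, 0.01, 5))    # ('trust intranet', 3000.0)
    print(breakeven_attack_probability(1000, 10, 0.8, 100000, 5))  # 0.016
```

With the post's numbers and the multiplier of 5, trusting the intranet stops being cheaper once the estimated attack probability exceeds 1.6%, which is the kind of threshold each organisation has to judge for itself.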