We have presented a few proof-of-concepts at the Hack.lu 2010 conference (one of the best hacking conferences indeed). The aim was to exploit the concept of trusted macros and trusted locations in both Office and OpenOffice documents (here are the technical paper and the slides; videos of our demos are here and here). Through a two-step attack, it is possible to execute macros automatically without triggering any alert or confirmation (from the application and of course from the AV). The only condition is to first create a simple (malicious) registry key during the first step. This kind of attack is very interesting and may have a dramatic impact when considering environments where executing sophisticated binaries is impossible (see our Hack.lu paper).
Well this news (and also this one) sheds a new, interesting light on our proof-of-concepts. This extract is quite explicit:
"What’s interesting is that the vulnerability exist in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key. Author of the PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges)."
Do still have any doubt about the fact that Microsoft Windows is a wonderful world indeed? But for who?