VSTO Security Model Principles

  • Article

VSTO takes a very strong stance on security to prevent the spread of macro viruses or worms.  VSTO's security model involves the trust of two things: 1) the assembly associated with the document must be trusted and 2) the location the document is coming from must be trusted.   VSTO's default security model for assemblies is that no assembly is trusted by default.  VSTO's default security model for documents is that only documents on the local machine are trusted by default.  When a VSTO customized document is loaded both assembly trust and document location trust are checked to determine whether to load.  No matter where the assembly is, you must have .NET policy in place to trust the assembly.  If the customized document resides locally on your computer this is sufficient.
 
But if the customized document is being opened from the intranet or internet zone (such as from https://myserver/myvstodoc.xls) then you must add additional .NET policy to trust the location the document is coming from.  This is to prevent a repurposing attack where a document from an untrusted intranet or more likely internet zone tries to repurpose a VSTO document customization that the attacker knows is trusted within an organization.  It is also to protect from an attack where a repurposed document comes in through e-mail--any document opened directly from e-mail is in the internet zone and won't be trusted until you "save it to disk" e.g. copy it to your local computer.
 
One solution is to the document location trust problem is to copy the document to your local machine which puts it in the "Local Machine" zone and VSTO will then trust the document location (since the document is now copied to Local Machine) and will load the customization if there is .NET policy to trust the associated assembly.  The other option is to add .NET security policy to trust customized documents coming https://myserver

I will provide more detail in a future post on how to configure .NET security policy to trust assemblies and how to configure .NET security policy to trust documents.