In a new article, heise.de has drawn attention to a blatant security hole in Microsoft Office 365. At the moment, it even looks as if this vulnerability were deliberately created.
Office 365 business products might be vulnerable to Emotet. This malware intercepts banking data and can load additional packages with further harmful functionality. Emotet often reaches devices via so-called macros, and authorities are often the target of these attacks. Office 365 Business Premium is among the affected applications. In this version, the execution of macros cannot be prohibited centrally via group policy, which provides a gateway for malicious code such as Emotet. In the article, Heise mentions that this gap may have been left intentionally to lure customers to more expensive enterprise versions, because the missing functionality is documented in the description.
According to the article, disabling macros does not work in the following versions:
- Office 365 Business
- Office 365 Business Essentials
- Office 365 Business Premium
- Office 365 Enterprise E1
- Office 365 Enterprise F1
- Microsoft 365 Business
The fact that such an important function for companies is missing in enterprise and business versions is, in our view, absolutely intolerable and negligently exposes companies and authorities to the risk of an Emotet infection.
Another security risk is the hosting of MS Office 365 in general. Although Microsoft guarantees storage on servers within the EU and compliance with the Safe Harbour Agreement, it cannot defend itself against the US Cloud Act. Microsoft is a US company, and no matter where its servers are located, all data must be made available to the security authorities on request.
It is therefore essential for authorities and businesses to consider safer options. Only those who are aware of all access options and entries to their IT infrastructure are able to generate the most secure system possible. The creation of a completely secure system is almost impossible with the rapid progress of hardware and software, but open source applications can provide a valuable contribution here. With proprietary software, “black boxes” are created in the IT infrastructure, i.e. areas that are not open for inspection by users and administrators. In these areas, it is sometimes unclear which and how much data is transmitted to the manufacturer, for example.
We have set ourselves the goal of creating a product stack that is auditable for customers and that stands out for more than its flexibility: VNClagoon. Users of VNClagoon decide themselves which modules of the software stack they want to use:
- VNCmail: Customizable and expandable groupware solution (e-mail, calendar, contacts)
- VNCtalk: Messenger with chat & group chat, audio and video conferences, screen sharing, etc.
- VNCproject: All-in-One solution for your project management
- VNCtask: Professional task management & To-Do lists
- VNCcontacts: Contact and address management
- VNCsafe: Securely share files, folders, galleries and other information
- VNCoffice: Powerful and customizable online office suite
You can find an overview of all our products on our VNClagoon website.
Advantages of the VNClagoon Business Software Stack:
- open standards, open source software – and thus security, auditability
- state-of-the-art user interfaces (web clients and apps)
- technological lead
- comprehensive functional range
- Operation possible in your own data center (private cloud), at a certified data center in Germany or at the VNC data center in Switzerland
- easy adaptability to future requirements
- Integration with other systems thanks to open interfaces
- Investment reliability for years
- Economic advantages over the competition (TCO)
Many VNC products are available for desktop PCs as well as for smartphones and tablets, on Windows, Mac, Linux, iOS and Android.
For further information please visit our website.