I'm grading lab reports. Each time I download an MS Word file to my computer and open the file, it is in a protected mode against attacks (macros etc.). But occasionally I get students using very generic file names like lab2.docx. I will be asked to overwrite the existing file. Sure, who needs the older file that's been graded already? Overwrite! Then when I open this newly downloaded file, it's no longer in protected mode. I guess it's a security hole. If a file with a generic name is downloaded and an existing file with the same name gets overwritten, there is no protection. The new file opens normally.
liudr:
I guess it's a security hole.
Not really. When a file is downloaded it gets tagged as "came from the internet". It is up to the application / operating system to decide what to do with that flag. In the case of Microsoft applications / operating systems they get persnickety. Essentially it is Microsoft's attempt to push the burden to the user. Instead of building secure operating systems and secure applications they tag the file then make you decide if the file is safe to open.
The tagging only happens on NTFS file systems. If you save the file to a FAT drive (like a typical USB drive) it does not get tagged (it actually cannot get tagged because of the way tags are stored).
There are some operating system settings that give the user some control over what happens. Sometimes they even work correctly.
It's not working because overwriting a local file that has this bit toggled off with an internet file will not toggle the bit back on. I'm not trying to blame Windows for not doing enough security or patching Office to be impervious.
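One way to check the tag discussed in the posts above, as an added example that is not part of the original thread: this PowerShell script lists the Office documents in a folder and shows which ones carry the "came from the internet" tag. It assumes the tag is the NTFS alternate data stream named `Zone.Identifier` (INI-style content with a `ZoneId=` line, where 3 is the Internet zone); the folder default, extension list and the `Get-ZoneId` helper name are illustrative choices.

```powershell
# Added example: audit a folder for Office documents that lack the
# "came from the internet" tag. Assumes a local drive (not a UNC path).
param(
    [string]$Folder = "$env:USERPROFILE\Downloads",   # assumed download location
    [string[]]$Extensions = @('.doc', '.docx', '.docm', '.xls', '.xlsx', '.xlsm')
)

function Get-ZoneId {
    # Hypothetical helper: returns the ZoneId as an int, or $null if the file is untagged.
    param([string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

# The tag lives in an alternate data stream, which FAT-family volumes cannot store.
$root = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Folder).Path)
$fs   = ([System.IO.DriveInfo]::new($root)).DriveFormat
if ($fs -like 'FAT*' -or $fs -eq 'exFAT') {
    Write-Warning "$root is formatted as $fs, so files saved here cannot carry the tag."
}

Get-ChildItem -LiteralPath $Folder -File |
    Where-Object { $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        [pscustomobject]@{
            Name          = $_.Name
            LastWriteTime = $_.LastWriteTime
            ZoneId        = $zone
            # Zones 3 (Internet) and 4 (Restricted sites) mark the file as untrusted.
            Tagged        = ($null -ne $zone -and $zone -ge 3)
        }
    } |
    Sort-Object Tagged, Name |
    Format-Table -AutoSize
```

A document whose `LastWriteTime` matches a recent download but whose `Tagged` column is `False` is one that will open without Protected View.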