Tuesday, August 21, 2012

AutoLISP and VBA Security Controls in AutoCAD 2013 SP1

AutoCAD 2013 was just updated with AutoCAD 2013 Service Pack 1 and here are more details from Autodesk Knowledge Base TS20327810:

Due to the appearance of malicious applications that use AutoLISP® and VBA, Autodesk is providing controls for several new security measures with Service Pack 1 for AutoCAD® 2013. Equivalent service packs for AutoCAD-based vertical applications will also be released.

These new controls affect the following products when Service Pack 1 is installed:

  • AutoCAD 2013
  • AutoCAD® 2013 for Mac®
  • AutoCAD 2013-based vertical applications

AutoCAD LT® does not run AutoLISP or VBA applications and does not require these security measures.

What the New Controls Do

The new controls provide the following security measures:

  • Minimize the possibility of loading and running unauthorized or malicious AutoLISP and VBA applications by controlling the folder location from which AutoLISP and VBA applications are automatically loaded (AUTOLOADPATH system variable).
  • Limit the impact of malicious AutoLISP and VBA applications by disabling autoloading of default AutoLISP and VBA applications (AUTOLOAD system variable).
  • Facilitate the cleanup process by completely disabling AutoLISP at startup (/nolisp startup switch).

Control AutoLoading by Specifying a Folder Location

The AUTOLOADPATH system variable controls the folders from which AutoCAD automatically loads the following AutoLISP and VBA files:

  • acad.lsp
  • acad.fas
  • acad.vlx
  • acaddoc.lsp
  • acaddoc.fas
  • acaddoc.vlx
  • acad.dvb

The default value of AUTOLOADPATH is the empty string ("") or period (.). When set to either of these values, autoloading follows legacy behavior. It automatically loads the listed files without restrictions in the following order:

  1. The AutoCAD startup folder
  2. The folder of the current drawing
  3. The folders in the AutoCAD Support Files search path

This default setting is not recommended, because malicious applications can anticipate the folders listed above.

To minimize the possibility of loading a malicious application, always set the AUTOLOADPATH system variable to the unique folder where your authorized applications are located.

To specify multiple folders, use a semicolon as the separator. The value of AUTOLOADPATH is saved in each named profile.

Note: To enable the autoloading changes to acad.dvb, uninstall the original AutoCAD 2013 VBA Enabler, and download and install the latest AutoCAD 2013 VBA module that was updated for the changes made in Service Pack 1 for AutoCAD 2013.

Control Autoloading of AutoLISP and VBA Applications

To control whether AutoLISP applications and acad.dvb are automatically loaded at startup, use the AUTOLOAD system variable:

  • Setting AUTOLOAD to 0 prevents the previously listed AutoLISP files and acad.dvb from being automatically loaded, which is useful for debugging.
  • Setting AUTOLOAD to 1 restores the autoloading behavior, which now depends on the value of the AUTOLOADPATH system variable.

Disable Loading All AutoLISP Applications

To prevent loading any AutoLISP applications, use the /nolisp startup switch to disable AutoLISP in the current AutoCAD session, including all LSP, FAS, and VLX files.

If your system has already been impacted by a malicious application, this option helps you debug and clean up your installation and any impacted files.

The read-only LISPENABLED system variable reports whether AutoLISP is enabled in the current AutoCAD session. If LISPENABLED is 0, AutoLISP has been disabled by the /nolisp startup switch.

Note: Disabling AutoLISP also prevents the Express Tools and some AutoCAD command tools from functioning and should only be used in emergency situations.

For more information on how to use startup switches refer to the solution, Startup switches for AutoCAD.

Changes to acad2013.lsp and acad2013doc.lsp Autoloading Behavior

The acad2013.lsp and acad2013doc.lsp files will now be loaded only from their default installation folders:

<installation folder>\Support
<installation folder>\Support\<language>

Changes to the Options Dialog Box

The “Load acad.lsp with every drawing” checkbox on the System tab of the Options dialog box (ACADLSPASDOC system variable) is disabled when AUTOLOAD or LISPENABLED has a value of 0.

For more information about these controls see the readme for AutoCAD 2013 Service Pack 1.

Recommended Setup and Repair Workflow

For the best protection from malicious AutoLISP and VBA applications, set AUTOLOADPATH to a unique folder location and set AUTOLOAD to 1.

If your installation has already been impacted by a malicious application that runs on startup, follow these general steps:

  1. Start your AutoCAD-based product with the /nolisp switch.
  2. Find and remove all malicious code.
  3. Repair any affected files.
  4. Set AUTOLOADPATH to a unique folder location and set AUTOLOAD to 1.

After taking these steps, you can remove the /nolisp startup switch from the shortcut properties of the program’s desktop icon, and resume the normal operation of your AutoCAD-based application.
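As an aid to step 2 of the workflow above, the following added example (not from Autodesk or the original post) walks a set of folders and reports every file that uses one of the autoload names listed earlier but sits outside the folders named in an AUTOLOADPATH value. The function names, the sample folder tree, and the rule that only the exact approved folder counts (not its subfolders) are assumptions of this sketch; it only reports files for review and removes nothing.

```python
import os
import tempfile
from pathlib import Path

# Autoloaded file names, as listed in the article above.
AUTOLOAD_NAMES = {"acad.lsp", "acad.fas", "acad.vlx", "acaddoc.lsp",
                  "acaddoc.fas", "acaddoc.vlx", "acad.dvb"}

def parse_autoloadpath(value):
    """Return approved folders, or None when the value means legacy behavior."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts == ["."]:
        return None  # "" or ".": no folder restriction
    return [Path(p).resolve() for p in parts]

def find_unapproved(scan_roots, autoloadpath):
    """List autoload-named files that sit outside the approved folders."""
    approved = parse_autoloadpath(autoloadpath)
    hits = []
    for root in scan_roots:
        for dirpath, _dirs, files in os.walk(root):
            folder = Path(dirpath).resolve()
            for name in files:
                # Match case-insensitively: Windows file names are not case-sensitive.
                if name.lower() not in AUTOLOAD_NAMES:
                    continue
                # Assumption: only the exact approved folder counts, not its subfolders.
                if approved is None or folder not in approved:
                    hits.append(folder / name)
    return sorted(hits)

def demo():
    """Build a constructed folder tree and return the flagged paths, relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        for rel in ("approved/acad.lsp", "project/ACADDOC.LSP",
                    "project/notes.txt", "project/xref/acad.fas"):
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("; constructed sample file\n")
        hits = find_unapproved([root], str(root / "approved") + ";")
        return sorted(h.relative_to(root).as_posix() for h in hits)

if __name__ == "__main__":
    for hit in demo():
        print("review:", hit)
```

Pass the startup folder, drawing folders, and Support Files search path folders as `scan_roots`; with an empty or "." AUTOLOADPATH value every matching file is reported, since legacy autoloading applies no folder restriction.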

See also ACAD/Medre.A Malware AutoCAD AutoLISP Malware!

UPDATE: AutoCAD 2013 Service Pack 1.1
