As reported by Tom Stoeckel over on Without a Net, AutoCAD 2013 Service Pack 1 is now available for download. I’ve been waiting for this release with some impatience… in my new role I’ve been increasingly involved in discussions around the security of AutoCAD and our customers’ data, and this Service Pack makes significant progress in this area.
As Tom notes, malware attacks in AutoCAD typically† take advantage of the fact that when a drawing is loaded, AutoCAD tries automatically to load various types of acad.* files (acad.dvb, acad.lsp, acad.fas, acad.vlx, …) from the drawing’s folder. Which means that when projects are zipped and passed around, viruses can spread.
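A check for the auto-load behaviour described above, added here as an example (it is not code from Autodesk or from the original post): it lists acad.* files inside a zipped project before extraction and notes whether each sits in a folder that also contains a drawing. The function names and the sample archive are constructed for illustration, and the extension set covers only the four types the post names.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions named in the post; its list ends in "…", so this set is an
# assumption and is not exhaustive.
AUTOLOAD_EXTS = {".dvb", ".lsp", ".fas", ".vlx"}


def find_autoload_files(archive):
    """Return sorted [(entry, drawing_in_same_folder)] for acad.* zip entries."""
    with zipfile.ZipFile(archive) as zf:
        # Some Windows tools store backslashes in entry names; normalise them.
        names = [n.replace("\\", "/") for n in zf.namelist()
                 if not n.endswith("/")]
    # Folders holding at least one drawing: opening a drawing there is what
    # triggers the legacy auto-load of acad.* files from that folder.
    drawing_dirs = {
        PurePosixPath(n).parent
        for n in names
        if PurePosixPath(n).suffix.lower() == ".dwg"
    }
    hits = []
    for n in names:
        p = PurePosixPath(n)
        # Windows file names are case-insensitive, so compare lower-cased.
        if p.stem.lower() == "acad" and p.suffix.lower() in AUTOLOAD_EXTS:
            hits.append((n, p.parent in drawing_dirs))
    return sorted(hits)


def build_sample_zip():
    """Constructed sample project archive; file contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/plan.dwg", b"placeholder")
        zf.writestr("project/ACAD.LSP", b"placeholder")
        zf.writestr("project/lisp/tools.lsp", b"placeholder")
        zf.writestr("project/support/acad.fas", b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, beside_drawing in find_autoload_files(build_sample_zip()):
        note = "next to a drawing" if beside_drawing else "no drawing in folder"
        print(f"{name}: {note}")
```

A hit is a prompt to inspect the file, not a verdict: legitimate customisations also use these file names.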
This Service Pack helps address this kind of threat in a couple of ways. The first is to introduce the idea of trusted paths from which files may be auto-loaded (by which I mean the legacy auto-loading mechanism mentioned above, not the newer Autoloader). This will give users and CAD managers much finer control when securing systems against this type of virus.
The trusted locations are assigned via the AUTOLOADPATH system variable and controlled by its sibling AUTOLOAD. I expect this mechanism to broaden, over time, to cover other aspects of application loading inside AutoCAD, but this is certainly a helpful first step.
The second way in which the Service Pack helps is when a system has actually been infected. Once that happens – and this does depend greatly on the specific malware infection – it can be pretty tricky to work out what needs to be done to stop the infection from spreading. As most viruses currently spread via auto-loaded LISP files, the /nolisp command-line switch will help users on infected systems get back up and running more quickly, as AutoCAD will be loaded without the possibility of running LISP code. From here it should be more straightforward to at least export the relevant drawing data without that particular breed of virus being able to copy itself along to the project. Again, this is mostly a reaction to the way malware currently – and most commonly – infects AutoCAD systems, and I’d expect this also to need to broaden, over time.
† There is an exception to this: not long after the Melissa virus attacking Microsoft Office hit the news in 1999 (remember that, anyone? :-) there was a similar virus targeting AutoCAD named ACAD.Star that took advantage of the same loophole related to embedded VBA macro security. But that’s so far the only other headline-making AutoCAD virus I can remember that doesn’t fit the above mold.