Over the last few years there has been an increasing number of malware attacks on AutoCAD. These attacks typically leverage the legacy autoloading process of the stock customization files (acad.lsp, acad.dvb, etc.) that come with AutoCAD. Modified versions of these files end up getting automatically loaded into AutoCAD and can cause data loss, corruption, and general annoyance. Here is a typical scenario…
A customer receives a ZIP file containing a variety of files including drawings, fonts, and a modified version of a stock customization file such as acad.lsp. The customer unzips that archive to a folder and double-clicks on one of the drawings to launch it. Launching the drawing this way makes that folder the current working directory–check DWGPREFIX to see for yourself–and because the current folder contains anacad.lsp file, it gets loaded automatically and begins doing whatever malicious tasks it was modified to do. To make matters worse, that file might be flagged as hidden so the customer may not even know that it's in the zip file.
Service Pack 1 for AutoCAD 2013 introduces new controls that enable you to do the following:
- Restrict autoloading of default customization to a specified location ONLY.
- Disable autoloading of default customization files.
- Disable the ability to load any AutoLISP file, automatically or manually.
Note: These same controls will also be added to AutoCAD 2013 for Mac and AutoCAD 2013-based verticals when their respective service packs are released. AutoCAD LT does not run AutoLISP or VBA applications and does not require these security measures.
For a more detailed explanation of these new controls and recommended setup and repair workflow, refer to AutoLISP and VBA Security Controls in AutoCAD 2013 SP1.