This month we released an update for Microsoft Word that fixed issues relating to loading RTF files (CVE-2008-1091) and HTML files (CVE-2008-1434). Office applications like Microsoft Word can load a large variety of different file formats, and some people may want to reduce their attack surface by disabling the formats they don't typically use. Since May 2007, Office 2003 and Office 2007 have included a feature called File Block that lets you do exactly that via the registry.
It’s important to note that the file extension doesn’t tell you what format a file is. For example, you can rename an .RTF or .HTM file to .DOC, and Microsoft Word will load it. File Block doesn’t key off the file extensions; these format “kill switches” are actually checked in each of the file format parsers, so the restriction can’t be bypassed by simply changing a file’s extension. That means that simply disabling the file association between .RTF and Microsoft Word will not prevent Word from loading potentially malicious RTF files, since they can end with a .DOC extension.
Microsoft Word, Excel, and PowerPoint can each load a number of different formats which you can individually disable with File Block. You can also specify a trusted (Office 2007) or exempt (Office 2003) folder, so that files loaded from that location are always allowed through.
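The two paragraphs above make one point that is easy to get wrong when building a mail gateway or upload filter: the extension is a hint, the content is the format, and File Block works on the content. The script below is an added example, not code from this post or from the Office team. It sniffs a file the way Word's loaders effectively do (RTF header, OLE2 compound-file magic for the binary .doc container, zip with a `word/` part for Open XML, an HTML or XML prologue), reports when the name disagrees with the content, and names the File Block switch that would govern the parser actually being invoked. Assumptions: the `FILE_BLOCK_VALUE` names (`RtfFiles`, `HtmlFiles`, `BinaryFiles`, `OpenXmlFiles`, `XmlFiles`) are taken from memory of the File Block documentation under `...\Word\Security\FileOpenBlock` and should be verified against the KB article for your Office version; the sample files are constructed inline, and the detection is deliberately lenient (it accepts the truncated `{\rt` header, which Word also opens) since a filter that is stricter than Word's own sniffing will pass what Word then happily parses.

```python
import io
import os
import zipfile

# Signatures the Word parsers key off (not the file name).  The OLE2
# compound-file header is the Word 97-2003 .doc container; "PK" is the
# zip container used by Open XML (.docx).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# ASSUMED: File Block registry value (under ...\Word\Security\FileOpenBlock)
# that disables the parser for each detected format.  Check the KB article
# for your Office version before relying on these names.
FILE_BLOCK_VALUE = {
    "rtf": "RtfFiles",
    "html": "HtmlFiles",
    "doc": "BinaryFiles",
    "docx": "OpenXmlFiles",
    "xml": "XmlFiles",
}

# Extensions that honestly describe each format; anything else is a mismatch.
EXT_FOR_FORMAT = {
    "rtf": ("rtf",),
    "html": ("htm", "html", "mht"),
    "doc": ("doc", "dot"),
    "docx": ("docx", "docm", "dotx", "dotm"),
    "xml": ("xml",),
}


def sniff_word_format(data: bytes) -> str:
    """Return the format Word would parse this content as, ignoring its name."""
    head = data[:4096]
    # Word opens files whose header is truncated to "{\rt", so be as lenient.
    if head.startswith(b"{\\rt"):
        return "rtf"
    if head.startswith(OLE2_MAGIC):
        return "doc"
    if head.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "docx"
        return "unknown"
    text = head.lstrip().lower()
    if text.startswith(b"<?xml"):
        return "xml"
    if text.startswith(b"<!doctype html") or b"<html" in text[:1024]:
        return "html"
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    fmt = sniff_word_format(data)
    return {
        "name": name,
        "extension": ext,
        "format": fmt,
        "mismatch": fmt != "unknown" and ext not in EXT_FOR_FORMAT.get(fmt, ()),
        "file_block_value": FILE_BLOCK_VALUE.get(fmt),
    }


def _minimal_docx() -> bytes:
    # Constructed: smallest zip that looks like an Open XML Word package.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample inputs: three "documents" named .doc that are not .doc.
SAMPLES = {
    "invoice.doc": b"{\\rtf1\\ansi{\\object\\objemb ...}}",   # RTF renamed to .doc
    "report.doc": b"<html><body>hi</body></html>",            # HTML renamed to .doc
    "memo.doc": OLE2_MAGIC + b"\x00" * 504,                    # genuine binary .doc header
    "notes.doc": _minimal_docx(),                              # Open XML renamed to .doc
    "letter.rtf": b"{\\rtf1 Hello}",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_file(name, data)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{name:12} ext={r['extension']:4} parses-as={r['format']:7} "
              f"{flag:8} block-with={r['file_block_value']}")
```

Run it and the three renamed files are flagged while `memo.doc` and `letter.rtf` pass; the `block-with` column is the point of the post: `invoice.doc` is handled by the RTF parser, so only the RTF kill switch (not the .rtf file association) stops Word from loading it.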
Here are some links that explain how to enable File Block and also how to configure trusted/exempt folders:
For general information about File Block and MOICE see this advisory: http://www.microsoft.com/technet/security/advisory/937696.mspx.
We talk about File Block and MOICE with customers as often as we can. Our team has presented this information at FIRST 2007, BlueHat 2007, CanSecWest 2008, and on several customer visits. We are hoping the Black Hat selection committee will accept our talk for the 2008 Vegas conference. Let us know (firstname.lastname@example.org) if you have questions about File Block or MOICE, and we can either answer them or put you in touch with someone who will have the answer.
- Security Vulnerability Research & Defense Bloggers
*Postings are provided "AS IS" with no warranties, and confers no rights.*