We’ve gotten questions from security researchers and malware protection vendors about the binary file format used by Microsoft Word, PowerPoint, and Excel. The format specification is open and we have spoken at several conferences (1, 2, 3) about detecting malicious docs but we wanted to do more to help defenders. So earlier this year we started working on an Office Visualization Tool called “OffVis”. We first shared the tool with our MAPP partners in May and have now released it as a no-charge download from the Microsoft Download Center for everyone to benefit from this work. We have also recorded a 30-minute training video that describes the file format. We will announce the video here on the blog when it is ready to be released.

OffVis displays an OLESS-based binary files in two ways. It shows a hex view of the raw file contents on the left side of the window and the tree of objects built up from parsing those raw file contents on the right side of the window. You can see an example below.

(click to expand)

Double-clicking on a specific byte in the hex view will navigate the tree view to the object that byte belongs to. Double-clicking an object in the tree view navigates the hex view to the bytes that make up the object (and any of its child objects).

OffVis also detects eight Office file format vulnerabilities that we have seen exploited over the past couple years. We chose these specific CVE’s to detect based on prevalence of attacks in the wild. As was discussed in our last Security Intelligence Report, most attacks use vulnerabilities for which a security update has been available for months. We hope this “known-bad” detection will help you analyze suspicious documents that arrive into your network. And if you find malicious samples exploiting product vulnerabiltiies that are not detected , please send them to us so we can consider adding detection to OffVis for more vulnerabilities. We want to keep the correct balance between giving defenders more information to help them detect attacks and keeping vulnerabilities away from attackers. Here’s the initial list of CVE detection included:

CVE Product Bulletin
CVE-2006-0009 PowerPoint MS06-012 (March 2006)
CVE-2006-0022 PowerPoint MS06-028 (June 2006)
CVE-2006-2492 Word MS06-027 (June 2006)
CVE-2006-3434 Word MS06-062 (October 2006)
CVE-2007-0671 Excel MS07-015 (February 2007)
CVE-2008-0081 Excel MS08-014 (March 2008)
CVE-2009-0238 Excel MS09-009 (April 2009)
CVE-2009-0556 PowerPoint MS09-017 (May 2009)

In the screenshot below, you can see an OffVis CVE-2009-0556 detection. The PST_OutlineTextRefAtom atom at file offset 766378 has a Type value of 3998 (0xf9e), triggering the detection.

You can find out more about OffVis by downloading it from the Microsoft Download Center and viewing the readme file. Please email us at switech at Microsoft.com if you have questions, comments, or malicious samples that are not detected.

Thanks to Kevin Brown, Dan Beenfeldt, and the rest of the MSRC Engineering team who worked on this project!

Update Sept 18, 2009: This initial version of OffVis requires .Net framework 3.5.  If you encounter errors about being unable to load assembly System.Core version 3.5, please install .Net framework 3.5.  The next public release of OffVis will be linked against .Net framework 2.0 which we expect is more widely deployed.

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*