In July, we released a beta Office file format viewer application called OffVis as a downloadable tool. We are pleased today to announce an updated version of OffVis and a 30 minute training video to help you understand the legacy Office binary file format.

OffVis 1.1

The community response to the release of the OffVis tool on July 31st has been great. Thank you for the feedback! We are releasing this new version 1.1 of OffVis in response to that feedback. This release introduces several requested new features and fixes bugs. Here are the highlights:

  • Now requires only .Net Framework 2.0 (1.0 Beta required 3.5, preventing some people from using it)
  • Addressed OLESS loading logic bugs that were leading to false negatives (detection logic misses)
  • Added detection logic for several more Word and PowerPoint CVEs, covering files sent in by customers
  • Added a “Reallocate” feature (under the Tools menu) that makes some corrupted files parseable
  • Clarified some error message text
  • Prevented OffVis from appearing in a saved location off-screen
  • Cleared highlighting after the parser changes
  • Removed limit on number of parsing notes displayed

Here is the new list of detected CVEs:

| CVE | Product | Bulletin |
| --- | --- | --- |
| CVE-2006-0009 | PowerPoint | MS06-012 (March 2006) |
| CVE-2006-0022 | PowerPoint | MS06-028 (June 2006) |
| CVE-2006-2492 | Word | MS06-027 (June 2006) |
| CVE-2006-3434 | PowerPoint | MS06-062 (October 2006) |
| CVE-2006-3590 | PowerPoint | MS06-048 (August 2006) |
| CVE-2006-4534 | Word | MS06-060 (October 2006) |
| CVE-2006-4694 | PowerPoint | MS06-058 (October 2006) |
| CVE-2006-5994 | Word | MS07-014 (February 2007) |
| CVE-2006-6456 | Word | MS07-014 (February 2007) |
| CVE-2007-0515 | Word | MS07-014 (February 2007) |
| CVE-2007-0671 | Excel | MS07-015 (February 2007) |
| CVE-2007-0870 | Word | MS07-024 (May 2007) |
| CVE-2008-0081 | Excel | MS08-014 (March 2008) |
| CVE-2008-4841 | Word | MS09-010 (April 2009) |
| CVE-2009-0238 | Excel | MS09-009 (April 2009) |
| CVE-2009-0556 | PowerPoint | MS09-017 (May 2009) |

Please email us any undetected malicious samples that exploit vulnerabilities for code execution. We will evaluate whether we can add detection that can help everyone detect malicious files.

You can learn more about OffVis from our original blog post about the tool or from an article written by Russ McRee in the ISSA Journal. You can download the tool at http://go.microsoft.com/fwlink/?LinkId=158791

Office legacy binary file format training video

Bruce Dang and Nick Finco from the MSRC Engineering team put together a 30 minute training that describes the legacy binary Office file format and how to parse it. Our Bluehat team agreed to record it and host it on the Bluehat technet site. You can view the video at http://research.microsoft.com/en-us/UM/redmond/events/BH09/lecture.htm. In less than thirty minutes, they provide in-depth technical guidance, including full-screen demos. This video is geared toward security analysts, virus researchers, IDS signature authors, and security professionals.

Direct video link: http://research.microsoft.com/en-us/UM/redmond/events/BH09/lecture.htm
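As an added illustration of the parsing the video walks through (example code written for this post, not OffVis or MSRC code), the Python below reads an OLESS compound file the way a detection tool has to before any CVE-specific logic can run: it validates the 512-byte header, loads the FAT from the header's DIFAT slots, follows sector chains while refusing cycles and dangling links, lists the directory, and names the hosting application from the well-known top-level stream (WordDocument, Workbook or Book, PowerPoint Document). The field offsets and special sector values are those in the public [MS-CFB] specification. `build_sample` constructs a minimal compound file inline so everything runs offline; DIFAT sectors beyond the header and the mini stream are deliberately not handled, as the comments note.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
# Top-level stream names that identify which application wrote a legacy binary file.
APP_STREAMS = {"WordDocument": "Word", "Workbook": "Excel", "Book": "Excel",
               "PowerPoint Document": "PowerPoint"}

def parse_header(data):
    """Validate the 512-byte OLESS header and return the fields the parser needs."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    major, byte_order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04X" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version %d / sector shift %d is inconsistent" % (major, sector_shift))
    fat_sectors, first_dir = struct.unpack_from("<II", data, 0x2C)
    # Only the 109 DIFAT slots inside the header are honoured; larger files chain
    # additional DIFAT sectors, which this example does not follow.
    difat = struct.unpack_from("<109I", data, 0x4C)[:fat_sectors]
    return {"sector_size": 1 << sector_shift, "first_dir": first_dir, "difat": difat}

def sector(data, hdr, n):
    """Sector n starts at (n + 1) * sector size; the header occupies the first slot."""
    size = hdr["sector_size"]
    if n >= 0xFFFFFFFA or (n + 2) * size > len(data):
        raise ValueError("sector %d lies outside the file" % n)
    return data[(n + 1) * size:(n + 2) * size]

def read_chain(data, hdr, fat, start, size=None):
    """Follow a FAT chain; refuse cycles and dangling links, typical of corrupted samples."""
    out, seen, cur = bytearray(), set(), start
    while cur != ENDOFCHAIN:
        if cur in seen or cur >= len(fat):
            raise ValueError("broken FAT chain at sector %d" % cur)
        seen.add(cur)
        out += sector(data, hdr, cur)
        cur = fat[cur]
    return bytes(out if size is None else out[:size])

def load(data):
    """Return header, FAT and the allocated directory entries as (name, type, start, size)."""
    hdr = parse_header(data)
    fat = []
    for s in hdr["difat"]:                       # concatenate the FAT sectors
        fat.extend(struct.unpack("<%dI" % (hdr["sector_size"] // 4), sector(data, hdr, s)))
    raw = read_chain(data, hdr, fat, hdr["first_dir"])
    entries = []
    for off in range(0, len(raw), 128):          # one 128-byte directory entry per slot
        name_len, obj_type = struct.unpack_from("<HB", raw, off + 0x40)
        if obj_type == 0:                        # unallocated slot
            continue
        name = raw[off:off + max(min(name_len, 64) - 2, 0)].decode("utf-16-le", "replace")
        start, size = struct.unpack_from("<IQ", raw, off + 0x74)
        entries.append((name, obj_type, start, size))
    return hdr, fat, entries

def identify_app(data):
    """Return 'Word', 'Excel' or 'PowerPoint' from the stream names present, else None."""
    for name, obj_type, _, _ in load(data)[2]:
        if obj_type == 2 and name in APP_STREAMS:
            return APP_STREAMS[name]
    return None

def read_stream(data, wanted):
    """Return the bytes of a named stream (streams below the 4096-byte cutoff live in the mini stream, not handled here)."""
    hdr, fat, entries = load(data)
    for name, obj_type, start, size in entries:
        if obj_type == 2 and name == wanted:
            return read_chain(data, hdr, fat, start, size)
    raise KeyError(wanted)

def dir_entry(name, obj_type, start=ENDOFCHAIN, size=0, child=NOSTREAM):
    """Build one 128-byte directory entry (only used to construct the sample file)."""
    e, encoded = bytearray(128), name.encode("utf-16-le")
    e[:len(encoded)] = encoded
    struct.pack_into("<HBBIII", e, 0x40, len(encoded) + 2, obj_type, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)

def build_sample(stream_name, payload):
    """Constructed minimal v3 file: header, FAT in sector 0, directory in sector 1, stream from sector 2.
    Keep the payload at 4096 bytes or more so the stream legitimately lives in the FAT."""
    n = -(-len(payload) // 512)                  # number of 512-byte stream sectors
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, BOM, shifts
    # dir sectors, FAT sectors, first dir, txn, mini cutoff, first miniFAT, miniFAT count, first DIFAT, DIFAT count
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)      # DIFAT: FAT lives in sector 0
    chain = list(range(3, 2 + n)) + [ENDOFCHAIN]  # stream sector i links to i + 1
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *chain, *[FREESECT] * (126 - n))
    directory = dir_entry("Root Entry", 5, child=1) + dir_entry(stream_name, 2, 2, len(payload)) + bytes(256)
    return bytes(hdr) + fat + directory + payload.ljust(n * 512, b"\0")
```

A parser that dies on the first broken sector link never reaches any detection logic, which is one way false negatives arise on corrupted or deliberately mangled files. Raising a distinct `ValueError` for a cyclic or out-of-range chain, rather than returning nothing, keeps such files visible as "could not parse" instead of "clean".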

Summary

Thanks to the many people who made this possible: Kevin Brown and Dan Beenfeldt for the development of OffVis; Robert Hensing and Bruce Dang for tireless hours testing the tool and building and refining detection logic; the MSRC Engineering team for the technical investigations leading to these detections; Bruce and Nick Finco for recording the video; Damian Hasse and Matt Thomlinson for the support to release this tool; and Celene Temkin and the Bluehat team for the logistical magic that made the video happen. Thanks everybody!

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*