Are .DOC, .XLS Attachments Really So Dangerous?
Symantec thinks so and recently banned these attachments internally as a result. Russ has another take.
According to official communication from Symantec Corp., the security vendor
recently decided to strip all inbound e-mail of any attachments of the .XLS and
.DOC file types.
The reason? Several recent disclosures of vulnerabilities in the parsers for various
Microsoft Office file formats that could let an attacker trigger a buffer overflow
when a crafted document is opened, thereby compromising the victim's system.
Clearly, when an anti-virus vendor communicates such a decision to its partners,
it will generate significant discussion. I feel the decision is inappropriate,
as there are a number of reasons why the threat is smaller than the proposed mitigation suggests:
- This latest spate of disclosures concerns vulnerabilities in the latest
versions of Microsoft products, not all prior versions. Excel document viruses
and worms have never been able to get "legs," even when all users
were vulnerable to them (as was typically the case with Excel macro viruses,
for example). Therefore, having a smaller subset of the world vulnerable makes
a widespread infection much less likely than before.
- Macro and heuristic controls in standard anti-virus products are likely
to work. There are probably scenarios in which a new kind of worm exploiting
this vulnerability could get around them, but some components of "macro"
protection are likely to be triggered anyway. Therefore, even an anti-virus
product that is installed but not yet updated with signatures for a new attack
would probably provide some protection.
- Outlook and browser controls warn that Microsoft Office documents are
potentially dangerous before rendering them. The user can still click "Yes,"
but a malicious document will most likely arrive from an unexpected source,
so this warning adds to the other controls rather than standing alone.
- Anti-virus signatures will "work" once a worm or virus is discovered.
Of course, these signatures have to wait until an actual piece of malcode
is either shared pre-release or discovered upon release, and getting
enterprise-wide protection in place typically takes eight to 24 hours. But such
a worm would likely have a relatively slow doubling time compared with other
propagation methods, so anti-virus signatures would provide partial protection
early and full protection later. The Microsoft Word vulnerability, for example,
already has signatures from most major anti-virus vendors.
- Symantec is recommending that its partners send compressed .ZIP files in
preference to these Microsoft Office documents in their native formats. Zipped
malware represents significantly more of the entire malware spectrum (71 percent,
as of last week) than any other file type, and its share is rising. It is beyond
our comprehension why such a suggestion would be made as a countermeasure to the
extremely low volume (virtually non-existent in the wild) of malicious Microsoft
Office documents. I continue to recommend blocking .ZIP documents. Those you
communicate with regularly should be instructed to rename .ZIP attachments to
another, pre-arranged extension, or to use a similar agreed-upon method.
This column was originally published in our weekly Security Watch newsletter.
- Symantec further recommends renaming Microsoft Office documents to something
other than their native extensions: .DOC or .XLS should be renamed to .TXT,
for example. Renaming such documents does nothing to prevent them from being
rendered by their native authoring product. Word and Excel recognize a document
by its content, not by its extension, so a file renamed .TXT that is actually a
Microsoft Office document will still be parsed by Word or Excel as soon as the
recipient opens it there, which they must do to read it. Therefore, it is
difficult to understand the ultimate value of this recommendation.
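Both of those recommendations turn on file extensions, and a mail-gateway filter that keys on content rather than on names is defeated by renaming in neither direction. The Python script below is an added example, not code from this column or from Symantec: it labels an attachment by its file signature (the OLE2 compound-file header carried by legacy .DOC/.XLS, or the ZIP local-file header shared by plain archives and the newer OOXML formats), descends into plain ZIP archives so a .DOC that has been renamed .TXT and then zipped is still found, and returns a block/allow verdict. The member-size cap, the nesting limit, the label names and the sample inputs are constructed for illustration and are not from the page.

```python
import io
import zipfile

# File signatures ("magic numbers") of the container formats involved.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary: legacy .doc / .xls / .ppt
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header; also OOXML .docx / .xlsx

# Hypothetical gateway limits (assumptions for this example, not from the column):
# refuse to expand oversized members so a nested archive cannot exhaust the scanner.
MAX_MEMBER_BYTES = 8 * 1024 * 1024
MAX_NESTING = 2


def classify_bytes(data: bytes) -> str:
    """Label content by its leading bytes; the filename extension is deliberately ignored."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-office"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()          # reads the central directory only, no decompression
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # OOXML is a ZIP carrying a content-types manifest plus a word/, xl/ or ppt/ part tree.
        if "[Content_Types].xml" in names and any(
            n.startswith(("word/", "xl/", "ppt/")) for n in names
        ):
            return "ooxml-office"
        return "zip"
    return "other"


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return [(path, label), ...] for the attachment and for every member of a plain ZIP."""
    label = classify_bytes(data)
    findings = [(name, label)]
    if label == "zip" and depth < MAX_NESTING:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:   # declared size, checked before reading
                    findings.append((path, "zip-member-too-large"))
                    continue
                findings.extend(inspect_attachment(path, zf.read(info), depth + 1))
    return findings


def decide(findings: list,
           blocked=("ole2-office", "ooxml-office", "zip-corrupt", "zip-member-too-large")) -> str:
    """Gateway verdict: 'block' if any finding carries a blocked label, otherwise 'allow'."""
    return "block" if any(label in blocked for _, label in findings) else "allow"


def build_samples() -> dict:
    """Constructed inputs (not real documents or malware): minimal byte strings with the right signatures."""
    fake_doc = OLE2_MAGIC + b"\x00" * 504            # a 512-byte header is enough to carry the signature

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:            # a minimal OOXML-shaped archive
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    fake_docx = buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:            # the "send it zipped" advice, plus the .TXT rename
        zf.writestr("report.txt", fake_doc)
        zf.writestr("notes.txt", "plain text")
    nested_zip = buf.getvalue()

    return {
        "renamed.txt": fake_doc,
        "report.docx": fake_docx,
        "report.zip": nested_zip,
        "readme.txt": b"just a note",
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        found = inspect_attachment(name, data)
        print(f"{name}: {decide(found)} {found}")
```

Run directly, the renamed-and-zipped document is blocked while the genuine text file is allowed. A production filter would additionally have to treat encrypted ZIP members, which cannot be inspected, as opaque and therefore blocked, a case the column does not discuss.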
I continue to believe the risks of the vulnerabilities Symantec based its decision
on are overblown, and I do not assess them to be a significant risk to companies
practicing reasonable security techniques. If you have a problem, the culprit
within your organization is likely already known to you: they will be the person
or persons who regularly experience problems with spyware or other malware.
The solution is to focus on those people with stricter controls and more education,
rather than disrupt the entire organization with draconian measures such as
blocking Office document types.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq (www.ntbugtraq.com),
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.