Security Watch

Are .DOC, .XLS Attachments Really So Dangerous?

Symantec thinks so and recently banned these attachments internally as a result. Russ has another take.

According to official communication from Symantec Corp., the security vendor recently decided to strip all inbound e-mails of any attachments of .XLS and .DOC file types.

The reason? Several recent disclosures of vulnerabilities in various Microsoft Office formats that could permit a criminal to cause a buffer overflow when such a document is opened, thereby compromising the victim's system.

Clearly, when an anti-virus vendor communicates such a decision to its partners, it will generate significant discussion. I feel the decision is inappropriate, as there are a number of reasons why the threat is smaller than the proposed mitigation would suggest:

  1. This latest spate of disclosures indicates vulnerabilities in the latest versions of Microsoft products, not all prior versions. Excel document viruses and worms have never been able to get "legs," even when all users were vulnerable to them (as was typically the case with Excel macro viruses, for example). Therefore, having a smaller subset of the world vulnerable makes a widespread infection much less likely than before.
  2. Macro and/or heuristic controls in standard anti-virus products are likely to work. There are probably scenarios in which a new kind of worm exploiting this vulnerability could get around them, but some components of "macro" protection are likely to be triggered anyway. Therefore, even with an anti-virus product installed but not yet updated with signatures for a new attack, the product would probably provide protection.
  3. Outlook controls and browser controls warn of Microsoft Office documents as potentially dangerous before rendering. The user can still click "yes," but the document is still likely coming from an unexpected source. Therefore this control will provide synergistic effectiveness.
  4. Anti-virus signatures will "work" once a worm or virus is discovered. Of course, those signatures must wait until an actual piece of malcode is either shared pre-release or discovered upon release. Gaining enterprise protection typically takes eight to 24 hours, but such a worm would likely spread relatively slowly compared with other methods, so anti-virus signatures would provide synergistic protection early and full protection later. The Microsoft Word vulnerability, for example, already has signatures from most major anti-virus vendors.
  5. Symantec is recommending that its partners prefer compressed .ZIP files to these Microsoft Office documents' native formats. Zipped malware represents significantly more (71 percent, as of last week) of the entire malware spectrum than any other file type -- and is on the rise. It is beyond our comprehension why such a suggestion would be made as a countermeasure to the extremely low volume (virtually non-existent in the wild) of malicious Microsoft Office documents. I continue to recommend blocking .ZIP documents. Those you communicate with regularly should be instructed to replace .ZIP file extensions with another, pre-determined extension name, or other similar method.
  6. Symantec further recommends renaming Microsoft Office documents to something other than their native names. So, .DOC or .XLS file extensions should be renamed to .TXT, for example. Renaming of such documents does nothing to prevent these documents from being rendered by their native authoring product. Any file renamed .TXT, found to actually be a Microsoft Office document, will be opened by its native editor, be that Microsoft Word or Microsoft Excel. Therefore, it is difficult to understand the ultimate value of this recommendation.

I continue to believe the risks of the vulnerabilities Symantec based its decision on are overblown and I do not assess them to be a significant risk to companies practicing reasonable security techniques. If you have a problem, the culprit within your organization is likely already known to you...they will be the person or persons who regularly experience problems with spyware or other malware. The solution is to focus on those people with stricter controls and more education, rather than disrupt the entire organization with draconian measures such as blocking Office document types.

This column was originally published in our weekly Security Watch newsletter.
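The renaming point in item 6 and the ZIP point in item 5 both come down to the same thing: a mail gateway that filters on the file extension is filtering on a label the sender chose. As an added illustration that is not part of the column, here is a small Python classifier that types an attachment by its content signature (the legacy OLE2 compound-file header for .DOC/.XLS, the ZIP header shared by archives and OOXML packages) and looks a bounded depth into archives; the sample blobs it builds are constructed stand-ins, not real documents.

```python
import io
import zipfile
import zlib

# Container signatures (public file-format facts, not page-specific values)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file: legacy .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP local header; OOXML .docx/.xlsx too
MAX_MEMBER = 50 * 1024 * 1024                      # never inflate more than this per member

def classify(data: bytes, depth: int = 0) -> str:
    """Label an attachment from its bytes alone; the file name plays no part."""
    if data.startswith(OLE2_MAGIC):
        return "office-ole2"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" in zf.namelist():
                return "office-ooxml"          # OOXML package, whatever it was renamed to
            if depth < 2:                      # bounded nesting: zip inside zip, no deeper
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER:
                        continue               # size cap guards against decompression bombs
                    inner = classify(zf.read(info), depth + 1)
                    if inner.startswith(("office", "zip-with")):
                        return "zip-with-office"
    except (zipfile.BadZipFile, RuntimeError, zlib.error):
        return "zip-unreadable"                # corrupt or encrypted: cannot be inspected
    return "zip"

def decide(filename: str, data: bytes,
           blocked=frozenset({"office-ole2", "office-ooxml", "zip-with-office"})) -> tuple:
    """Apply a block list to the content label; returns (label, verdict)."""
    label = classify(data)
    return label, ("block" if label in blocked else "allow")

def sample_ole2() -> bytes:                     # constructed sample, not a real document
    return OLE2_MAGIC + b"\x00" * 504           # signature plus an empty 512-byte header sector

def sample_zip(members: dict) -> bytes:         # constructed archive from a name->bytes map
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    print(decide("report.txt", sample_ole2()))                          # renamed .doc: still blocked
    print(decide("notes.zip", sample_zip({"q3.txt": sample_ole2()})))   # Office doc hidden in a ZIP
```

An encrypted or corrupt archive comes back as "zip-unreadable" rather than "zip", so a gateway policy can treat "cannot inspect" differently from "inspected and clean".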

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
