Microsoft Security Advisory (2501584)

Why was this advisory revised June 30, 2011? 
Microsoft revised this advisory to announce that as of June 28, 2011, the Office File Validation Add-in described in Microsoft Knowledge Base Article 2501584 is available through the Microsoft Update service.

Customers can install the Office File Validation Add-in by checking online for updates from Microsoft Update or by using the Microsoft Update service. Customers who have already installed the Office File Validation Add-in manually will not be offered the add-in and do not need to take additional action.

What is the scope of the advisory? 
To announce the availability and detail in depth the purpose of the Microsoft Office File Validation feature for Microsoft Office 2003 and Microsoft Office 2007.

Are there any known issues with the Microsoft Office File Validation feature? 
Microsoft Knowledge Base Article 2501584 documents the currently known issues that customers may experience when utilizing the Office File Validation feature.

How does Office File Validation protect? 
Office File Validation helps detect and prevent a kind of exploit known as a file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code. Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer. As a result, an attacker could gain access to a computer that was not previously accessible. This could enable an attacker to read sensitive information from the computer’s hard disk drive or to install malware, such as a worm or a key logging program. The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened. To validate files, Office File Validation compares a file’s structure to a predefined file schema, which is a set of rules that define what a readable file looks like. If Office File Validation detects that a file’s structure does not follow all rules described in the schema, the file does not pass validation.

Files that fail validation do not automatically open. Instead, the user has to click through a warning indicating that opening the file could be dangerous in order to open the file.

How do the security updates released on April 12, 2011 relate to the Office File Validation feature? 
The security updates released for supported 2003 and 2007 editions of Microsoft Excel, Microsoft PowerPoint, and Microsoft Office respectively in MS11-021, MS11-022, and MS11-023 are prerequisites for enabling the Office File Validation feature.

There were no security updates released on April 12, 2011 for Microsoft Word and Microsoft Publisher. Where are the updates for Microsoft Word and Microsoft Publisher? 
The updates to support Office File Validation in Microsoft Word 2003, Microsoft Word 2007, Microsoft Publisher 2003, and Microsoft Publisher 2007 are available as separate downloads and are prerequisites for enabling the Office File Validation feature. For download links, see the TechNet article, Office File Validation for Office 2003 and Office 2007.

What is the Office File Validation add-in? 
The Office File Validation add-in provides the framework and the definition files for the Office File Validation feature. The Office File Validation feature works for specific Office applications when the Office File Validation add-in is installed in addition to all prerequisite updates for Microsoft Office and the respective Office applications.

How can I install the Office File Validation add-in and prerequisite updates? 
For information on how to manually install the Office File Validation Add-in and prerequisite updates, see the TechNet article, Office File Validation for Office 2003 and Office 2007.

As of June 28, 2011, the Office File Validation Add-in can also be installed by checking online for updates from Microsoft Update or by using the Microsoft Update service.

Can I use this new feature with Microsoft Office XP? 
No. The architecture to properly support Office File Validation does not exist on Microsoft Office XP, making it infeasible to build the feature for Microsoft Office XP products. To do so would require rearchitecting a significant amount of Microsoft Office XP. The product of such an effort could sufficiently introduce an incompatibility with other applications that there would be no assurance that these Microsoft Office products would continue to operate as designed on the updated system.

How does this advisory relate to Office File Validation for Microsoft Office 2010? 
Even though this advisory does not apply to the Office File Validation feature for Microsoft Office 2010, Microsoft has released automated Microsoft Fix it solutions that can be used to configure Office File Validation for supported editions of Microsoft Office 2003, Microsoft Office 2007, and Microsoft Office 2010. These automated Microsoft Fix it solutions are available in the knowledge base article associated with this advisory, Microsoft Knowledge Base Article 2501584.

How can I change Office File Validation settings? 
A registry key setting is available that allows administrators to change how documents behave when a file fails validation. By modifying the registry setting, one of the following options can be selected:

• Block files and prompt user (default) 
  Files that fail validation do not open; however, the user is provided the choice to open the file anyway.

  Note The above behavior is in Microsoft Office 2003 and Microsoft Office 2007 and is different than the behavior in Microsoft Office 2010. In Microsoft Office 2010, files that fail validation open in Protected View; the user then must click through several warning messages before the file can be opened for editing.

• Block files completely 
  Files that fail validation are prevented from opening.

  Note The above behavior is in Microsoft Office 2003 and Microsoft Office 2007 and is different than the behavior in Microsoft Office 2010. In Microsoft Office 2010, files that fail validation open in Protected View; the user is then prevented from opening the file for editing.

For more information on Office File Validation settings and to use the automated Microsoft Fix it solutions to configure Office File Validation settings, see Microsoft Knowledge Base Article 2501584.

How can I disable Office File Validation? 
You can turn off Office File Validation by setting specific registry keys to disable Office File Validation. The registry keys must be configured on a per-application basis for Excel 2003, PowerPoint 2003, Word 2003, Excel 2007, PowerPoint 2007, and Word 2007. These registry keys prevent files that are stored in the Office binary file format from being scanned and validated. For example, if you disable Office File Validation for Excel 2007, Office File Validation does not scan or validate Excel 97-2003 Workbook files, Excel 97-2003 Template files, or Microsoft Excel 5.0/95 files. If a user opens one of those file types, and the file contains a file format attack, the attack will not be detected or prevented unless some other security control detects and prevents such an attack.

For information on disabling the Office File Validation feature, see TechNet article, Office File Validation for Office 2003 and Office 2007.

Microsoft does not recommend disabling Office File Validation. Office File Validation is a key part of the layered defense strategy in Microsoft Office and should be enabled on all computers throughout an organization. In Microsoft Office 2007, for customers that want to prevent files from being validated by the Office File Validation feature, Microsoft recommends using the Trusted Locations feature. Files that are opened from trusted locations skip Office File Validation checks.

How does the Office File Validation feature change the user experience when opening and inserting files in to Microsoft Publisher? 
When opening Publisher files, the Office File Validation feature does not change the behavior of Microsoft Publisher 2003 and Microsoft Publisher 2007 because Microsoft Publisher already scans and validates Publisher files when opened regardless of whether or not the Office File Validation feature is enabled. However, the behavior when inserting Word documents in to Microsoft Publisher is changed by the Office File Validation feature. When attempting to insert binary formatted Word files in Microsoft Publisher 2003 or Microsoft Publisher 2007, files that fail validation are not inserted in to Microsoft Publisher. Instead, the user has to click through a warning indicating that opening the file could be dangerous, in order to insert the file.

Consult TechNet article, Office File Validation for Office 2003 and Office 2007, for information on deployment, installation, and configuration of the Office File Validation feature for Microsoft Office 2003 and Microsoft Office 2007.