Microsoft Security Advisory (2501584)
Release of Microsoft Office File Validation for Microsoft Office
Published: | Updated:
Microsoft is announcing the availability of the Office File Validation feature for supported editions of Microsoft Office 2003 and Microsoft Office 2007. The feature, previously only available for supported editions of Microsoft Office 2010, is designed to make it easier for customers to protect themselves from Office files that may contain malformed data, such as unsolicited Office files received from unknown or known sources, by scanning and validating files before they are opened.
The Office File Validation feature described in this advisory applies when opening an Office file using Microsoft Excel 2003, Microsoft PowerPoint 2003, Microsoft Word 2003, Microsoft Publisher 2003, Microsoft Excel 2007, Microsoft PowerPoint 2007, Microsoft Word 2007, or Microsoft Publisher 2007.
Office File Validation helps detect and prevent a kind of exploit known as a file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code. Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer. As a result, an attacker could gain access to a computer that was not previously accessible. This could enable an attacker to read sensitive information from the computer’s hard disk drive or to install malware, such as a worm or a key logging program.
The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened. To validate files, Office File Validation compares a file’s structure to a predefined file schema, which is a set of rules that define what a readable file looks like. If Office File Validation detects that a file’s structure does not follow all rules described in the schema, the file does not pass validation.
File format attacks occur most frequently in files that are stored in Office binary file formats. For this reason, Office File Validation scans and validates the following kinds of files:
- Excel 2.0, Excel 3.0, Excel 4.0, Excel 5.0, Excel 97-2003 Workbook files. These types of files have an .xls extension and include all Binary Interchange File Format 2 (BIFF2), BIFF3, BIFF4, and BIFF8 files.
- Excel 2.0, Excel 3.0, Excel 4.0, Excel 5.0, Excel 97-2003 Template files. These types of files have an .xlt extension and include BIFF2, BIFF3, BIFF4, and BIFF8 files.
- PowerPoint 97-2003 Presentation files. These files have a .ppt extension.
- PowerPoint 97-2003 Show files. These files have a .pps extension.
- PowerPoint 97-2003 Template files. These files have a .pot extension.
- Word 6.0, Word 7.0, and Word 97-2003 Document files. These files have a .doc extension.
- Word 6.0, Word 7.0, and Word 97-2003 Template files. These files have a .dot extension.
By default, files that fail validation generate the following warning message:
Office File Validation detected a problem trying to open the file. Opening it may be dangerous.
Files that fail validation do not open; however, by default, the user is provided the choice to open the file anyway. Choosing to open a file that has failed validation is not recommended as the file could be malicious.
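The schema comparison described above, shown as an added example (not code from this advisory and not Microsoft's implementation or schema): a rule-based check of the Compound File Binary header that wraps Word, Excel and PowerPoint 97-2003 documents. The rules are taken from the public [MS-CFB] specification; the function names and the sample bytes are constructed for this illustration.

```python
import struct

# Header layout and constants follow the public [MS-CFB] specification.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
HEADER = struct.Struct("<8s16sHHHHH6sIIIIIIIII")  # first 76 bytes of the header
MAXREGSECT = 0xFFFFFFFA  # highest value that denotes a real sector


def validate_cfb_header(data: bytes) -> list[str]:
    """Return the violated rules; an empty list means the header passes."""
    if len(data) < 512:
        return ["file shorter than the 512-byte header"]
    (sig, clsid, _minor, major, bom, shift, mini_shift, reserved, n_dir,
     _n_fat, first_dir, _txn, cutoff, _first_mini, _n_mini, _first_difat,
     _n_difat) = HEADER.unpack_from(data)
    if sig != CFB_MAGIC:
        return ["bad signature"]  # not a compound file, other fields mean nothing
    rules = [
        (clsid == bytes(16), "header CLSID is not zero"),
        (major in (3, 4), "unknown major version"),
        (bom == 0xFFFE, "bad byte-order mark"),
        (shift == {3: 9, 4: 12}.get(major), "sector shift does not match version"),
        (mini_shift == 6, "mini sector shift is not 6"),
        (reserved == bytes(6), "reserved bytes are not zero"),
        (major != 3 or n_dir == 0, "version 3 file declares directory sectors"),
        (cutoff == 4096, "mini stream cutoff is not 4096"),
    ]
    errors = [msg for ok, msg in rules if not ok]
    # Sector n starts at (n + 1) * sector_size and must lie inside the file.
    if shift in (9, 12):
        size = 1 << shift
        if first_dir > MAXREGSECT or (first_dir + 2) * size > len(data):
            errors.append("first directory sector is outside the file")
    return errors


def build_sample(first_dir: int = 0, cutoff: int = 4096) -> bytes:
    """Constructed sample, not a real document: v3 header plus one empty sector."""
    header = HEADER.pack(CFB_MAGIC, bytes(16), 0x3E, 3, 0xFFFE, 9, 6, bytes(6),
                         0, 0, first_dir, 0, cutoff, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)
    return header.ljust(512, b"\xff") + bytes(512)


if __name__ == "__main__":
    for name, blob in [("valid", build_sample()),
                       ("bad directory", build_sample(first_dir=0x5000))]:
        print(name, validate_cfb_header(blob) or "passes")
```

A full validator would go on to walk the FAT, the directory entries and each application stream; this header check covers only the outermost container rules.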
This advisory discusses the following software.
- Microsoft Office 2003 Service Pack 3
- Microsoft Office 2007 Service Pack 2
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (April 12, 2011): Advisory published.
- V2.0 (June 30, 2011): Announced that the Office File Validation Add-in described in Microsoft Knowledge Base Article 2501584 is available through the Microsoft Update service.