Microsoft Pushes Out Two New Security Tools

In parallel with its release of 17 bulletins on Patch Tuesday this month, Microsoft also unveiled two new tools that are meant to help make a couple of common exploitation scenarios more difficult for attackers.

The company released a tool called Office File Validation for some older versions of Office, including Office 2003 and 2007. The feature is specifically designed to give users information about whether there's a potentially malicious component in an Office file that the user is trying to open. When the user attempts to open a file, the Office File Validation tool will inspect it and look for any signs of malicious behavior. If there's a problem, the user will get a warning dialog box giving him the opportunity to cancel the operation.

Attackers in the past few months have taken to embedding malicious Flash files inside Word and Excel documents as part of spear phishing campaigns. This was the primary attack vector used to compromise RSA last month.

"Office File Validation helps detect and prevent a kind of exploit known as a file format attack. File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code. Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer. As a result, an attacker could gain access to a computer that was not previously accessible," Microsoft said in its advisory on the validation tool.

"This could enable an attacker to read sensitive information from the computer’s hard disk drive or to install malware, such as a worm or a key logging program. The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened. To validate files, Office File Validation compares a file’s structure to a predefined file schema, which is a set of rules that define what a readable file looks like. If Office File Validation detects that a file’s structure does not follow all rules described in the schema, the file does not pass validation."

The second enhancement Microsoft pushed out on Tuesday is an update to winload.exe, the component that loads Windows. The update is designed to help prevent some techniques that rootkits use to evade detection and remain persistent on infected machines.

"For a rootkit to be successful it must stay hidden and persistent on a system. One way we have seen rootkits hide themselves on 64-bit systems is bypassing driver signing checks done by winload.exe. While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit," Microsoft's Dustin Childs said.

Commenting on this Article is closed.