In parallel with its release of 17 bulletins on Patch Tuesday this month, Microsoft also unveiled two new tools that are meant to help make a couple of common exploitation scenarios more difficult for attackers.
The company released a tool called Office File Validation for some older versions of Office, including Office 2003 and 2007. The feature is specifically designed to give users information about whether there’s a potentially malicious component in an Office file that the user is trying to open. When the user attempts to open a file, the Office File Validation tool will inspect it and look for any signs of malicious behavior. If there’s a problem, the user will get a warning dialog box giving him the opportunity to cancel the operation.
Attackers in the past few months have taken to embedding malicious Flash files inside Word and Excel documents as part of spear phishing campaigns. This was the primary attack vector used to compromise RSA last month.
“Office File Validation helps detect and prevent a kind of exploit
known as a file format attack. File format attacks exploit the integrity
of a file, and occur when the structure of a file is modified with the
intent of adding malicious code. Usually the malicious code is run
remotely and is used to elevate the privilege of restricted accounts on
the computer. As a result, an attacker could gain access to a computer
that was not previously accessible,” Microsoft said in its advisory on the validation tool.
“This could enable an attacker to
read sensitive information from the computer’s hard disk drive or to
install malware, such as a worm or a key logging program. The Office
File Validation feature helps prevent file format attacks by scanning
and validating files before they are opened. To validate files, Office
File Validation compares a file’s structure to a predefined file schema,
which is a set of rules that define what a readable file looks like. If
Office File Validation detects that a file’s structure does not follow
all rules described in the schema, the file does not pass validation.”
The second enhancement Microsoft pushed out on Tuesday is an update to winload.exe, the component that loads Windows. The update is designed to help prevent some techniques that rootkits use to evade detection and remain persistent on infected machines.
“For a rootkit to be successful it must stay hidden and persistent on
a system. One way we have seen rootkits hide themselves on 64-bit
systems is bypassing driver signing checks done by winload.exe. While
the update itself won’t remove a rootkit, it will expose an installed
rootkit and give your anti-malware software the ability to detect and
remove the rootkit,” Microsoft’s Dustin Childs said.
