MS09-010: Reducing the text converter attack surface

MS09-010 addresses vulnerabilities in Word converters used by WordPad and by Office to load files saved in old file formats. Some of you probably saw this bulletin and thought “I never open documents from versions of Word prior to Word XP,” and you may be interested in reducing your attack surface. In this post we’ll show you how to disable any converters that you might have on your machine that you don’t anticipate using, as well as how to prevent a particular converter from being inadvertently installed (this can be handy if you manage a number of computers and you want to reduce their attack surfaces).

How to disable a converter that’s already installed

The idea is to alter the Access Control List (ACL) so that the Everyone group is denied every permission on the file the converter lives in. This is reversible by the owner of the file, since the owner can always change the ACL of a file regardless of what the ACL currently says.

A quick note about the difference in the XP and Windows Vista steps: In XP we don’t have icacls, so we can’t backup the ACL before locking it down. However, this should not be a problem for these converters since they don’t typically have an Access Control Entry (ACE) for the Everyone group. If they did have such an ACE, it would be overwritten by our everyone:N ACE, and subsequently removed entirely during the re-enable steps below. Thus, if using Windows XP and in doubt, please double check the ACL and perform a manual backup of it. You can do this by using the /S switch of cacls.exe to export and re-import the SDDL representation of the permissions.

Note: You will need administrator privileges to set these file restrictions.

For Windows XP

cacls CONVERTER_PATH_AND_FILE_NAME /E /P everyone:N

For Windows Vista (from an elevated command prompt)

takeown /f CONVERTER_PATH_AND_FILE_NAME
icacls CONVERTER_PATH_AND_FILE_NAME /save PATH_AND_NAME_OF_FILE_TO_BACKUP_ACL_STATE_TO
icacls CONVERTER_PATH_AND_FILE_NAME /deny everyone:(F)

NOTE: CONVERTER_PATH_AND_FILE_NAME refers to one of the converters on the table below.

How to re-enable a converter that you’ve disabled

Note: You will need administrator privileges to set these file restrictions.

For Windows XP

cacls CONVERTER_PATH_AND_FILE_NAME /E /R everyone

For Windows Vista (from an elevated command prompt)

icacls CONVERTER_PATH /restore PATH_AND_NAME_OF_FILE_TO_RESTORE_ACL_STATE_FROM

How to prevent a converter from being inadvertently installed

If a system doesn’t have a particular converter installed, we can prevent users of that system from accidentally installing it. We’ll do that by creating a placeholder file in the same folder and with the same name as the converter in question. Then we’ll restrict the ACL just like we did for an installed converter. This prevents the setup program from installing the converter.

Note: You will need administrator privileges to set these file restrictions.

For Windows XP

md CONVERTER_PATH
echo Placeholder > CONVERTER_PATH_AND_FILE_NAME
cacls CONVERTER_PATH_AND_FILE_NAME /E /P everyone:N

For Windows Vista (from an elevated command prompt)

md CONVERTER_PATH
echo Placeholder > CONVERTER_PATH_AND_FILE_NAME
icacls CONVERTER_PATH_AND_FILE_NAME /deny everyone:(F)

How to allow a converter to be installed after going through the steps to disable its installation

Note: You will need administrator privileges to set these file restrictions.

For Windows XP

cacls CONVERTER_PATH_AND_FILE_NAME /E /R everyone
echo y| del CONVERTER_PATH_AND_FILE_NAME

For Windows Vista (from an elevated command prompt)

icacls CONVERTER_PATH_AND_FILE_NAME /remove everyone
echo y| del CONVERTER_PATH_AND_FILE_NAME

A list of converters

Here is a list of some converters with their filenames in case you decide to reduce your attack surface by disabling some of them:

Note: multiple paths are given for these converters – which one applies to your computer depends on what OS version and architecture you are running on, as well as your OS upgrade history.

An example to work from

Disabling the wpft532.cnv converter on Windows Vista:

C:\>takeown /f "C:\Program Files\Common Files\microsoft shared\TextConv\WPFT532.CNV"

SUCCESS: The file (or folder): "C:\Program Files\Common Files\microsoft shared\TextConv\WPFT532.CNV" now owned by user "Foo\Bar".

C:\>icacls "C:\Program Files\Common Files\microsoft shared\TextConv\WPFT532.CNV" /save %admintemp%\WPFT532_ACL_BACKUP.txt
processed file: C:\Program Files\Common Files\microsoft shared\TextConv\WPFT532.CNV
Successfully processed 1 files; Failed processing 0 files

C:\>icacls "C:\Program Files\Common Files\microsoft shared\TextConv\WPFT532.CNV" /deny everyone:(F)
processed file: C:\Program Files\Common Files\microsoft shared\TextConv\WPFT532.CNV
Successfully processed 1 files; Failed processing 0 files

Re-enabling the converter (note that we don’t supply the filename, just the path, to where wpft532.cnv is stored):

C:\>icacls "C:\Program Files\Common Files\microsoft shared\TextConv" /restore %admintemp%\WPFT532_ACL_BACKUP.txt
processed file: C:\Program Files\Common Files\microsoft shared\TextConv\WPFT532.CNV
Successfully processed 1 files; Failed processing 0 files

A note about Group Policy

You can also disable converters that are already installed via group policy, and re-enable them again as well. The idea is the same as the manual steps listed above:

• To disable the converter, add a Deny Everyone Full Control access control entry to the file for the converter you wish to disable.
• To re-enable the converter, remove the entry for the Everyone group.

You can find specific instructions on how to apply these changes via group policy here: http://technet2.microsoft.com/windowsserver/en/library/1687ef1d-b382-49c7-b184-a4cc888be5251033.mspx?mfr=true

MOICE

After locking down converters on your system, if you decide you want to open a file from an old program – consider using MOICE to open it instead. It converts the file to the Office 2007 format, and does so in an isolated environment which makes it less likely that malicious file could cause harm. Read more about MOICE and download it from here: http://support.microsoft.com/kb/935865

We hope you’ve found this post helpful in reducing the attack surface of your machines.

- Kevin Brown, MSRC Engineering

*Postings are provided “AS IS” with no warranties, and confers no rights.*