In July, we released a beta Office file format viewer application called OffVis as a downloadable tool. We are pleased today to announce an updated version of OffVis and a 30-minute training video to help you understand the legacy Office binary file format.
OffVis 1.1
The community response to the release of the OffVis tool on July 31st has been great. Thank you for the feedback! We are releasing this new version 1.1 of OffVis in response to that feedback. This release introduces several requested new features and fixes bugs. Here are the highlights:
- Now requires only .Net Framework 2.0 (1.0 Beta required 3.5, preventing some people from using it)
- Addressed OLESS loading logic bugs that were leading to false negatives (detection logic misses)
- Added detection logic for several more Word and PowerPoint CVEs, detecting files sent in by customers.
- Added a “Reallocate” feature (under the Tools menu) that makes some corrupted files parseable
- Clarified some error message text
- Prevented OffVis from appearing in a saved location off-screen
- Cleared highlighting after the parser changes
- Removed limit on number of parsing notes displayed
Here is the new list of detected CVEs:
CVE | Product | Bulletin |
---|---|---|
CVE-2006-0009 | PowerPoint | MS06-012 (March 2006) |
CVE-2006-0022 | PowerPoint | MS06-028 (June 2006) |
CVE-2006-2492 | Word | MS06-027 (June 2006) |
CVE-2006-3434 | PowerPoint | MS06-062 (October 2006) |
CVE-2006-3590 | PowerPoint | MS06-048 (August 2006) |
CVE-2006-4534 | Word | MS06-060 (October 2006) |
CVE-2006-4694 | PowerPoint | MS06-058 (October 2006) |
CVE-2006-5994 | Word | MS07-014 (February 2007) |
CVE-2006-6456 | Word | MS07-014 (February 2007) |
CVE-2007-0515 | Word | MS07-014 (February 2007) |
CVE-2007-0671 | Excel | MS07-015 (February 2007) |
CVE-2007-0870 | Word | MS07-024 (May 2007) |
CVE-2008-0081 | Excel | MS08-014 (March 2008) |
CVE-2008-4841 | Word | MS09-010 (April 2009) |
CVE-2009-0238 | Excel | MS09-009 (April 2009) |
CVE-2009-0556 | PowerPoint | MS09-017 (May 2009) |
Please email us any undetected malicious samples that exploit vulnerabilities for code execution. We will evaluate whether we can add detection that can help everyone detect malicious files.
You can learn more about OffVis from our original blog post about the tool or an article written by Russ McRee in the ISSA journal. You can download the tool at http://go.microsoft.com/fwlink/?LinkId=158791
Office legacy binary file format training video
Bruce Dang and Nick Finco from the MSRC Engineering team put together a 30-minute training that describes the legacy binary Office file format and how to parse it. Our Bluehat team agreed to record it and host it on the Bluehat technet site. You can view the video at http://research.microsoft.com/en-us/UM/redmond/events/BH09/lecture.htm. In less than thirty minutes, they provide in-depth technical guidance, including full-screen demos. This video is geared toward security analysts, virus researchers, IDS signature authors, and security professionals.
Direct video link: http://research.microsoft.com/en-us/UM/redmond/events/BH09/lecture.htm
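To give a concrete feel for the container format the video walks through (and that OffVis must load before any CVE detection can run), here is a small added example, written for this post and not part of OffVis or the training: a minimal OLESS/CFB parser that validates the header, assembles the FAT from the header DIFAT, walks the directory chain while refusing sector loops and out-of-file sectors, and names the product from well-known top-level streams (WordDocument, PowerPoint Document, Workbook/Book). The sample file it parses is constructed inline; the loop=True variant is an assumed corruption, not a real sample.

```python
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
PRODUCT_STREAMS = {"WordDocument": "Word", "PowerPoint Document": "PowerPoint",
                   "Workbook": "Excel", "Book": "Excel"}  # top-level streams that identify the product

def parse_oless(data):
    """Return (product, stream names); raise ValueError for a malformed container."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not an OLESS/CFB container")
    major, byte_order, sec_shift = struct.unpack_from("<HHH", data, 26)
    if byte_order != 0xFFFE or (major, sec_shift) not in ((3, 9), (4, 12)):
        raise ValueError("unsupported header: version %d, sector shift %d" % (major, sec_shift))
    sec_size = 1 << sec_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    n_sectors = (len(data) - 512) // sec_size  # only whole sectors after the 512-byte header count
    def sector(n):  # sector n lives at file offset (n + 1) * sector size
        if n >= n_sectors:
            raise ValueError("sector %d lies beyond the end of the file" % n)
        return data[512 + n * sec_size: 512 + (n + 1) * sec_size]
    fat = []  # assemble the FAT from the sectors listed in the header DIFAT (109 slots)
    for i in range(min(n_fat, 109)):
        fat += struct.unpack("<%dI" % (sec_size // 4), sector(struct.unpack_from("<I", data, 76 + 4 * i)[0]))
    names, seen, sid = [], set(), first_dir  # walk the directory chain, refusing loops
    while sid != ENDOFCHAIN:
        if sid in seen or sid >= len(fat):
            raise ValueError("directory chain loops or leaves the FAT at sector %d" % sid)
        seen.add(sid)
        raw = sector(sid)
        for off in range(0, sec_size, 128):  # 128-byte directory entries
            name_len, obj_type = struct.unpack_from("<HB", raw, off + 64)
            if obj_type in (1, 2, 5) and 2 <= name_len <= 64:  # storage, stream or root entry
                names.append(raw[off:off + name_len - 2].decode("utf-16-le", "replace"))
        sid = fat[sid]
    product = next((p for n, p in PRODUCT_STREAMS.items() if n in names), "unknown")
    return product, names

def build_sample(loop=False):
    """Constructed minimal Word-like file: header, one FAT sector, one directory sector (loop=True corrupts it)."""
    def entry(name, obj_type, child=NOSTREAM):
        n = name.encode("utf-16-le") + b"\0\0"
        return (n.ljust(64, b"\0") + struct.pack("<HBBIII", len(n), obj_type, 1, NOSTREAM, NOSTREAM, child)
                + b"\0" * 36 + struct.pack("<IQ", ENDOFCHAIN, 0))
    hdr = MAGIC + b"\0" * 16 + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
    hdr += struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr += struct.pack("<I", 0) + b"\xFF" * 432  # DIFAT[0]: the FAT is in sector 0, rest FREESECT
    fat = struct.pack("<128I", FATSECT, 1 if loop else ENDOFCHAIN, *([FREESECT] * 126))
    directory = entry("Root Entry", 5, child=1) + entry("WordDocument", 2) + b"\0" * 256
    return hdr + fat + directory
```

Run against the constructed sample, parse_oless returns ("Word", ["Root Entry", "WordDocument"]); with loop=True it raises instead of spinning forever, which is the kind of loading edge case a parser must survive before it can be trusted to report detections.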
Summary
Thanks to the many people who made this possible. Kevin Brown and Dan Beenfeldt for the development of OffVis. Robert Hensing and Bruce Dang for tireless hours testing the tool and building and refining detection logic. The MSRC Engineering team for technical investigations leading to these detections. Bruce and Nick Finco for recording the video. Damian Hasse and Matt Thomlinson for the support to release this tool. Celene Temkin and the Bluehat team for the logistical magic to make the video happen. Thanks everybody!
- Jonathan Ness, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no rights.*