Tuesday, May 15, 2007

File Block now available in Office 2003

Many attackers are targeting the Office file formats, and Microsoft has shipped several patches to address specific issues. Last week, as part of the Patch Tuesday updates, Microsoft added the ability to block specific file formats from being opened in Office 2003. This feature was already available in Office 2007. It uses registry keys to restrict which types of files a specific Office application will open. For example, to prevent Microsoft Word 2003 from opening the .doc and .dot file formats, the following DWORD name can be added with the value 1.

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock\RtfFiles



More information on File Block is available at http://support.microsoft.com/kb/922850. When an attempt is made to open a blocked file type, the load is aborted and the user is told, "You are attempting to open a file type that is blocked by your registry policy setting." I suspect Microsoft will provide File Block as a mitigation for future security bugs against specific file formats.



Later this week, I'll post more information about how this plays together with the upcoming Microsoft Office Isolated Conversion Environment (MOICE) tool.

Cool testing note - Try blocking .doc files (BinaryFiles key) with File Block. Then rename a .doc file to .rtf and try to open the file in Word. File is still blocked! That’s right – the check is on the contents not the file extension.
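The rename test above can be modelled with a content-based check. The following is an added example, not Word's implementation and not code from this post: it classifies a file by its leading bytes, applies a BinaryFiles-style block, and flags extension/content mismatches. The family labels, function names and sample bytes are assumptions made for the illustration.

```python
import os

# Leading bytes of an OLE2 compound file, the container used by binary .doc/.dot.
# Other binary Office formats share it, so this is a container check only.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"

# Hypothetical mapping for this example: File Block value name -> content family.
# "BinaryFiles" blocking .doc is from the post; the family labels are invented here.
POLICY_FAMILY = {"BinaryFiles": "ole2-binary"}

# What each extension claims to contain.
EXT_FAMILY = {".doc": "ole2-binary", ".dot": "ole2-binary", ".rtf": "rtf"}


def sniff_family(data: bytes) -> str:
    """Classify by leading bytes only; the file name is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def evaluate(name: str, data: bytes, policy: dict) -> dict:
    """Return the block decision and whether the extension disagrees with the content."""
    family = sniff_family(data)
    ext = os.path.splitext(name)[1].lower()
    blocked_families = {
        POLICY_FAMILY[key]
        for key, value in policy.items()
        if value == 1 and key in POLICY_FAMILY
    }
    return {
        "name": name,
        "content": family,
        "blocked": family in blocked_families,
        "mismatch": EXT_FAMILY.get(ext, "unknown") != family,
    }


# Constructed sample inputs: header bytes only, not real documents.
SAMPLES = [
    ("report.doc", OLE2_MAGIC + b"\x00" * 504),
    ("report.rtf", OLE2_MAGIC + b"\x00" * 504),  # binary file renamed to .rtf
    ("notes.rtf", b"{\\rtf1\\ansi Hello}"),
]

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES:
        print(evaluate(sample_name, sample_data, {"BinaryFiles": 1}))
```

The `mismatch` flag is useful on its own for triage: a file whose extension and content disagree is worth a closer look whether or not a block applies.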
