Microsoft Releases Office File Validation Tool, Windows Loader Update

Microsoft released two security advisories that included solutions yesterday as part of its massive April security update.

Along with the 17 security bulletins in the April patch, Microsoft released a tool to help protect older versions of Office, as well as an update to the winload.exe program.

The Office File Validation tool scans and validates Word files in Office 2003 and Office 2007, checking for malformed files employed by hackers to spread malware. This feature, which installs as an Office add-in, already comes standard in Microsoft Office 2010.

According to Microsoft, the Office File Validation tool is designed to thwart so-called "file format attacks" that could lead to elevation-of-privilege exploits.

"File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code," according to Microsoft's explanation. "Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer."

The feature works by comparing an Office document with a set of predefined rules that determine what is a readable file. If the file fails to meet those criteria, it doesn't pass the validation process and cannot be opened.

To use the Office File Validation tool, first make sure all Office updates have been installed; next, download the tool here.

The second security advisory item contains an update to the Windows loader program that affects systems running Windows 7, Vista and Windows Server 2008 R2. The update fixes a potential security issue that can occur in which "unsigned drivers could be loaded by winload.exe," according to Microsoft's security advisory.  Malware such as rootkits in infected systems typically use this method to "stay resident" in systems, Microsoft explained.

The details are described in Security Advisory 2506014, which includes access to the updated winload.exe.

"For a rootkit to be successful it must stay hidden and persistent on a system," wrote Dustin Childs, senior security program manager of the MSRC. "One way we have seen rootkits hide themselves on 64-bit systems is by passing driver signing checks done by winload.exe. While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit."

About the Author

Chris Paoli is the site producer for and

comments powered by Disqus

Reader Comments:

Fri, Aug 19, 2011 smokehouse automotive

i noticed a problem with this tool. i don't know if microsoft is aware of it or not. i noticed it for a few months now and blamed it on older computers but there is a problem of using excel over an IFS on an as400. it takes an excel file like 20 minutes to open. i removed the tool and it comes up like it should. if you are having the same problem remove the tool and it will most likely work.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.