Microsoft Releases Office File Validation Tool, Windows Loader Update

Yesterday, as part of its massive April security update, Microsoft released two security advisories that included solutions.

Along with the 17 security bulletins in the April patch, Microsoft released a tool to help protect older versions of Office, as well as an update to the winload.exe program.

The Office File Validation tool scans and validates Word files in Office 2003 and Office 2007, checking for malformed files employed by hackers to spread malware. This feature, which installs as an Office add-in, already comes standard in Microsoft Office 2010.

According to Microsoft, the Office File Validation tool is designed to thwart so-called "file format attacks" that could lead to elevation-of-privilege exploits.

"File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code," according to Microsoft's explanation. "Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer."

The feature works by comparing an Office document with a set of predefined rules that determine what is a readable file. If the file fails to meet those criteria, it doesn't pass the validation process and cannot be opened.
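The rule-based check described above can be illustrated with an added example that is not Microsoft's code or its actual rule set. It assumes the fixed header values of the public [MS-CFB] compound file format, the container used by Office 97-2003 binary documents; the function names and the sample header are constructed for illustration.

```python
import struct

# Fixed-value header rules taken from the public [MS-CFB] compound file format,
# the container behind Office 97-2003 binary documents such as .doc files.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
HEADER = struct.Struct("<8s16sHHHHH6sIIIIIIIII")  # first 76 header bytes


def validate_cfb_header(data: bytes) -> list:
    """Return the list of violated rules; an empty list means the header passes."""
    if len(data) < 512:
        return ["shorter than the 512-byte header"]
    (magic, clsid, _minor, major, byte_order, sector_shift, mini_shift, reserved,
     n_dir, n_fat, _dir0, _txn, mini_cutoff, *_rest) = HEADER.unpack_from(data)
    if magic != CFB_MAGIC:
        return ["bad signature"]  # remaining fields are meaningless
    errors = []
    if any(clsid) or any(reserved):
        errors.append("CLSID/reserved bytes must be zero")
    if byte_order != 0xFFFE:
        errors.append("byte order must be 0xFFFE")
    if (major, sector_shift) not in {(3, 9), (4, 12)}:
        errors.append("version/sector shift must be 3/9 or 4/12")
    if mini_shift != 6:
        errors.append("mini sector shift must be 6")
    if major == 3 and n_dir != 0:
        errors.append("directory sector count must be 0 in version 3")
    if mini_cutoff != 0x1000:
        errors.append("mini stream cutoff must be 4096")
    # Consistency rule: declared FAT sectors cannot exceed what the file holds.
    if sector_shift in (9, 12) and n_fat * (1 << sector_shift) > len(data):
        errors.append("FAT sector count exceeds file size")
    return errors


def build_sample_header(**overrides) -> bytes:
    """Constructed sample: a well-formed version 3 header plus two empty sectors."""
    fields = dict(magic=CFB_MAGIC, clsid=bytes(16), minor=0x3E, major=3,
                  byte_order=0xFFFE, sector_shift=9, mini_shift=6,
                  reserved=bytes(6), n_dir=0, n_fat=1, dir0=1, txn=0,
                  mini_cutoff=0x1000, minifat0=0xFFFFFFFE, n_minifat=0,
                  difat0=0xFFFFFFFE, n_difat=0)
    fields.update(overrides)
    return HEADER.pack(*fields.values()).ljust(512, b"\xff") + bytes(1024)


if __name__ == "__main__":
    print(validate_cfb_header(build_sample_header()))                  # well-formed
    print(validate_cfb_header(build_sample_header(sector_shift=0x20)))  # malformed
```

A file that returns any violation would be refused rather than handed to the parser, which is the fail-closed behaviour the article describes.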

To use the Office File Validation tool, first make sure all Office updates have been installed; next, download the tool here.

The second security advisory item contains an update to the Windows loader program that affects systems running Windows 7, Vista and Windows Server 2008 R2. The update fixes a potential security issue in which "unsigned drivers could be loaded by winload.exe," according to Microsoft's security advisory. Malware such as rootkits on infected systems typically uses this method to "stay resident" in systems, Microsoft explained.

The details are described in Security Advisory 2506014, which includes access to the updated winload.exe.

"For a rootkit to be successful it must stay hidden and persistent on a system," wrote Dustin Childs, senior security program manager of the MSRC. "One way we have seen rootkits hide themselves on 64-bit systems is by passing driver signing checks done by winload.exe. While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit."

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
