Microsoft Releases Office File Validation Tool, Windows Loader Update
Microsoft released two security advisories that included solutions yesterday as part of its massive April security update.
Along with the 17 security bulletins in the April patch, Microsoft released a tool to help protect older versions of Office, as well as an update to the winload.exe program.
The Office File Validation tool scans and validates Word files in Office 2003 and Office 2007, checking for malformed files employed by hackers to spread malware. This feature, which installs as an Office add-in, already comes standard in Microsoft Office 2010.
According to Microsoft, the Office File Validation tool is designed to thwart so-called "file format attacks" that could lead to elevation-of-privilege exploits.
"File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code," according to Microsoft's explanation. "Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer."
The feature works by comparing an Office document with a set of predefined rules that determine what is a readable file. If the file fails to meet those criteria, it doesn't pass the validation process and cannot be opened.
To use the Office File Validation tool, first make sure all Office updates have been installed; next, download the tool here.
The second security advisory item contains an update to the Windows loader program that affects systems running Windows 7, Vista and Windows Server 2008 R2. The update fixes a potential security issue that can occur in which "unsigned drivers could be loaded by winload.exe," according to Microsoft's security advisory. Malware such as rootkits in infected systems typically use this method to "stay resident" in systems, Microsoft explained.
The details are described in Security Advisory 2506014, which includes access to the updated winload.exe.
"For a rootkit to be successful it must stay hidden and persistent on a system," wrote Dustin Childs, senior security program manager of the MSRC. "One way we have seen rootkits hide themselves on 64-bit systems is by passing driver signing checks done by winload.exe. While the update itself won't remove a rootkit, it will expose an installed rootkit and give your anti-malware software the ability to detect and remove the rootkit."