OffVis updated, Office file format training video created


In July, we released a beta of OffVis, an Office file format viewer application, as a downloadable tool. Today we are pleased to announce an updated version of OffVis and a 30-minute training video to help you understand the legacy Office binary file format.


OffVis 1.1


The community response to the release of the OffVis tool on July 31st has been great. Thank you for the feedback! We are releasing this new version 1.1 of OffVis in response to that feedback. This release introduces several requested new features and fixes bugs. Here are the highlights:



  • Now requires only .NET Framework 2.0 (the 1.0 beta required 3.5, which prevented some people from using it)

  • Fixed OLESS (structured storage) loading-logic bugs that were causing false negatives: files that failed to load were never reached by the detection logic

  • Added detection logic for several more Word and PowerPoint CVEs, based on malicious files sent in by customers

  • Added a "Reallocate" feature (under the Tools menu) that makes some corrupted files parseable

  • Clarified some error message text

  • Prevented OffVis from restoring a saved window position that is off-screen

  • Cleared stale highlighting when the parser changes

  • Removed the limit on the number of parsing notes displayed

Here is the new list of detected CVEs:

  CVE             Product      Bulletin
  CVE-2006-0009   PowerPoint   MS06-012 (March 2006)
  CVE-2006-0022   PowerPoint   MS06-028 (June 2006)
  CVE-2006-2492   Word         MS06-027 (June 2006)
  CVE-2006-3434   PowerPoint   MS06-062 (October 2006)
  CVE-2006-3590   PowerPoint   MS06-048 (August 2006)
  CVE-2006-4534   Word         MS06-060 (October 2006)
  CVE-2006-4694   PowerPoint   MS06-058 (October 2006)
  CVE-2006-5994   Word         MS07-014 (February 2007)
  CVE-2006-6456   Word         MS07-014 (February 2007)
  CVE-2007-0515   Word         MS07-014 (February 2007)
  CVE-2007-0671   Excel        MS07-015 (February 2007)
  CVE-2007-0870   Word         MS07-024 (May 2007)
  CVE-2008-0081   Excel        MS08-014 (March 2008)
  CVE-2008-4841   Word         MS09-010 (April 2009)
  CVE-2009-0238   Excel        MS09-009 (April 2009)
  CVE-2009-0556   PowerPoint   MS09-017 (May 2009)


Please email us any malicious samples that exploit a vulnerability for code execution and that OffVis does not detect. We will evaluate whether we can add detection logic so that everyone benefits from the sample.


You can learn more about OffVis from our original blog post about the tool, or from the article written by Russ McRee in the ISSA Journal. You can download the tool at http://go.microsoft.com/fwlink/?LinkId=158791


Office legacy binary file format training video


Bruce Dang and Nick Finco from the MSRC Engineering team put together a 30-minute training session that describes the legacy binary Office file format and how to parse it. Our BlueHat team agreed to record it and host it on the BlueHat TechNet site. You can view the video at http://research.microsoft.com/en-us/UM/redmond/events/BH09/lecture.htm. In under thirty minutes they provide in-depth technical guidance, including full-screen demos. The video is geared toward security analysts, virus researchers, IDS signature authors, and other security professionals.


Direct video link: http://research.microsoft.com/en-us/UM/redmond/events/BH09/lecture.htm
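The video covers how the legacy binary format is laid out and parsed, and the 1.1 release notes above describe OLESS loading bugs that turned into detection misses. The following is an added example, written for this page and not OffVis code or anything from the MSRC team: a small walker for the OLESS/compound-file container that underlies the binary Word, Excel and PowerPoint formats. It validates the header, loads the FAT from the header DIFAT, walks the directory chain and lists each stream together with the sector chain it can actually reach. The point a detection tool needs is in walk_chain: an out-of-range sector reference or a FAT loop ends the chain with a note instead of an exception, so the analyst still sees the streams that are there. The sample file (build_sample) and the damage applied to it (corrupt_fat_loop) are constructed for the example; mini-stream contents and DIFAT sectors beyond the 109 header entries are deliberately not followed, and the code says so in its notes.

```python
"""Minimal OLESS/CFB walker (added example, not OffVis code): header, FAT, directory and stream chains.
Bad sector references and FAT loops become notes instead of exceptions, so a damaged file still
yields a partial picture rather than a loader failure that hides a malicious stream."""
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
DIFSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFC, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM, TYPE_NAMES = 0xFFFFFFFF, {1: "storage", 2: "stream", 5: "root"}

def parse_header(data):
    """Validate the 512-byte header; keep only the layout fields the walker needs."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not an OLESS compound file (bad signature)")
    major, bom, shift = struct.unpack_from("<HHH", data, 0x1A)
    if bom != 0xFFFE or (major, shift) not in ((3, 9), (4, 12)):
        raise ValueError("unsupported version %d / sector shift %d" % (major, shift))
    num_fat, first_dir, _, cutoff = struct.unpack_from("<4I", data, 0x2C)
    return {"sector_size": 1 << shift, "num_fat": num_fat, "first_dir": first_dir,
            "mini_cutoff": cutoff, "difat": struct.unpack_from("<109I", data, 0x4C)}

def read_sector(data, hdr, sid):
    off, size = (sid + 1) * hdr["sector_size"], hdr["sector_size"]   # sector 0 follows the header
    return None if sid >= DIFSECT or off + size > len(data) else data[off:off + size]

def load_fat(data, hdr, notes):
    """FAT sectors named by the header DIFAT; DIFAT sectors beyond those 109 entries are not followed."""
    fat = []
    for sid in hdr["difat"][:hdr["num_fat"]]:
        sec = read_sector(data, hdr, sid)
        if sec is None:
            notes.append("FAT sector 0x%X out of range; FAT truncated" % sid)
            break
        fat.extend(struct.unpack("<%dI" % (len(sec) // 4), sec))
    return fat

def walk_chain(fat, start, limit):
    """Follow a FAT chain from `start`; a bad reference or a loop ends it with a note."""
    chain, seen, notes, sid = [], set(), [], start
    while sid != ENDOFCHAIN and not notes:
        if sid >= min(limit, len(fat)):
            notes.append("sector 0x%X out of range; chain truncated" % sid)
        elif sid in seen:
            notes.append("FAT loop back to sector %d; chain truncated" % sid)
        else:
            seen.add(sid)
            chain.append(sid)
            sid = fat[sid]
    return chain, notes

def list_streams(data):
    """Return (entries, notes); each entry has name, type, start, size, chain and its own notes."""
    hdr, notes = parse_header(data), []
    fat = load_fat(data, hdr, notes)
    limit = (len(data) - hdr["sector_size"]) // hdr["sector_size"]   # sectors actually in the file
    dir_chain, dnotes = walk_chain(fat, hdr["first_dir"], limit)
    notes += ["directory: " + n for n in dnotes]
    entries = []
    for raw in (read_sector(data, hdr, s)[o:o + 128] for s in dir_chain for o in range(0, hdr["sector_size"], 128)):
        name_len, obj_type = struct.unpack_from("<HB", raw, 0x40)
        if obj_type == 0:                        # unallocated directory slot
            continue
        start, size = struct.unpack_from("<IQ", raw, 0x74)
        size = size & 0xFFFFFFFF if hdr["sector_size"] == 512 else size   # v3: high dword may hold junk
        e = {"name": raw[:max(min(name_len, 64) - 2, 0)].decode("utf-16-le", "replace"),
             "type": TYPE_NAMES.get(obj_type, "other"), "start": start, "size": size, "chain": [], "notes": []}
        if e["type"] == "stream" and size < hdr["mini_cutoff"]:
            e["notes"].append("below mini-stream cutoff; stored in the mini stream (not followed here)")
        elif e["type"] == "stream":
            e["chain"], e["notes"] = walk_chain(fat, start, limit)
        entries.append(e)
    return entries, notes

def read_stream(data, entry):
    hdr = parse_header(data)   # bytes reachable through the (possibly truncated) chain, cut to declared size
    return b"".join(read_sector(data, hdr, s) for s in entry["chain"])[:entry["size"]]

def build_sample():
    """Constructed v3 file, not a real document: FAT in sector 0, directory in sector 1, one 4096-byte stream."""
    hdr = bytearray(MAGIC.ljust(512, b"\x00"))
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)            # versions, BOM, sector shifts
    struct.pack_into("<8I", hdr, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))             # DIFAT: the FAT is sector 0
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN] + [FREESECT] * 118
    def dirent(name, obj_type, child, start, size):
        e, enc = bytearray(128), name.encode("utf-16-le") + b"\x00\x00"
        e[:len(enc)] = enc
        struct.pack_into("<HBBIII", e, 0x40, len(enc), obj_type, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)
    directory = dirent("Root Entry", 5, 1, ENDOFCHAIN, 0) + dirent("WordDocument", 2, NOSTREAM, 2, 4096)
    return bytes(hdr) + struct.pack("<128I", *fat) + directory.ljust(512, b"\x00") + bytes(range(256)) * 16

def corrupt_fat_loop(sample):
    """Constructed damage: the stream's last sector (9) is pointed back at sector 3."""
    return sample[:512 + 9 * 4] + struct.pack("<I", 3) + sample[512 + 9 * 4 + 4:]   # FAT lives at offset 512

if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("fat-loop", corrupt_fat_loop(build_sample()))):
        entries, notes = list_streams(blob)
        print(label, notes, [(e["name"], e["type"], e["size"], len(e["chain"]), e["notes"]) for e in entries])
```

Run as a script it prints the clean container with the WordDocument stream resolved to eight sectors, then the same container with the FAT loop recorded against the stream rather than hanging or aborting the load. The `limit` bound (sectors actually present in the file) is what catches a directory or stream whose start sector points past the end of a truncated sample, the other common way a damaged file slips past a stricter loader.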


Summary


Thanks to the many people who made this possible: Kevin Brown and Dan Beenfeldt for the development of OffVis; Robert Hensing and Bruce Dang for tireless hours testing the tool and building and refining the detection logic; the MSRC Engineering team for the technical investigations leading to these detections; Bruce and Nick Finco for recording the video; Damian Hasse and Matt Thomlinson for the support to release this tool; and Celene Temkin and the BlueHat team for the logistical magic that made the video happen. Thanks everybody!


– Jonathan Ness, MSRC Engineering


*Posting is provided “AS IS” with no warranties, and confers no rights.*
