Microsoft Office files can be used to sneak malicious code past security controls by carrying macro malware. A new twist on this old infection method was reported by Cisco's security team. The troubling part of the story is how easy it is to disguise a macro-enabled file: simply renaming it is enough.
More Details About the Macro Exploit
Malicious macros have been a security concern since the 1990s; Melissa is one notable macro virus from that era. Macro viruses work by hijacking the document's automation features: a macro that runs when the file is opened writes a copy of the virus into other documents or templates. Cisco's analysis shows that some of the Microsoft Office 2007 (OOXML) formats can run an automatic macro while others cannot. To be precise, DOCX and DOTX do not allow macros, while DOCM and DOTM do.
Renaming Macro-Enabled Files
If DOTX and DOCX files are renamed to DOCM and DOTM, opening them produces an error. If the roles are reversed, however, a macro hiding in a DOCM or DOTM file survives a rename to DOTX or DOCX, and no error is shown in that case.
The error message given when opening a file containing an unauthorized macro. Picture by Cisco.
The Problem Is Caused by WWLIB.DLL
The Cisco security team explains:
“In general, MS Word opens files based on the file data, not based on the file name extension. So long as MS Word can identify the data structure, it will open the file correctly. If a file is identified as a MS Office 2007 file, the file must internally present with the proper MIME type or it will cause a validation failure and the file will not open.
OOXML file types are validated by the MS Office component WWLIB.DLL, which confirms the MIME type of the file is as expected. When the file extension does not hint at an OOXML file type this step of validation always passes, even if the MIME type is actually OOXML. This means an OOXML document with macros included (DOCM or DOTM) will load successfully if it has a different filename extension. This is true even if OOXML files have non-OOXML file extensions, so long as MS Word is registered to handle the format.
Hence, DOCM files containing embedded macros can be disguised as other file formats by changing the file extension. For example, the RTF file format does not support MS Office macro code, but a DOCM file renamed to RTF will open within MS Office and can run embedded macro code.”
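The behaviour Cisco describes above, and the renaming experiment earlier on the page, can be checked from a file's bytes rather than its name. The following is an added example, not Cisco's code or anything from the original article. It reads the `[Content_Types].xml` manifest inside the OOXML zip container and reports whether the main Word part uses a macro-enabled content type or a VBA project part is present, regardless of the extension; a genuine RTF file is recognised by its `{\rtf` header. The sample containers it builds are constructed stubs (only the content-types manifest, an empty document part and a placeholder `vbaProject.bin`), not real Word documents; the content-type strings are the ones defined for the formats, while the function and variable names are my own.

```python
"""
Content-based classification of Word files, independent of extension.

Added example, not Cisco's code. It constructs tiny in-memory OOXML
containers (only [Content_Types].xml plus a stub vbaProject.bin part;
nothing a real Word would render) to show that the macro-enabled
content type survives a rename from .docm to .rtf, and that a genuine
RTF file is plain text starting with "{\\rtf".
"""
import io
import os
import zipfile
import xml.etree.ElementTree as ET

# OOXML main-part content types as declared in each format's [Content_Types].xml.
WORD_MAIN_TYPES = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": ("docx", False),
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml": ("dotx", False),
    "application/vnd.ms-word.document.macroEnabled.main+xml": ("docm", True),
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": ("dotm", True),
}
VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def classify(data: bytes) -> dict:
    """Identify a file by its bytes, the way the article says Word does (data, not name)."""
    if data.startswith(b"{\\rtf"):
        return {"format": "rtf", "macros": False}
    if not data.startswith(b"PK\x03\x04"):
        return {"format": "unknown", "macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return {"format": "zip", "macros": False}
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    fmt, macro_main, has_vba_part = "ooxml", False, False
    for el in root.iter(CT_NS + "Override"):
        ctype = el.get("ContentType", "")
        if ctype in WORD_MAIN_TYPES:
            fmt, macro_main = WORD_MAIN_TYPES[ctype]
        if ctype == VBA_PROJECT_TYPE:
            has_vba_part = True
    # Belt and braces: the VBA project part is named word/vbaProject.bin in practice.
    has_vba_part = has_vba_part or "word/vbaProject.bin" in names
    return {"format": fmt, "macros": macro_main or has_vba_part}


def check_name_vs_content(filename: str, data: bytes) -> dict:
    """Flag a file whose extension claims a macro-free format but whose data can carry macros."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    info = classify(data)
    info["extension"] = ext
    info["suspicious"] = info["macros"] and ext not in ("docm", "dotm")
    return info


def build_ooxml(main_type: str, with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for the demonstration (not a real document)."""
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if with_vba:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PROJECT_TYPE}"/>')
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="xml" ContentType="application/xml"/>'
          + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0stub")  # placeholder bytes only
    return buf.getvalue()


DOCM_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Constructed samples: one macro-enabled container under three names, a macro-free one, a real RTF.
SAMPLES = {
    "invoice.docm": build_ooxml(DOCM_TYPE, True),
    "invoice.rtf": build_ooxml(DOCM_TYPE, True),   # same bytes renamed, as in the Cisco quote
    "invoice.docx": build_ooxml(DOCM_TYPE, True),  # same bytes under a macro-free extension
    "plain.docx": build_ooxml(DOCX_TYPE, False),
    "real.rtf": b"{\\rtf1\\ansi Hello}",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = check_name_vs_content(name, data)
        print(f"{name:14} -> {r['format']:5} macros={r['macros']!s:5} suspicious={r['suspicious']}")
```

Running the script lists each sample with the format its bytes actually declare; `invoice.rtf` and `invoice.docx` are flagged because the container says DOCM whatever the name says. A mail gateway or endpoint scanner that keys its macro checks off the extension alone would pass those two straight through, which is exactly the gap the quote describes. The check only covers OOXML containers and the RTF header; the legacy binary DOC/DOT (OLE) formats need a separate parser, so treat this as the OOXML half of a real scanner.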
Until the issue is resolved, users should be extra cautious with Office files whatever their extension, since the extension no longer says anything about whether the file can carry macros.