January 5th, 2008

Office 2003 SP3 and CorelDraw .CDR files

Posted by Adrian Kingsley-Hughes @ 6:11 am

Categories: Microsoft, Security, Software

Tags: Security, Mechanism, Microsoft Office 2003, Microsoft Corp., Microsoft Office, Office Suites, Software, Adrian Kingsley-Hughes

[UPDATE 01/05/08 09:20am - David LeBlanc has some more information on his blog about this issue. Here are some highlights:

  • “Attack surface reduction is something we [Microsoft] spend a lot of energy on – the canonical example is IIS 5.0 vs. IIS 6.0. IIS 5.0 had enabled everything by default.”
  • “We’ve been doing some of the same things with Office – there are converters that didn’t get installed by default in Office 2003. We noticed that the attackers seemed to be preferentially hitting the parsers for the older formats, and if the great majority of you don’t need the older format, it’s risk without reward.”
  • “To put things in perspective, many of these formats are very old, with some dating back over 15 years since the app that created them by default shipped.”
  • “I want to be very clear about – we are not removing your ability to read these files. If you need them, the parsers are still there.”
  • “Some of the formats blocked are from products built by companies other than Microsoft, and we apologize for implying that there were any problems in those companies’ file formats.”

The bottom line seems to be that Office 2003 has, or at least could have, some baked-in vulnerabilities relating to these file formats and that playing with these formats, especially files from untrusted sources, could be dangerous.  Again, I’m still trying to get clarification here, but the feeling I’m getting is that there is a deeper issue here but that it’s being smokescreened behind blocking these file formats.]

Since I do have a few CorelDraw .CDR files hanging about the place, and have Office 2003 installed on a couple of systems, I was interested in getting to the bottom of why Microsoft blocked access to .CDR files with Office 2003 SP3.

For some answers I contacted Microsoft, and here’s what I got back from a spokesperson. First off, some background:

As part of the recently released Office 2003 SP3 we took a number of the security improvements from the 2007 release of Office and applied those to Office 2003, specifically, we disabled a number of older file formats where we saw very low usage, and a high security risk in our code that loads these files. From the security standpoint, this was the right thing to do. We are not removing support for these file types – we’re making the default safer.

But my concern was more to do with why Microsoft decided to block access to a select number of file formats, in particular the CorelDraw .CDR file format.  Does this file format pose a risk?  It appears that it doesn’t:

We, however, did a poor job of describing the auto-blocking of older file formats. In an earlier KB article we stated that it was the file formats that were insecure, but this is not correct. A file format or the app that wrote the format isn’t insecure – it’s the app that reads the format that’s more or less secure. [emphasis added]

So it seems that the issue isn’t so much the file format itself as the way Microsoft Office 2003 parses these files, and that rather than fix whatever vulnerability exists in its own code, Microsoft has instead blocked access to the files by default. However, this still leaves the specific details of whatever vulnerability exists within Office 2003 a mystery. Is this maybe an example of a vulnerability discovered in-house by Microsoft not being properly documented? I have approached Microsoft again for clarification.

However, there is some good news for those who rely on the blocked format:

There was methodology in place providing a mechanism to unblock the files by system administrators. In order to make it easier for anyone to override the security setting and unblock the different file types, we are updating the KB article and providing the following files that anyone can download and run. The updated KB article and files to unblock these file types can be located at http://support.microsoft.com/kb/938810. A mechanism has also been put in place so that customers can re-block the file types later if they choose.

Thoughts? 
