
June 20th, 2008

Free Sourcefire tool pinpoints hostile MS Office files

Posted by Ryan Naraine @ 9:51 am

Categories: Arbitrary Code Execution, Complex Attacks, Data theft, Exploit code, Microsoft, Open source, Patch Watch, Pen testing, Vulnerability research, Zero-day attacks

Tags: Sourcefire Inc., Vulnerability, Microsoft Corp., Tool, OfficeCat, Microsoft Office, Microsoft Word, Word Processors, Security, Office Suites

Sourcefire, the company behind the popular Snort intrusion detection system, has released a freeware utility to help identify potentially threatening Microsoft Office files.

The tool, called OfficeCat, can be used to process Microsoft Office documents (Word, PowerPoint, Excel and Publisher) and determine if possible exploit conditions exist.

Unlike products that detect attempts to exploit known Microsoft vulnerabilities, Sourcefire said OfficeCat can determine if a file contains hostile content before it is opened.

From the Sourcefire announcement:

OfficeCat provides reference information on discovered vulnerabilities so users can remediate risks. By detecting these hostile files before they are opened, OfficeCat enables users to proactively increase the effectiveness of their security efforts.

…To create effective rules, the VRT conducts ongoing research into Microsoft Office vulnerabilities and will regularly update OfficeCat with the latest vulnerability information.

The command-line utility ships with rules for a total of six Microsoft Office bulletins and about 45 CVE entries related to Microsoft Office vulnerabilities.

There has been a noticeable surge in attacks exploiting critical security vulnerabilities in the Microsoft Office software suite. Here’s a small sample of previous reporting on these attacks.

In addition to using Sourcefire’s OfficeCat, I strongly recommend that Microsoft Office users run Microsoft Office Update to ensure installations are fully patched.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Great... more antivirus...  Narg | 06/23/08
