source link: https://blog.didierstevens.com/2022/04/04/iso-files-with-office-maldocs-protected-view-in-office-2019-and-2021/

Monday 4 April 2022

.ISO Files With Office Maldocs & Protected View in Office 2019 and 2021

Filed under: maldoc,Malware,Uncategorized — Didier Stevens @ 0:00

We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack.

One of the reasons to do this is to evade "mark-of-web" propagation.

When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications (browsers, mail clients) mark this file as coming from the Internet. This is done with a Zone.Identifier Alternate Data Stream (ADS), the so-called "mark-of-web". An ADS is an NTFS feature: other file systems cannot carry it.

When a Microsoft Office application, like Word, opens a document with a Zone.Identifier ADS, the document is opened in Protected View (i.e., sandboxed and read-only).

But when an Office document is stored inside an ISO file, and that ISO has a Zone.Identifier ADS, Word would not open the document in Protected View: the mark is on the ISO file, and the document inside the mounted image has no ADS of its own. That is something I observed 5 years ago.

But this has changed recently. When exactly, I don’t know (update: August 2021).

But when I open an Office document stored inside an ISO file that carries a Zone.Identifier ADS, Office 2021 opens the document in Protected View.

With an unpatched version of Office 2019 that I installed a year ago, that same file is not opened in Protected View.

After updating Office, Word's behavior changes: the file is now opened in Protected View.

If you want to test this yourself, you can use my ZoneIdentifier tool to easily set a "mark-of-web" without having to download your test file from the Internet.

Or you can just add the Zone.Identifier ADS with Notepad.
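The same test scripted in PowerShell, as an added example that is not part of the original post and does not use the author's ZoneIdentifier tool: it writes a Zone.Identifier stream on a test document, reads it back, then marks an ISO, mounts it and shows that the document inside the image has no stream at all. The paths C:\Temp\test.docx and C:\Temp\test.iso, the referrer URL, and the helper Get-ZoneId are assumptions for the example; run it from an elevated prompt on an NTFS volume.

```powershell
# Added example, not from the original post. Assumed test files (hypothetical):
$doc = 'C:\Temp\test.docx'
$iso = 'C:\Temp\test.iso'   # an ISO that contains a test.docx in its root

# 1. Write the mark-of-web. ZoneId values: 0 Local Machine, 1 Local Intranet,
#    2 Trusted Sites, 3 Internet, 4 Restricted Sites. Downloads get 3.
$motw = "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://example.invalid/`r`nHostUrl=https://example.invalid/test.docx`r`n"
Set-Content -Path $doc -Stream Zone.Identifier -Value $motw -NoNewline

# 2. Inspect: the stream is listed next to the default :$DATA stream.
Get-Item -Path $doc -Stream * | Select-Object Stream, Length
Get-Content -Path $doc -Stream Zone.Identifier
# From cmd.exe the equivalent is:  dir /R C:\Temp   and   more < C:\Temp\test.docx:Zone.Identifier

# 3. Helper: returns the ZoneId as an integer, or $null when there is no mark-of-web.
function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $content = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no Zone.Identifier stream (or the volume cannot hold one)
    }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d)$') { return [int]$Matches[1] }
    }
    return $null       # stream present but malformed
}
Get-ZoneId -Path $doc    # 3

# 4. Repeat with the ISO: mark the container, mount it, look at the document inside.
Set-Content -Path $iso -Stream Zone.Identifier -Value $motw -NoNewline
$drive = (Mount-DiskImage -ImagePath $iso -PassThru | Get-Volume).DriveLetter
Get-ZoneId -Path "$($drive):\test.docx"   # $null: CDFS/UDF inside the image carries no ADS
Dismount-DiskImage -ImagePath $iso

# 5. Clean up. Unblock-File deletes the stream; it is what the "Unblock" checkbox does.
Unblock-File -Path $doc
Get-ZoneId -Path $doc    # $null
```

Whether Word shows the Protected View bar for the document inside the mounted image is therefore decided by Office alone, from the mark on the ISO; nothing in the file system tells it the document came from the Internet.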

I did the same test with Office 2016: I updated an old version, and the document is not opened in Protected View.

I don't know exactly when Microsoft Office 2019 was updated so that it opens documents in Protected View when they are inside an ISO file marked as originating from the Internet. If you do know, please post a comment.

Update: this change happened in August 2021. See comments below. Thanks Philippe.


2 Comments »

  1. Hi Didier, it looks like the change was introduced around August 2021, but it was not documented:

    Would your team happen to have info/documentation about the change made around Aug21 that forces Office docs inside ISOs into Protected View mode?

    Reference: https://t.co/TRCf4K6idn

    — Jim Sykora (@JimSycurity) February 7, 2022

    And that protection is only implemented in MS Office, not in Windows itself – so file types other than Office can still be embedded in ISO files:

    How many *end users* need the ability to double click an ISO to mount it? I'll wait…

    While Microsoft silently added a feature to Office that treats downloaded ISO contents as if they had a MotW, Windows itself does not.
    That LNK file didn't come from the internet in its view.

    — Will Dormann (@wdormann) March 25, 2022

    Comment by Philippe — Monday 4 April 2022 @ 20:39

  2. Thanks a lot Philippe! This is indeed only in Microsoft Office, not in Microsoft Windows.

    Comment by Didier Stevens — Monday 4 April 2022 @ 20:48
