6

Sometimes I have to download some Word or Excel documents from untrustworthy sites. I need not only to read but also to edit them. I heard that the Microsoft Office suite is a very popular attack vector. Although I patch my Windows and Office regularly, I guess there must be many 0day vulnerabilities in them.

In order to mitigate the risk, after downloading a Word document, I would upload it to Google Docs, make some small changes and download it in a different format (for example, if the original file is a *.doc file then I would download it as a *.docx file and vice versa). My guess is that such conversion may "sanitize" (or at least break) the malicious code (if any) in the suspicious file.

Does anyone know whether it works?

Anders
  • FYI, the most common way Office files are successfully being used to deliver attacks these days is via malicious macros embedded in them. (Well, at the very least where your Office installation is fully patched against known exploits.) Why spend the resources to buy or develop an Office zero-day when a well-crafted social spearphishing email or (maybe more relevant to your case) an enticing document posted somewhere on a seemingly legit site can, more often than not, get a victim to click through two security warnings and run the attacker's code by the victim's own hand? – mostlyinformed Nov 01 '16 at 04:26
  • But, to be helpful on your actual situation, if you're willing & able to go through some inconvenience you could (of course) limit yourself to editing the documents in the cloud on Google Docs or Office Online. You could try using the Print as PDF functionality in your browser to save an open Word file as a pdf, then open that document in Word and edit it as a pdf. (If you have Word 2013 or 2016, anyways.) Not sure there are any great options. But I definitely would not rely on opening & re-saving a doc in G Docs/Office365/etc. alone to strip out any bad stuff. – mostlyinformed Nov 01 '16 at 05:11
  • Hi @halfinformed, regarding macros, I guess they are not a big deal for educated users since, as far as I know, macros are disabled by default. As long as one does not enable them expressly, macros should not be a problem. –  Nov 01 '16 at 08:47

2 Answers

2

The strategy you propose might indeed break malicious code, but with 0 day exploits there is no way to be sure.

If it is just the flat text that you want, the safest way to go might be to open the raw file with a different program. .docx can be opened as a zipped file (using unzip, 7zip or similar) and then you can open word/document.xml with your favorite text editor.

  • Yes, I agree with you. In fact, when it comes to Excel files I would download them as csv files, which, as far as I am concerned, are plain text documents. However, in terms of Word documents, in many circumstances the format matters and thus it is practically impossible to apply this strategy. –  Oct 31 '16 at 15:49
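The raw-file approach from the answer above (read word/document.xml out of the .docx archive instead of opening it in Word), as an added example that is not part of the original answer. The function names, the size cap and the in-memory sample archive are assumptions made for illustration; formatting is lost, as the comment above notes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
MAX_XML_BYTES = 20 * 1024 * 1024  # assumed cap, guards against decompression bombs


def docx_text(source):
    """Return (paragraphs, has_vba) for a .docx path or file object, without Office."""
    with zipfile.ZipFile(source) as zf:
        # A macro project is stored as a vbaProject.bin part inside the archive.
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        info = zf.getinfo("word/document.xml")  # KeyError if the part is missing
        if info.file_size > MAX_XML_BYTES:
            raise ValueError("word/document.xml is larger than the cap")
        with zf.open(info) as part:
            data = part.read(MAX_XML_BYTES + 1)  # declared sizes can lie; cap the read
    if len(data) > MAX_XML_BYTES:
        raise ValueError("word/document.xml is larger than the cap")
    # Coarse check: WordprocessingML needs no DTD, so refuse any (entity tricks);
    # NUL bytes would mean UTF-16, which would hide the marker from this test.
    if b"\x00" in data or b"<!DOCTYPE" in data:
        raise ValueError("unexpected DTD or encoding in word/document.xml")
    paragraphs = []
    for para in ET.fromstring(data).iter(W + "p"):
        parts = []
        for node in para.iter():
            if node.tag == W + "t":        # text run
                parts.append(node.text or "")
            elif node.tag == W + "tab":
                parts.append("\t")
            elif node.tag in (W + "br", W + "cr"):
                parts.append("\n")
        paragraphs.append("".join(parts))
    return paragraphs, has_vba


def build_sample_docx(body_xml):
    """Constructed sample input: a minimal .docx-like archive held in memory."""
    ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    doc = f'<w:document xmlns:w="{ns}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    buf.seek(0)
    return buf
```

Calling `docx_text("file.docx")` on a downloaded file returns the paragraph text and whether the archive carries a VBA project; a ValueError means the file deviates from what a plain Word document needs.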
1

Google policy

Security

Virus scanning: Google Drive scans a file for viruses before the file is downloaded or shared. If a virus is detected, users can't share the file with others, send the infected file via email, or convert it to a Google Doc, Sheet, or Slide, and they'll receive a warning if they attempt these operations. The owner can download the virus-infected file, but only after acknowledging the risk of doing so.

Google saves the files exactly as you upload them, so there is no service from Google to remove the virus from a file. The only service Google offers you is to notify you if the file is infected. Your question is whether you will have a clean file after you make changes to the file in Google Docs?

It depends on the kind of virus you have in the file. Anyhow, you will know if the file is sanitized when you download the file after making changes and see whether Google notifies you that it's infected.

Vini7
  • Thanks @Vini7! But what I am worried about is not viruses: if Google's AV engine can find the virus then I guess my AV may probably find it as well. What I am worried about the most is 0day exploits, just like the one mentioned here: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf. I have to open and edit unknown Word and Excel documents very often (in fact I guess many people have to do that as well) and thus I think I am just fully exposed to the risks of new vulnerabilities. –  Oct 31 '16 at 15:45
  • With 0day exploits we can never be confident, neither with our AV nor with Google's AV. It depends on the time the AV updates the signatures. But in my opinion, considering Google's resources against our personal AV, I would choose Google. – Vini7 Oct 31 '16 at 16:01