
Recently, when opening a Microsoft Word document that came from a trusted source, I received the following warning message:

Security Alert - Office File Validation

The warning message is titled "Security Alert - Office File Validation". It says "WARNING: Office File Validation detected a problem while trying to open this file. Opening this is probably dangerous, and may allow a malicious user to take over your computer. - Contact the sender and ask them to re-save and re-send the file. For more security, verify in person or via the phone that they sent the file. Additional actions - Protect your computer with these: Safer options"

Given that the file came from a trusted source, and that I am confident it came from them, my first inclination is to suspect that this might be a false positive. How should I decide whether to proceed or not?

(Clicking on "Safer options" does not provide anything useful.)

This is a classic instance of a user being asked to make a security decision, where there are two possible choices: proceed (and get your work done), or cancel (and don't get your work done). We know how many users will act. How should one act, in this sort of situation? What information or criteria should one use to determine whether to proceed or not, when receiving this particular warning message?

D.W.
  • There is some evidence that [Office File Validation is useful at catching potentially exploitable bugs](https://www.cert.org/blogs/certcc/2011/05/effectiveness_of_microsoft_off.html), so hopefully the correct answer is not "always ignore the warning and proceed if you want to get your work done". – D.W. Aug 01 '12 at 07:11

2 Answers


If the document comes from a trusted source delivered to you in a secure manner, I would proceed with opening the document. In this scenario, I would consider the chance of it being a false positive to be high enough to warrant proceeding with getting your work done.

However, if the document comes from an untrusted source, or is delivered through a manner that might have the potential for a malicious attacker to modify the file, I would try to work out a solution with the party that provided the document, or just not open the file.

There is also a chance that the source, although trusted, might have been infected with malware that is trying to propagate via the document. Thanks @Polynomial for pointing that out.

A way to check if the document is really malicious would be to execute the document in a sandboxed environment like a virtual machine, which should prevent malware from spreading into your host operating system, if any is present. This is quite troublesome though, and involves highly technical skills such as malware analysis - which the average user does not have.

A lot of it comes down to your risk appetite. How much do you trust the person who provided the document? How much do you trust the delivery mechanism?

In your case - I would proceed, but it is difficult to provide a general answer, as different situations require different actions.

  • Also keep in mind that a trusted source may have been infected with malware, and that it may be trying to propagate via these documents. Try uploading it to [VirusTotal](https://www.virustotal.com/) or a similar service for analysis. – Polynomial Aug 01 '12 at 08:23
  • @Polynomial Thanks, edited my answer to account for that situation. –  Aug 01 '12 at 10:13
  • If the file ends up crashing, and WinDbg or similar shows the memory address being accessed was equal to or greater than 0x1000, please send the file to MSRC. – Yuhong Bao Apr 16 '13 at 06:03

From what I know about Office File Validation - it helps detect and prevent file format attacks or file fuzzing attacks by scanning Office binary file formats against a predefined file schema.

If the file has come to you from a trusted source, you can open it. Sometimes the predefined file schema goes awry when your document is created with third-party applications. Other than that, you could try looking at the file metadata to verify that it has not been tampered with and is not malicious.

Just to be sure, you could reconfirm by asking the person who sent you the file if he/she really sent you the file. If you are really paranoid, execute the file under a sandboxed environment. I would not really recommend uploading the document to VirusTotal and the likes if the document is of sensitive nature.

Metahuman