Office 2003 may pose antivirus dilemma

Security experts say that Microsoft's upcoming XML format for Office documents could inadvertently give virus writers the upper hand
Written by Patrick Gray, Contributor

Microsoft's latest Office 2003 beta version is set to cause problems for antivirus companies because the XML-based format it supports will bog down scanning software, according to security experts.

The dilemma revolves around macros embedded in Office 2003 documents. When saved as an XML file, the macros can more or less wind up anywhere. This means that scanners must search the entire contents of a file rather than examining a part of the file where macros are always positioned.

Although a simple solution has been put forward by the antivirus industry, the software giant has yet to address the issue.

This change is fairly straightforward. The antivirus companies want a header placed into the file which tells the scanning engine where to look for the macros. In order to ensure that viruses don't slip through the cracks, Office applications should only run macros that are identified by the header.

Jan Hruska, founder and joint chief executive of antivirus firm Sophos, said that while Microsoft has come a long way in terms of security over the years, the XML issue isn't making life easy.

"Traditionally, when Microsoft had a choice between functionality and security, it has gone for functionality every time," he told ZDNet Australia.

So whilst a more open format such as XML can be very useful, it doesn't make it easier for AV companies to deal with, Hruska said. "The looser the format, the harder it is to parse," he added.

Because an entire file needs to be scanned, the scanning agent will require more resources, and in the case of mail gateway filtering, may even become susceptible to denial of service attacks if bombarded with a great number of (large) XML files.

Computer Associates manager of virus research Jakub Kaminski agreed with Hruska. Although he didn't want to "get into the politics of it all", he said the technical challenges to the antivirus industry that the issue presents could be huge.

Kaminski also pointed out that once the format has been released, all future office products will support it, thus antivirus software will have to support it as well.

"Microsoft is certainly willing to cooperate with the antivirus industry," Kaminski said, but noted, "there's a huge argument going on right now... people you talk to have knowledge but don't have the authority."

Kaminski said the problem stems from the header of the file not containing enough information about macros. "You can identify by a couple of hundred bytes that it's a Word document... however, the problem is to identify that the document contains macros," he said.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.

Editorial standards