Office 2003 may pose antivirus problem

Security experts say that Microsoft's upcoming XML format for Office documents could inadvertently give virus writers the upper hand.
Written by Patrick Gray, Contributor
The latest test version of Microsoft Office 2003 could cause problems for antivirus companies because the XML-based format it supports will bog down scanning software, according to security experts.

The problem centers on macros embedded in documents in the Office 2003 beta, or test, version. When saved as an XML (Extensible Markup Language) file, the macros can more or less wind up anywhere. This means that scanners must search the entire contents of a file, rather than examine the part of the file where macros are always positioned.

Although a simple solution has been put forward by the antivirus industry, Microsoft has not yet introduced any changes. A Microsoft spokesperson said the problem is an issue for XML documents in general and not specific to Office 2003.

This change is fairly straightforward. The antivirus companies want a header placed into the file that tells the scanning engine where to look for the macros. In addition, in order to ensure that viruses don't slip through the cracks, the applications in the Office productivity suite should run only macros that are identified by the header, the companies say.

Jan Hruska, founder and co-CEO of antivirus software maker Sophos, said that while Microsoft has come a long way in terms of security over the years, the XML issue isn't making life easy.

"Traditionally, when Microsoft had a choice between functionality and security, it has gone for functionality every time," he told ZDNet Australia.

So while a more open format such as XML can be very useful, it doesn't make it easier for antivirus companies to deal with, Hruska said. "The looser the format, the harder it is to parse," he added.

Because an entire file needs to be scanned, the scanning agent will require more resources. In the case of mail gateway filtering, systems may even become susceptible to denial of service attacks if bombarded with a great number of (large) XML files.

A Microsoft spokesperson acknowledged the issue, but said it affects all XML-based data formats and is not specific to Office.

"The challenge of stopping viruses in XML documents is (an) industry-wide (issue), and not (limited to) Microsoft Office 2003," the representative said. "In fact, Office 2003 it is not any more prone to macro viruses than any previous version."

The software giant's representative stressed that Office 2003 is compliant with the World Wide Web Consortium (W3C) standards, but added the company is willing to work with antivirus software makers on the problem.

Jakub Kaminski, manager of virus research at Computer Associates, said the technical challenges to the antivirus industry that the issue presents could be huge. He pointed out that once the format has been released, all future Office products will support it--thus antivirus software will have to support it as well.

"Microsoft is certainly willing to cooperate with the antivirus industry," Kaminski said. Nevertheless, he noted, "There's a huge argument going on right now. People you talk to have knowledge, but don't have the authority."

Kaminski said the problem stems from the header of the file not containing enough information about macros. "You can identify by a couple of hundred bytes that it's a Word document. However, the problem is to identify that the document contains macros," he said.

ZDNet Australia 's Patrick Gray reported from Sydney.

Editorial standards