Office Apps Security on Windows

With Microsoft Office being one of the most popular and commonly installed document solutions for Windows systems, it has been a favorite target for hackers. Well, maybe not the Office Apps themselves, but rather the documents used in the Office applications.

VBA Vulnerability of Office Apps

Ever since macros were replaced by Visual Basic for Application to enable automation of tasks in Office applications, VBA has been a method of introducing vulnerabilities in Windows devices running Office. VBA is a popular method in both Excel and Word to automate things. It is a good thing that protection from such attacks has been improved. In most cases, the user still requires action to enable the execution of malicious code. And Microsoft has changed the default method of handling macros from the Internet (namely blocking them in Office).

Excel Add-ins Security

Excel and Word are two of the most popular targets for hackers since these are the most used applications in the Office suite. Besides the VBA option, hackers also target systems using the Excel add-in feature. An add-in is another way of extending the standard Excel functionality. Add-ins can be downloaded and need to be installed before they can be used.

But there are many add-ins available for Excel, so it is tempting to install one if a specific feature is needed that is not available in Excel. Some add-ins are free and some are not. If an installer is used for installing the add-in, a digital certificate or signature can be checked to ensure the add-in is safe. Checking if the add-in is downloaded from a trusted source is also good practice.  Microsoft AppSource is an example of a trustworthy origin.

A special case is the Excel document type XLL. Files with the .XLL extension will result in a warning when loaded that the file contains add-ins and might be a security risk. Since XLL files are like DLL files and contain executable code, it is possible that they contain malicious code. More in-depth information on this type of threat is available on the Talos blog.

OneNote Documents with Malware

OneNote is an Office App that is less commonly used. But in many cases, the app is still installed on Windows systems that have Office installed. As a result, the OneNote file extension .one is associated with the OneNote app. Opening or executing a .one file will automatically open the OneNote app which will load the file.

This can result in a security threat when the .one file contains malicious code. And that is exactly what has been happening more and more. OneNote files infected with the AsyncRAT malware have been distributed from seemingly trusted sources to infect Windows systems. A recent analysis by BitDefender shows an increase in this type of infection with this trojan spyware. Since the AsyncRAT malware has been around for quite a few years, most security protection solutions will protect against the known variants. But with the code for the malware being available, variations are possible that are not detected.Another

OneNote type of malware uses templates that trick the user into clicking on a button to view something. In reality, the button hides embedded files that execute macode.

Protect Office Apps

Microsoft has taken steps to ensure the security of the Office Apps. Disabling macros, not loading macros from the Internet, and showing warnings when loading something potentially dangerous, all help prevent the execution of malicious code.

Apart from this the most important other things users can do is:

• Ensure you have an up-to-date antivirus solution.
  This should be more than just a file scanner. An AV solution should check all files from the Internet, but ideally also integrate with your email client to check attachments before they can be opened. With the frequency of threats being found, it is recommended to have the daily update for virus definitions active (most SV solutions have this by default).
• Only use Office files that you know to originate from a trustworthy source. Free stuff is obviously more likely to contain bad code than a commercial solution. Email attachments are a favorite method of attack by hackers. Don’t open anything that you are not familiar with.
• When you have doubts, or see a warning, don’t ignore it. With online privacy policies and cookie banners, people tend to easily click the Accept or OK option, simply to move on to the website content. With macros or add-ins, a warning message should be taken seriously. Once executed, malicious code can easily affect a Windows installation, often without the user’s knowledge. It is better to check and be safe and not be in a hurry to complete a task!
• For specific file types, block the file extension in email servers or firewalls. If you do not use a specific Office app, you can also consider removing the file association so the extension does not automatically open the app.
• For corporate users, or better, administrators, it is important to block the .one extension in the email servers, so it can not be included as an attachment. An alternate option is to use the Group Policy Administrative Templates files for Office 365. Once installed, a group policy can be created to disable embedded files or block embedded files by extension. End-users will then recevie a warning message informing them that the attachement cannot be openened.