Is RTF in Word still prone to viruses?

  • Thread starter Thread starter Piotr Makley
  • Start date Start date
P

Piotr Makley

(1) If I use MS Word to create an RTF document then would I avoid
including any viruses, worms and malicious stuff in my documents?

(2) If I open an RTF document using MS Word then could any viruses,
macros or other malicious stuff in the document run on my PC?
 
(1) If I use MS Word to create an RTF document then would I avoid
including any viruses, worms and malicious stuff in my documents?
Click to expand...
Can't be depended on for that
(2) If I open an RTF document using MS Word then could any viruses,
macros or other malicious stuff in the document run on my PC?
Click to expand...

The .rtf extension just tells the OS that it is an office document. Word
will ignore the extension once the file is passed to Word to open. An
infected file renamed with the .rtf extension would infect you just as fast
as a .doc. The extension is no real indicator of file contents, and is no
guarentee of how the file will be processed.

JT
 
Piotr Makley said:
(1) If I use MS Word to create an RTF document then would I avoid
including any viruses, worms and malicious stuff in my documents?
Click to expand...

That is more or less the case. But if your system is comprimised by a virus
then nothing is really "safe". A RTF document processesed as RTF is not a
virus carrier.

A file might have a .rtf extension but it might actually be a doc or
something else and some programms will examine the contents of files and
decide how to process them on that basis. - like MS word for instance.
(2) If I open an RTF document using MS Word then could any viruses,
macros or other malicious stuff in the document run on my PC?
Click to expand...

Make sure it's really a RTF file and not a file with an .rtf extension. It's
not safe to assume it's safe if you use MS word.
 
JT said:
Can't be depended on for that
Click to expand...

Indeed.

Depending on the version of Word you are using, there are macro viruses
that deliberately usurp the Save As... function to ensure that infected
documents are saved in document format but with the .RTF extension if
the RTF format is selected...
 
Piotr Makley said:
(1) If I use MS Word ...
Click to expand...

What version?

Configured how?

What service packs/security hotfixes, etc applied?
... to create an RTF document then would I avoid
including any viruses, worms and malicious stuff in my documents?
Click to expand...

If you're really good at this stuff you can be pretty darn sure
that Word will produce "safe" .RTF files that are RTF format.

My "really good" hurdle is set pretty high though and only a few
dozen to a few hundred folk outside of AV would likely clear it...
(2) If I open an RTF document using MS Word then could any viruses,
macros or other malicious stuff in the document run on my PC?
Click to expand...

What version of Word?

Configured how?

What service packs, etc??

Older/unpatched versions of Word will follow URL links in true RTF
format documents to offsite template files and _silently_ open them
and "appropriately" (i.e. by typically shoddy Redmond standards)
execute any "auto macros" therein and enable any system macros.

Older/unpatched version of Word (and several other of the Office
applications) have incomplete checks for the existence of macros in
their native document formats. Opening such documents will cause
the early "are there macros" tests to fail, thereby bypassing the
actual "macro security" mechanisms for that document and later
processes will go on to discover and enable macros in specially-
prepared documents. If these documents are renamed with the .RTF
extension, Word will still happily open them and treat just as if
they had .DOC extensions.

True RTF format documents can contain embedded objects that may be
able to launch "unsafe" code (not necessarily Word macros though)
just as native Word document files may.

Earlier versions of various RichEd* DLLs have exploitable buffer
overflows. These DLLs are intimately involved in processing RTF
format files whether they are opened by Word or Write (or Wordpad
or whatever the latter is called in your version of Windows).
Thus, depending on the version and service pack level of your OS
and/or version of Word, various arbitrary code execution exploits
may be possible against you, initiated by an "attacker" sending
you a specially prepared RTF file and you opening it in an
appropriately out-of-date version of Word/Write/etc.

There are probably other things I'm forgetting for now, but that's
a tidy list for you start from...
 
Nick said:
Depending on the version of Word you are using, there are macro viruses
that deliberately usurp the Save As... function to ensure that infected
documents are saved in document format but with the .RTF extension if
the RTF format is selected...
Click to expand...

I suppose it's not worth the bother for someone to put together a
utility that compares the actual format and the extension.
 
I suppose it's not worth the bother for someone to put together a
utility that compares the actual format and the extension.
Click to expand...

I have found very interesting the different point of view expressed
here on this topic. A couple of weeks ago someone in a different group
praised another O/S ( Linux? Macs?) for not even looking at the
extension, but at the file itself, in order to decide what to do with
it. From what has been expressed here it seems that it is not always
such a good idea.
A number of times has been said that many times the ignorance of the
users is part of the problem with viruses and worms. Would be better
to have the system decide according to extensions? Or would you prefer
to have the system check the format of the file? I guess that the
first option would require more knowledge from part of the users. Is
the second the prefered option on newer versions of O/S?

Geo
 
GEO said:
I have found very interesting the different point of view expressed
here on this topic. A couple of weeks ago someone in a different group
praised another O/S ( Linux? Macs?) for not even looking at the
extension, but at the file itself, in order to decide what to do with
it. From what has been expressed here it seems that it is not always
such a good idea.
A number of times has been said that many times the ignorance of the
users is part of the problem with viruses and worms. Would be better
to have the system decide according to extensions? Or would you prefer
to have the system check the format of the file? I guess that the
first option would require more knowledge from part of the users. Is
the second the prefered option on newer versions of O/S?

Geo
Click to expand...
One or the other, but not both would perhaps be best. Also one could say
that, a file should be opened using the program and in the manner that the
user expects. So file extensions maybe the way to go. Really, word documents
just shouldn't have embedded macros. They don't seem necessary. Today's
menace isn't word macros anyway.
 
"GEO" (e-mail address removed) writes:

]On Mon, 05 Apr 2004 05:27:41 -0700, Offbreed

]>I suppose it's not worth the bother for someone to put together a
]>utility that compares the actual format and the extension.

] I have found very interesting the different point of view expressed
]here on this topic. A couple of weeks ago someone in a different group
]praised another O/S ( Linux? Macs?) for not even looking at the
]extension, but at the file itself, in order to decide what to do with
]it. From what has been expressed here it seems that it is not always
]such a good idea.
] A number of times has been said that many times the ignorance of the
]users is part of the problem with viruses and worms. Would be better
]to have the system decide according to extensions? Or would you prefer
]to have the system check the format of the file? I guess that the
]first option would require more knowledge from part of the users. Is
]the second the prefered option on newer versions of O/S?

I would prefer it to do both and to complain if its file format test did
not agree with the extention test. The extentions on Windows systems are
supposed to be there to tell you and the system what kind of file it is.
If it is not that kind of file, you should be told it is not.
 
All the Unics family, including Linux, looks at the file. The name and
extension is simply not relevant (the extension is considered part of
the name).

All will tell you what the file really is, if you ask.
One or the other, but not both would perhaps be best. Also one could say
that, a file should be opened using the program and in the manner that the
user expects.
Click to expand...

The best way to open any is to open the program, then the document.
That's what I do with everything new, even if it's less convenient.
(Cleaning up after mal-ware is a lot less convenient.)

The only exceptions are files in constant use, like ng filters. I
often directly edit Mozilla and nfilter kill files, for example.
 
I think that's a good thing to build into Explorer's Properties for
use via rt-click on suspect files.
I have found very interesting the different point of view expressed
here on this topic. A couple of weeks ago someone in a different group
praised another O/S ( Linux? Macs?) for not even looking at the
extension, but at the file itself, in order to decide what to do with
it. From what has been expressed here it seems that it is not always
such a good idea.
Click to expand...

It's an utterly crap idea! How is a user supposed to assess the risk
of "opening" a file if there's no type indication to go on?

The only tyope indicators offered are the icon, and the .ext - and as
the most dangerous file types can set their own icons, only the .ext
has any strength as a risk predictor. That strength is undermined by
duhfaults that hide .ext as well as always-hidden .ext for some very
dangerous file types. When the OS ignores .ext and uses only internal
information the user is not privvy to, the user cannot assess risk.
A number of times has been said that many times the ignorance of the
users is part of the problem with viruses and worms. Would be better
to have the system decide according to extensions? Or would you prefer
to have the system check the format of the file?
Click to expand...

1) There should be type info visible to the user
2) If content is at odds with that info, the OS should NOT run it

You don't want every file listing to dig into every file's content to
retrieve type info from the file's content - that's what persistant
handlers do, and it SUCKS for performance esp. when the files are on
LAN, slow disk, broken (e.g. a search through a 1G .AVI that lacks
metatdata because it's broken) etc.


-------------------- ----- ---- --- -- - - - -
Click to expand...
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
JT said:
The .rtf extension just tells the OS that it is an office
document. Word will ignore the extension once the file is
passed to Word to open. An infected file renamed with the .rtf
extension would infect you just as fast as a .doc. The
extension is no real indicator of file contents, and is no
guarentee of how the file will be processed.
Click to expand...


I want to use RTF format documents rather than MS Word format
douments in order to reduce the risk of viruses.

Can anyone recommend a good and un-bloated RTF word processor?
 
I want to use RTF format documents rather than MS Word format
douments in order to reduce the risk of viruses.

Can anyone recommend a good and un-bloated RTF word processor?
Click to expand...

Wordpad?

You are not going to create documents that contain viruses for your own use
with DOC format. It only becomes an issue when you post them to others.
Don't send unsolicited Word docs to anyone. Don't mail docs unless they are
zipped, because they are bulky and compress well and are less likely to be
discarded by security systems. If you set your own macro security in Word to
medium, you will get a prompt if there are macros in a document that you
open on your machine and you can choose to disable any you are uncertain of.

--
<>>< ><<> ><<> <>>< ><<> <>>< <>>< ><<>
Graham Mayor - Word MVP

Web site www.gmayor.com
Word MVP web site www.mvps.org/word
<>>< ><<> ><<> <>>< ><<> <>>< <>>< ><<>
 
I want to use RTF format documents rather than MS Word format
douments in order to reduce the risk of viruses.

Can anyone recommend a good and un-bloated RTF word processor?
Click to expand...

Why RTF? No word processor uses it as it's native format although most can
read and write the format. Just pick a good wordprocessor. Almost all can
save in RTF or Word .doc formats. RTF has other problems that make it
less than ideal as a document format. It tends to be very inconsistant in
document layout and formatting. Look at OpenOffice.org or Star Office or
Word perfect or Lotus write or Abiword or what ever you happen to like. RTF
is not a panacea for documents and virus prevention.

JT
 
On that special day, cquirke (MVP Win9x), ([email protected])
said...
2) If content is at odds with that info, the OS should NOT run it
Click to expand...

Or only open it in some extremely restricted environment, like a test
file or hex editor. I use the hexedit for suspicious files. Problem is,
many worms are compressed, using more and more exotic packer programs,
which turns their content into pure gibberish.


Gabriele Neukam

(e-mail address removed)
 
Back
Top