Is RTF in Word still prone to viruses?

Discussion in 'Computer Security' started by Piotr Makley, Apr 4, 2004.

  1. Piotr Makley

    Piotr Makley Guest

    (1) If I use MS Word to create an RTF document then would I avoid
    including any viruses, worms and malicious stuff in my documents?

    (2) If I open an RTF document using MS Word then could any viruses,
    macros or other malicious stuff in the document run on my PC?
     
    Piotr Makley, Apr 4, 2004
    #1
    1. Advertising

  2. Piotr Makley

    JT Guest

    On Sun, 04 Apr 2004 09:13:25 +0100, Piotr Makley <> wrote:

    >(1) If I use MS Word to create an RTF document then would I avoid
    >including any viruses, worms and malicious stuff in my documents?
    >

    Can't be depended on for that

    >(2) If I open an RTF document using MS Word then could any viruses,
    >macros or other malicious stuff in the document run on my PC?


    The .rtf extension just tells the OS that it is an office document. Word
    will ignore the extension once the file is passed to Word to open. An
    infected file renamed with the .rtf extension would infect you just as fast
    as a .doc. The extension is no real indicator of file contents, and is no
    guarentee of how the file will be processed.

    JT
     
    JT, Apr 4, 2004
    #2
    1. Advertising

  3. "Piotr Makley" <> wrote in message
    news:94C15DD45EB4F31E75@130.133.1.4...
    > (1) If I use MS Word to create an RTF document then would I avoid
    > including any viruses, worms and malicious stuff in my documents?


    That is more or less the case. But if your system is comprimised by a virus
    then nothing is really "safe". A RTF document processesed as RTF is not a
    virus carrier.

    A file might have a .rtf extension but it might actually be a doc or
    something else and some programms will examine the contents of files and
    decide how to process them on that basis. - like MS word for instance.

    > (2) If I open an RTF document using MS Word then could any viruses,
    > macros or other malicious stuff in the document run on my PC?


    Make sure it's really a RTF file and not a file with an .rtf extension. It's
    not safe to assume it's safe if you use MS word.
     
    Spacen Jasset, Apr 4, 2004
    #3
  4. "JT" <> to Piotr Makley:

    > >(1) If I use MS Word to create an RTF document then would I avoid
    > >including any viruses, worms and malicious stuff in my documents?
    > >

    > Can't be depended on for that


    Indeed.

    Depending on the version of Word you are using, there are macro viruses
    that deliberately usurp the Save As... function to ensure that infected
    documents are saved in document format but with the .RTF extension if
    the RTF format is selected...


    --
    Nick FitzGerald
     
    Nick FitzGerald, Apr 5, 2004
    #4
  5. "Piotr Makley" <> wrote:

    > (1) If I use MS Word ...


    What version?

    Configured how?

    What service packs/security hotfixes, etc applied?

    > ... to create an RTF document then would I avoid
    > including any viruses, worms and malicious stuff in my documents?


    If you're really good at this stuff you can be pretty darn sure
    that Word will produce "safe" .RTF files that are RTF format.

    My "really good" hurdle is set pretty high though and only a few
    dozen to a few hundred folk outside of AV would likely clear it...

    > (2) If I open an RTF document using MS Word then could any viruses,
    > macros or other malicious stuff in the document run on my PC?


    What version of Word?

    Configured how?

    What service packs, etc??

    Older/unpatched versions of Word will follow URL links in true RTF
    format documents to offsite template files and _silently_ open them
    and "appropriately" (i.e. by typically shoddy Redmond standards)
    execute any "auto macros" therein and enable any system macros.

    Older/unpatched version of Word (and several other of the Office
    applications) have incomplete checks for the existence of macros in
    their native document formats. Opening such documents will cause
    the early "are there macros" tests to fail, thereby bypassing the
    actual "macro security" mechanisms for that document and later
    processes will go on to discover and enable macros in specially-
    prepared documents. If these documents are renamed with the .RTF
    extension, Word will still happily open them and treat just as if
    they had .DOC extensions.

    True RTF format documents can contain embedded objects that may be
    able to launch "unsafe" code (not necessarily Word macros though)
    just as native Word document files may.

    Earlier versions of various RichEd* DLLs have exploitable buffer
    overflows. These DLLs are intimately involved in processing RTF
    format files whether they are opened by Word or Write (or Wordpad
    or whatever the latter is called in your version of Windows).
    Thus, depending on the version and service pack level of your OS
    and/or version of Word, various arbitrary code execution exploits
    may be possible against you, initiated by an "attacker" sending
    you a specially prepared RTF file and you opening it in an
    appropriately out-of-date version of Word/Write/etc.

    There are probably other things I'm forgetting for now, but that's
    a tidy list for you start from...


    --
    Nick FitzGerald
     
    Nick FitzGerald, Apr 5, 2004
    #5
  6. Piotr Makley

    Offbreed Guest

    Nick FitzGerald wrote:

    > Depending on the version of Word you are using, there are macro viruses
    > that deliberately usurp the Save As... function to ensure that infected
    > documents are saved in document format but with the .RTF extension if
    > the RTF format is selected...


    I suppose it's not worth the bother for someone to put together a
    utility that compares the actual format and the extension.
     
    Offbreed, Apr 5, 2004
    #6
  7. Piotr Makley

    GEO Guest

    On Mon, 05 Apr 2004 05:27:41 -0700, Offbreed
    <> wrote:

    >I suppose it's not worth the bother for someone to put together a
    >utility that compares the actual format and the extension.


    I have found very interesting the different point of view expressed
    here on this topic. A couple of weeks ago someone in a different group
    praised another O/S ( Linux? Macs?) for not even looking at the
    extension, but at the file itself, in order to decide what to do with
    it. From what has been expressed here it seems that it is not always
    such a good idea.
    A number of times has been said that many times the ignorance of the
    users is part of the problem with viruses and worms. Would be better
    to have the system decide according to extensions? Or would you prefer
    to have the system check the format of the file? I guess that the
    first option would require more knowledge from part of the users. Is
    the second the prefered option on newer versions of O/S?

    Geo
     
    GEO , Apr 5, 2004
    #7
  8. "GEO" <> wrote in message
    news:...
    > On Mon, 05 Apr 2004 05:27:41 -0700, Offbreed
    > <> wrote:
    >
    > >I suppose it's not worth the bother for someone to put together a
    > >utility that compares the actual format and the extension.

    >
    > I have found very interesting the different point of view expressed
    > here on this topic. A couple of weeks ago someone in a different group
    > praised another O/S ( Linux? Macs?) for not even looking at the
    > extension, but at the file itself, in order to decide what to do with
    > it. From what has been expressed here it seems that it is not always
    > such a good idea.
    > A number of times has been said that many times the ignorance of the
    > users is part of the problem with viruses and worms. Would be better
    > to have the system decide according to extensions? Or would you prefer
    > to have the system check the format of the file? I guess that the
    > first option would require more knowledge from part of the users. Is
    > the second the prefered option on newer versions of O/S?
    >
    > Geo
    >

    One or the other, but not both would perhaps be best. Also one could say
    that, a file should be opened using the program and in the manner that the
    user expects. So file extensions maybe the way to go. Really, word documents
    just shouldn't have embedded macros. They don't seem necessary. Today's
    menace isn't word macros anyway.
     
    Spacen Jasset, Apr 5, 2004
    #8
  9. Piotr Makley

    Bill Unruh Guest

    "GEO" writes:

    ]On Mon, 05 Apr 2004 05:27:41 -0700, Offbreed
    ]<> wrote:

    ]>I suppose it's not worth the bother for someone to put together a
    ]>utility that compares the actual format and the extension.

    ] I have found very interesting the different point of view expressed
    ]here on this topic. A couple of weeks ago someone in a different group
    ]praised another O/S ( Linux? Macs?) for not even looking at the
    ]extension, but at the file itself, in order to decide what to do with
    ]it. From what has been expressed here it seems that it is not always
    ]such a good idea.
    ] A number of times has been said that many times the ignorance of the
    ]users is part of the problem with viruses and worms. Would be better
    ]to have the system decide according to extensions? Or would you prefer
    ]to have the system check the format of the file? I guess that the
    ]first option would require more knowledge from part of the users. Is
    ]the second the prefered option on newer versions of O/S?

    I would prefer it to do both and to complain if its file format test did
    not agree with the extention test. The extentions on Windows systems are
    supposed to be there to tell you and the system what kind of file it is.
    If it is not that kind of file, you should be told it is not.
     
    Bill Unruh, Apr 5, 2004
    #9
  10. Piotr Makley

    Offbreed Guest

    Spacen Jasset wrote:

    > "GEO" <> wrote in message
    > news:...


    >> I have found very interesting the different point of view expressed
    >>here on this topic. A couple of weeks ago someone in a different group
    >>praised another O/S ( Linux? Macs?) for not even looking at the
    >>extension, but at the file itself, in order to decide what to do with
    >>it. From what has been expressed here it seems that it is not always
    >>such a good idea.


    All the Unics family, including Linux, looks at the file. The name and
    extension is simply not relevant (the extension is considered part of
    the name).

    All will tell you what the file really is, if you ask.

    > One or the other, but not both would perhaps be best. Also one could say
    > that, a file should be opened using the program and in the manner that the
    > user expects.


    The best way to open any is to open the program, then the document.
    That's what I do with everything new, even if it's less convenient.
    (Cleaning up after mal-ware is a lot less convenient.)

    The only exceptions are files in constant use, like ng filters. I
    often directly edit Mozilla and nfilter kill files, for example.
     
    Offbreed, Apr 5, 2004
    #10
  11. On Mon, 05 Apr 2004 14:11:25 GMT, "GEO" wrote:
    >On Mon, 05 Apr 2004 05:27:41 -0700, Offbreed


    >>I suppose it's not worth the bother for someone to put together a
    >>utility that compares the actual format and the extension.


    I think that's a good thing to build into Explorer's Properties for
    use via rt-click on suspect files.

    > I have found very interesting the different point of view expressed
    >here on this topic. A couple of weeks ago someone in a different group
    >praised another O/S ( Linux? Macs?) for not even looking at the
    >extension, but at the file itself, in order to decide what to do with
    >it. From what has been expressed here it seems that it is not always
    >such a good idea.


    It's an utterly crap idea! How is a user supposed to assess the risk
    of "opening" a file if there's no type indication to go on?

    The only tyope indicators offered are the icon, and the .ext - and as
    the most dangerous file types can set their own icons, only the .ext
    has any strength as a risk predictor. That strength is undermined by
    duhfaults that hide .ext as well as always-hidden .ext for some very
    dangerous file types. When the OS ignores .ext and uses only internal
    information the user is not privvy to, the user cannot assess risk.

    > A number of times has been said that many times the ignorance of the
    >users is part of the problem with viruses and worms. Would be better
    >to have the system decide according to extensions? Or would you prefer
    >to have the system check the format of the file?


    1) There should be type info visible to the user
    2) If content is at odds with that info, the OS should NOT run it

    You don't want every file listing to dig into every file's content to
    retrieve type info from the file's content - that's what persistant
    handlers do, and it SUCKS for performance esp. when the files are on
    LAN, slow disk, broken (e.g. a search through a 1G .AVI that lacks
    metatdata because it's broken) etc.



    >-------------------- ----- ---- --- -- - - - -

    Running Windows-based av to kill active malware is like striking
    a match to see if what you are standing in is water or petrol.
    >-------------------- ----- ---- --- -- - - - -
     
    cquirke (MVP Win9x), Apr 6, 2004
    #11
  12. Piotr Makley

    Piotr Makley Guest

    JT <> wrote:

    >>(2) If I open an RTF document using MS Word then could any
    >>viruses, macros or other malicious stuff in the document run
    >>on my PC?

    >
    > The .rtf extension just tells the OS that it is an office
    > document. Word will ignore the extension once the file is
    > passed to Word to open. An infected file renamed with the .rtf
    > extension would infect you just as fast as a .doc. The
    > extension is no real indicator of file contents, and is no
    > guarentee of how the file will be processed.
    >



    I want to use RTF format documents rather than MS Word format
    douments in order to reduce the risk of viruses.

    Can anyone recommend a good and un-bloated RTF word processor?
     
    Piotr Makley, Apr 7, 2004
    #12
  13. Piotr Makley

    Graham Mayor Guest

    > I want to use RTF format documents rather than MS Word format
    > douments in order to reduce the risk of viruses.
    >
    > Can anyone recommend a good and un-bloated RTF word processor?


    Wordpad?

    You are not going to create documents that contain viruses for your own use
    with DOC format. It only becomes an issue when you post them to others.
    Don't send unsolicited Word docs to anyone. Don't mail docs unless they are
    zipped, because they are bulky and compress well and are less likely to be
    discarded by security systems. If you set your own macro security in Word to
    medium, you will get a prompt if there are macros in a document that you
    open on your machine and you can choose to disable any you are uncertain of.

    --
    <>>< ><<> ><<> <>>< ><<> <>>< <>>< ><<>
    Graham Mayor - Word MVP

    Web site www.gmayor.com
    Word MVP web site www.mvps.org/word
    <>>< ><<> ><<> <>>< ><<> <>>< <>>< ><<>
     
    Graham Mayor, Apr 7, 2004
    #13
  14. Piotr Makley

    JT Guest

    On Wed, 07 Apr 2004 12:58:45 +0100, Piotr Makley <> wrote:

    >JT <> wrote:
    >
    >>>(2) If I open an RTF document using MS Word then could any
    >>>viruses, macros or other malicious stuff in the document run
    >>>on my PC?

    >>
    >> The .rtf extension just tells the OS that it is an office
    >> document. Word will ignore the extension once the file is
    >> passed to Word to open. An infected file renamed with the .rtf
    >> extension would infect you just as fast as a .doc. The
    >> extension is no real indicator of file contents, and is no
    >> guarentee of how the file will be processed.
    >>

    >
    >
    >I want to use RTF format documents rather than MS Word format
    >douments in order to reduce the risk of viruses.
    >
    >Can anyone recommend a good and un-bloated RTF word processor?


    Why RTF? No word processor uses it as it's native format although most can
    read and write the format. Just pick a good wordprocessor. Almost all can
    save in RTF or Word .doc formats. RTF has other problems that make it
    less than ideal as a document format. It tends to be very inconsistant in
    document layout and formatting. Look at OpenOffice.org or Star Office or
    Word perfect or Lotus write or Abiword or what ever you happen to like. RTF
    is not a panacea for documents and virus prevention.

    JT
     
    JT, Apr 7, 2004
    #14
  15. On that special day, cquirke (MVP Win9x), ()
    said...

    > 2) If content is at odds with that info, the OS should NOT run it


    Or only open it in some extremely restricted environment, like a test
    file or hex editor. I use the hexedit for suspicious files. Problem is,
    many worms are compressed, using more and more exotic packer programs,
    which turns their content into pure gibberish.


    Gabriele Neukam




    --
    Ah, Information. A good, too valuable these days, to give it away, just
    so, at no cost.
     
    Gabriele Neukam, Apr 7, 2004
    #15
  16. Piotr Makley

    Rasta Robert Guest

    On Wed, 07 Apr 2004 at 11:58 GMT, Piotr Makley
    <> wrote:
    >
    > I want to use RTF format documents rather than MS Word format
    > douments in order to reduce the risk of viruses.
    >
    > Can anyone recommend a good and un-bloated RTF word processor?


    Atlantis Nova: <http://www.rssol.com/>
     
    Rasta Robert, Apr 18, 2004
    #16
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. joevan

    Adobe help needed. rtf to pdf

    joevan, Dec 21, 2003, in forum: Computer Support
    Replies:
    3
    Views:
    513
    joevan
    Dec 21, 2003
  2. lbbss
    Replies:
    6
    Views:
    543
    Timothy Timbrook
    Aug 17, 2004
  3. psion
    Replies:
    13
    Views:
    672
    Richard
    Nov 11, 2004
  4. phrogee

    RTF files to DAT files

    phrogee, May 2, 2005, in forum: Computer Support
    Replies:
    11
    Views:
    990
    phrogee
    May 4, 2005
  5. OldGringo38

    Re: RTF ... Constitution?

    OldGringo38, Oct 21, 2010, in forum: Computer Support
    Replies:
    2
    Views:
    434
    Bucky Breeder
    Oct 21, 2010
Loading...

Share This Page