How Microsoft Office knows a document came from the Internet and might be dangerous

By way of a bit of background I had always been curious how Microsoft Office knew that a document came from the Internet and that it might be unsafe.

This behaviour can be seen in modern versions of Microsoft Office when you see:

Microsoft Office protect view bar

So I went on a 10 minute journey to find out how this worked. While thinking about it two possibilities sprung to mind:

  • The document is modified to embed something in the OLE container
  • The use of ‘Alternate Data Streams’ (ADS)

http://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_.28ADS.29

http://www.heysoft.de/en/information/ntfs-ads.php

So how does it know?  The second of the two hypothesised approaches was the correct one. This was verified using LADS

C:\Data\NCC\!Research\OfficeIntertubez>c:\data\utils\LADS\lads
LADS - Freeware version 4.10
(C) Copyright 1998-2007 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:\Data\NCC\!Research\OfficeIntertubez
size ADS in file
---------- ---------------------------------
26 C:\Data\NCC\!Research\OfficeIntertubez\Foo.pptx:Zone.Identifier
26 bytes in 1 ADS listed

A quick look inside (C:\Data\NCC\!Research\OfficeIntertubez>notepad “Foo.pptx:Zone.Identifier”) shows:

[ZoneTransfer]
ZoneId=3

A quick Google on ‘Zone.Identifier’ turned up an MSDN page titled ‘ Zone.Identifier Stream Name‘ which described it as:

“Windows® Internet Explorer® uses the stream name Zone.Identifier for storage of URL security zones.
The fully qualified form is sample.txt: Zone.Identifier:$DATA
The stream is a simple text stream of the form:

[ZoneTransfer]
ZoneId=3

[MSDN-SECZONES] gives an explanation of security zones.”

The other and arguably more interesting document was a forensics document titled ‘Zone Identifier ADS’s [OW1] ‘ which contained the following information:

The values in the following table are either explicitly assigned, i.e.

URLZONE_USER_MIN  = 1000

or are incrementing numbers i.e.

URLZONE_INTRANET = 1
URLZONE_TRUSTED = 2
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4

What confused me a little is that the ‘Zone.Identifier’ ADS doesn’t get modified if you enable editing within Microsoft Office.

So this fact lead to the next area of interest, how does Microsoft Office then know I’ve trusted the document? A quick run of SysInternals ProcessMonitor and we find it stores it in the registry:

Process monitor table

So now we know how Microsoft Office knows the source of a document and if you’ve trusted it… all in all a little bit of Friday fun to get to the bottom of it.

Published date:  19 December 2012

Written by:  Ollie Whitehouse