Office 2007 uses an XML-based file format that bundles BIN files and formatting files in a single container. The container is a folder-like archive that appears to the user as a single document file. This packaging convention is called the Open Packaging Convention; it keeps the data, content and metadata in a ZIP-based file format.
An interesting part of the Office 2007 file format is the undocumented BIN files. These binary files carry an executable payload. The work done so far has looked at their functional aspects rather than their exploitable aspects. The basic elements of the BIN files are script files that control how the document is displayed.
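To make the container structure concrete, here is an added triage script (not code from the original note) that inspects an Open Packaging Convention archive the way a mail gateway or incident responder would, without opening it in Office: it reads [Content_Types].xml, lists every part with its declared content type, flags BIN parts (including the macro container word/vbaProject.bin, whose content type is the one Office uses for VBA projects), and flags ZIP entries whose names would escape the extraction root. The sample document it builds in memory is constructed for this example; the part names and bytes in it are placeholders, not a real Word file.

```python
"""Inventory an OOXML / Open Packaging Convention container (.docx and friends).

Added example, not from the original note. Builds a constructed .docx-like ZIP
in memory, then walks the container and reports parts, content types, BIN parts,
VBA macro parts and unsafe (path-escaping) entry names.
"""
from __future__ import annotations

import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Content type Office declares for the VBA project part of macro-enabled files.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def build_sample_docx() -> bytes:
    """Construct a minimal OPC container with one XML part, one BIN part and
    one hostile entry name (all constructed sample data)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        # Placeholder bytes standing in for a real VBA project stream.
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
        # An entry name that would land outside the extraction root.
        zf.writestr("../evil.bin", b"not a document part")
    return buf.getvalue()


def parse_content_types(zf: zipfile.ZipFile) -> tuple[dict, dict]:
    """Return (content type by extension, content type by part name)."""
    defaults, overrides = {}, {}
    try:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    except KeyError:
        return defaults, overrides  # no manifest: not an OPC package
    for el in root.iter(CT_NS + "Default"):
        defaults[el.get("Extension", "").lower()] = el.get("ContentType", "")
    for el in root.iter(CT_NS + "Override"):
        overrides[el.get("PartName", "")] = el.get("ContentType", "")
    return defaults, overrides


def content_type_for(name: str, defaults: dict, overrides: dict) -> str:
    """Resolve a part's content type: Override by part name wins over Default."""
    part = "/" + name
    if part in overrides:
        return overrides[part]
    ext = posixpath.splitext(name)[1].lstrip(".").lower()
    return defaults.get(ext, "")


def is_unsafe_path(name: str) -> bool:
    """True for ZIP entry names that escape the extraction root."""
    if name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return True
    return ".." in posixpath.normpath(name.replace("\\", "/")).split("/")


def triage(package: bytes) -> dict:
    """Inventory an OPC container and return findings a gateway can act on."""
    findings = {"parts": {}, "bin_parts": [], "macro_parts": [], "unsafe_paths": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        defaults, overrides = parse_content_types(zf)
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_path(name):
                findings["unsafe_paths"].append(name)
                continue
            ctype = content_type_for(name, defaults, overrides)
            findings["parts"][name] = ctype
            if name.lower().endswith(".bin"):
                findings["bin_parts"].append(name)
            if ctype == VBA_CONTENT_TYPE:
                findings["macro_parts"].append(name)
    return findings


if __name__ == "__main__":
    report = triage(build_sample_docx())
    for part, ctype in report["parts"].items():
        print(f"{part:28} {ctype or '(no content type declared)'}")
    print("BIN parts:    ", report["bin_parts"])
    print("Macro parts:  ", report["macro_parts"])
    print("Unsafe paths: ", report["unsafe_paths"])
```

The point of resolving content types from the manifest rather than trusting extensions is that the manifest is what Office consults; a part named innocuously but declared as a VBA project is still a macro container, and a part with no declared type at all is worth a second look.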
The question is whether there is an actual risk in deploying a widely used “file” format that is built on a previously exploited format (ZIP), carries a binary payload, and already has known exploits against the current format/application. Is the risk an actual threat?
Consider enterprise environments where ZIP files may still be blocked at the firewall or subjected to deep inspection. What is the risk of using a file format that includes scripting and binary formats and already carries a payload by design? The Word file format (.doc) is extensive, heavily used, malleable, and part of the collaboration model between users. Users do open document files from strangers, and once the format is exploited, simply telling users not to use it won’t be an option.
The open questions are:
1) Is an exploit possible and what would the impact be?
2) What are the answers that reflect user based realities that are not dictatorial?
3) Is falling back to formats like RTF even an option?
References
Office 2007 XML Specification: http://www.microsoft.com/whdc/xps/downloads.mspx
Code Project discussion of the BIN parts of the format, by Stephanie Rodrigruez: http://www.codeproject.com/cs/library/office2007bin.asp
Description of a moderate-risk ZIP file exploit: http://www.frsirt.com/english/advisories/2005/1104
Description of a Windows ZIP file exploit: http://www.derkeiler.com/Mailing-Lists/Securiteam/2004-11/0073.html
Previous versions of Word were exploitable: http://www.eweek.com/article2/0,1895,2072969,00.asp
Current discussion of Word 2007 exploits: http://www.pcworld.com/article/id,130637/article.html