Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

May 13th, 2011

Why we love specifications (not)!

A few days ago we blogged about another trick in PDF parsing. We got there a comment from a person recommending that we read specifications, which we (as AV guys, not pdf-reader-writing guys) usually don’t do to the full extent, because most of the specifications we’ve seen have been misleading at best.

To illustrate this fact, let me quote from Microsoft RTF docs:

The header has the following syntax:

<header>\rtf <charset> \deff? <fonttbl> <filetbl>? <colortbl>? <stylesheet>? <listtables>? <revtbl>

An entire RTF file is considered a group and must be enclosed in braces. The \rtfN control word must follow the opening brace. The numeric parameter N identifies the major version of the RTF Specification used. The RTF standard described in this RTF Specification, although titled as version 1.6, continues to correspond syntactically to RTF Specification version 1. Therefore, the numeric parameter N for the \rtf control word should still be emitted as 1.

So lets assume we do it exactly as docs say and what we get in return? Malware passing by our filters, because Microsoft Word does not conform to specs and opens anything starting with {\rt.

The following is complete RTF file, which, when saved, would be opened with no problem by Microsoft Word 2000, 2003 and 2007. We assume also in 2010. It won’t open in WordPad though.

{\rtHereYouCanSeeWhyWeDontLikeSpecsEspeciallyFromMicrosoft\ansi\ansicpg1250\uc1\deff29\deflang1029\deflangfe1029{\f0\lang1029\langfe1033\langnp1029 Hello MS world!\par}}

So, tell me something about reading specs next time… <g>



Categories: analyses, Virus Lab Tags:
  • Aethec

    Your file also opens in Word 2010 here (Word 2010 x86 running on Win7 x64).
    Maybe you should open a bug in Connect?

  • Jindřich Kubec

    Won’t solve anything, as the nonconforming Office installations are already deployed.

  • Aethec

    Well, they might fix it in…but it’s probably here for compatibility reasons :/

  • shre54321

    yup! they will fix it!!!