Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Office Protects You From Malicious ISO Files - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Office Protects You From Malicious ISO Files

A couple of weeks ago, Johannes gave me a malicious ISO file he had received: an ISO file containing a PE file.

And that made me wonder: "has Microsoft changed the behavior of Windows or Office when it handles untrusted ISO files?"

Years ago, at the ISC, we started to see malicious ISO files. Since Windows 10 (and later) supports mounting of ISO files, and that the "mark-of-web" is often not propagated to the contained files, it is a way to bypass Protected View in Office.

For example: create a maldoc (Word with VBA), put it inside an ISO file, and email the ISO file to your targets. The victims open the email & attachment: the attached ISO is saved to disk and marked as untrusted (coming from the Internet) and then opened. Then the victims open the contained Word document: it is not opened in Protected View, the yellow SECURITY WARNING banner appears immediately.

This behavior has changed now. If you are using Office 2021, or Office 2019 that you have updated since August 2021, then the document is now opened in ProtectedView:

Didier Stevens
Senior handler
Microsoft MVP


650 Posts
ISC Handler
Apr 16th 2022

Sign Up for Free or Log In to start participating in the conversation!