Hello! What the hell is this place?


Hello my name is Dan and I am what some would call a hacker, cracker, designer, engineering architect though I prefer information systems security consultant.  Security is not only my job, but it is also a passion. I'll share my ramblings, frustrations and interests during my day to day expedition through security in the real “business” world and how it impacts you in this fast paced industry, along with my joy of gadgets, sport and red wine. To date, I have over ten years’ experience and earned qualifications from Microsoft, SANS, EC|Council, VMware, Cisco and ISC. These include, CISSP, C|EH, SANS pen testing, Cisco Security and CCNP, MCSA, MCSE in 2003 technologies, and Enterprise Admin in MCITP 2008. Thanks for visiting and feel free to join in the discussion and comment as some posts may offend, some posts may be utter nonsense! Security is an evolving process and on-going debate. I am not sponsored by any company, nor am I trying to sell you security products, nor lead you down the rabbit hole with promises of rosy magic security solutions. 

Monday, Jul 18, 2011

Microsoft Security Advisory: File Validation Add-In KB2501584

 

Whoops. Let us hope your security and patching team tested July's update cycle from Microsoft before deploying on the live network. Looks like our Redmond friends have pushed out an update which is causing a few headaches.

The Office File Validation Add-In for Office 2003 and Office 2007 appeared on our WSUS and System Center under KB2501584 as an "important" update. The problem is that, in testing, it has a disastrous effect on opening large XLS files from network shares located on DFS and SAN environments. This seems to apply to both Excel 2003 and 2007, while 2010 gets let off. These large XLS files (both normal and XML embedded) open in a second (including branch cache) before the add-in is installed and take a worrying 10 minutes afterwards. The same file copied to the local client VM will open in a second again.

This is more or less admitted in KB2501584 under known issues: "Opening files from a network share that have many charts or points of data will take longer to open in Office 2003".

Microsoft have now updated the KB with a crazy fix under KB2570623 - great if you only look after, say, 5 machines, let alone 3000+.

If you did not test the releases beforehand, let me help you.

First, remove the update and decline it on your WSUS server. Search for KB2501584.

On single machines you can remove the update by navigating to Add or Remove Programs and uninstalling the Office File Validation Add-In update.

Or, my preferred way.

Edit the following registry key:

  1. Exit Excel.
  2. Click Start, click Run, type regedit, and then click OK.
  3. Locate and then click to select the following registry key:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\
  4. After you select the key that is specified in step 3, point to New on the Edit menu, and then click Key.
  5. Type Excel, and then press ENTER.
  6. Select Excel, point to New on the Edit menu, and then click Key.
  7. Type Security, and then press ENTER.
  8. Select Security, point to New on the Edit menu, and then click Key.
  9. Type FileValidation, and then press ENTER.
  10. Select FileValidation, point to New on the Edit menu, and then click DWORD Value.
  11. Type EnableOnLoad, and then press ENTER.

On larger enterprise domains, either create a new GPO to remove the update, use a new start-up script (the reg-key is read/write for domain users), or create an MSI uninstall script.

The uninstall string:

MsiExec.exe /X {90140000-2005-0000-0000-0000000FF1CE} /qn

The reg-key:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation]
"EnableOnLoad"=dword:00000000

Finally, push out the following GPO script.

CLASS USER

CATEGORY !!Office-fileremove
 KEYNAME "Software\Policies\Microsoft\Office\11.0\Excel\Security\FileValidation"
 POLICY !!KB2541025
  #if version >= 4
   SUPPORTED !!SUPPORTED_WindowsXPSP1
  #endif
  EXPLAIN !!KB2541025
  VALUENAME "EnableOnLoad"
  ; Policy Enabled  -> EnableOnLoad = 0, the same value as the reg-key above
  ; Policy Disabled -> EnableOnLoad = 1
  VALUEON  NUMERIC 0
  VALUEOFF NUMERIC 1
 END POLICY
END CATEGORY

[strings]
Office-fileremove="Removal of KB2541025"
KB2541025="Disable KB2541025 (Excel File Validation)"
SUPPORTED_WindowsXPSP1="Requires XP SP1 or higher"
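
The start-up script option mentioned above, sketched as a per-user PowerShell logon script; this is an added example, not code from the original post. It assumes the user can write under HKCU\Software\Policies, as the post states, and that Excel 2007 uses the same key under 12.0; the Report/Disable/Restore modes are this example's own.

```powershell
# Added example, not from the original post. Run per user (logon script).
param(
    [ValidateSet('Report', 'Disable', 'Restore')]
    [string]$Mode = 'Report'
)

# Product code copied from the uninstall string in the post.
$ProductCode = '{90140000-2005-0000-0000-0000000FF1CE}'
# 11.0 (Office 2003) is the key given in the post; 12.0 for Office 2007 is an assumption.
$OfficeVersions = '11.0', '12.0'

# Is the add-in still installed? Check its MSI entry (native and 32-bit-on-64-bit views).
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$installed = $false
foreach ($root in $uninstallRoots) {
    if (Test-Path -LiteralPath "$root\$ProductCode") { $installed = $true }
}

foreach ($ver in $OfficeVersions) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\Excel\Security\FileValidation"
    $existing = Get-ItemProperty -Path $key -Name EnableOnLoad -ErrorAction SilentlyContinue
    $writeError = $null
    try {
        if ($Mode -eq 'Disable') {
            # Creates Excel\Security\FileValidation if missing, then sets EnableOnLoad = 0.
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force -ErrorAction Stop | Out-Null
            }
            New-ItemProperty -Path $key -Name EnableOnLoad -PropertyType DWord `
                -Value 0 -Force -ErrorAction Stop | Out-Null
        }
        elseif ($Mode -eq 'Restore' -and $null -ne $existing) {
            # Removes the override so no per-user policy value is left behind.
            Remove-ItemProperty -Path $key -Name EnableOnLoad -ErrorAction Stop
        }
    }
    catch { $writeError = $_.Exception.Message }   # e.g. access denied on the Policies key

    # Read back what is actually in the registry so the result can be logged centrally.
    $now = Get-ItemProperty -Path $key -Name EnableOnLoad -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        User           = $env:USERNAME
        OfficeVersion  = $ver
        AddInInstalled = $installed
        EnableOnLoad   = $now.EnableOnLoad   # empty means the value is not set
        Error          = $writeError
    }
}
```

Running it with -Mode Report first shows which users already carry the override, and -Mode Restore removes it once a corrected add-in has been tested and deployed.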

 

Remember: test all patches, even important ones, before deployment.

Dan.


Reader Comments (4)

Hello, the reg patch worked fine. Thanks

July 18, 2011 | Unregistered Commenter G0blo

Thanks for the feedback! Glad the reg hack worked!

July 19, 2011 | Registered Commenter Dan Tinsley

Thanks, just had the issue on 500+ machines.
Uninstalled with msiexec

July 27, 2011 | Unregistered Commenter Frank

Hi Frank, glad it worked

August 3, 2011 | Registered Commenter Dan Tinsley
