TREA

Anti-virus security information in an extensible markup language document

Follow

Information

  • Patent Grant
  • 7509573
  • Patent Number
    7,509,573
  • Date Filed
    Tuesday, February 17, 2004
    20 years ago
  • Date Issued
    Tuesday, March 24, 2009
    15 years ago
Information
Abstract
Methods and systems are provided for allowing software applications capable of reading and saving Extensible Markup Language (XML) representations of documents to quickly and efficiently detect the presence of executable code contained in a given document being read or saved by the software applications. Examples of executable code include, but are not limited to macros, VBA macros, OLE code, OCX or ActiveX controls, embedded executable objects, and the like.
Description
COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the United States Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.


FIELD OF THE INVENTION

The present invention relates generally to providing information in an Extensible Markup Language (XML) document for alerting a consuming or parsing application of the presence of executable code embedded in the document.


BACKGROUND OF THE INVENTION

Computer software applications allow users to create a variety of documents to assist them in work, education, and leisure. For example, popular word processing applications allow users to create letters, articles, books, memoranda, and the like. Spreadsheet applications allow users to store, manipulate, print, and display a variety of alphanumeric data. Such applications have a number of well-known strengths including rich editing, formatting, printing, calculation, and on-line and off-line editing.


Unfortunately for users, documents received by users may contain unnecessary or unwanted executable code embedded in the document. For example, a possible problem for computer and computer software users is receiving a document containing a “virus” in the form of an embedded executable code that executes when the user opens the document or performs some action in the document and which may cause harm to the user's document or to the user's computer software applications or computer hardware, or result in otherwise undesirable behavior. In word processor documents represented using an Extensible Markup Language (XML)-based file format, executable code can be located in various places, and finding such executable code in a fast and efficient manner becomes challenging. Due to its flexibility, XML has the ability to represent the same data in a virtually infinite number of ways. Accordingly, XML data representing executable code embedded in a document may be defined or represented in a number of different ways which makes locating the executable code difficult and time consuming. For example, XML supports the ability to encode text so that characters do not appear in their literal form, but which must be converted according to certain rules or according to an entity definition possibly existing elsewhere in the file. The definition for converting the coded text itself possibly refers to other components or entities with individual definitions existing in yet other places within the file or even existing in locations remote from the document or file.


Additionally, executable code may be placed almost anywhere in the XML file provided that it follows the rules associated with the XML structure of the file. This means that in order to find the executable code, a parsing or consuming application must first parse all the elements of the file prior to the embedded executable code. Ultimately, such a process may find the executable code within the XML formatted file, but the performance of the process is very slow, if not unacceptable, in environments where speed is critical, particularly in the case of virus checking prior to application or document startup, for example when the file is processed by an email server or an Internet gateway.


It is with respect to these and other considerations that the present invention has been made.


SUMMARY OF THE INVENTION

Embodiments of the present invention solve the above and other problems by providing methods and systems for allowing software applications capable of reading and saving Extensible Markup Language (XML) representations of documents to quickly and efficiently detect the presence of executable code contained in a given document being read or saved by the software applications. Examples of executable code include, but are not limited to macros, VBA macros, OLE code, OCX or ActiveX controls, embedded executable objects, and the like.


According to aspects of the invention, one or more attributes are output on the root element of the XML structure applied to a given XML document. The attributes serve as flags indicating the presence of different kinds of executable code so that a parsing software application searching for executable code may either reject the document or continue parsing the document. The attributes also serve as flags for enabling an application supporting a given XML-based file format to reject executable code found in a document upon opening the document if flags notifying the application of the presence of the executable code are not present.


These and other features, advantages, and aspects of the present invention may be more clearly understood and appreciated from a review of the following detailed description of the disclosed embodiments and by reference to the appended drawings and claims.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a simplified block diagram of a computing system and associated peripherals and network devices that provide an exemplary operating environment for the present invention.



FIG. 2 is a simplified block diagram illustrating interaction between software objects according to an object-oriented programming model.



FIG. 3 is a block diagram illustrating interaction between a document, an attached schema file, and a schema validation functionality model.



FIG. 4 is a block diagram illustrating interaction between a parsing application and an XML document for identifying embedded executable code contained in the document according to embodiments of the present invention.





DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Embodiments of the present invention are directed to methods and systems for allowing software applications capable of reading and saving Extensible Markup Language (XML) representations of documents to quickly and efficiently detect the presence of executable code contained in a given document being read or saved by the software applications. In the following detailed description, references are made to the accompanying drawings that form a part hereof, and in which are shown by way of illustrations specific embodiments or examples. These embodiments may be combined, other embodiments may be utilized, and structural changes may be made without departing from the spirit or scope of the present invention. The following detailed description is therefore not to be taken in a limiting senses and the scope of the present invention is defined by the appended claims and their equivalents.


Referring now to the drawings, in which like numerals represent like elements through the several figures, aspects of the present invention and the exemplary operating environment will be described. FIG. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. While the invention will be described in the general context of program modules that execute in conjunction with an application program that runs on an operating system on a personal computer, those skilled in the art will recognize that the invention may also be implemented in combination with other program modules.


Generally, program modules include routines, programs, components, data structures, and other types of structures that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multiprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.


Turning now to FIG. 1, illustrative computer architecture for a personal computer 2 for practicing the various embodiments of the invention will be described. The computer architecture shown in FIG. 1 illustrates a conventional personal computer, including a central processing unit 4 (“CPU”), a system memory 6, including a random access memory 8 (“RAM”) and a read-only memory (“ROM”) 10, and a system bus 12 that couples the memory to the CPU 4. A basic input/output system containing the basic routines that help to transfer information between elements within the computer, such as during startup, is stored in the ROM 10. The personal computer 2 further includes a mass storage device 14 for storing an operating system 16, application programs, such as the application program 305, and data.


The mass storage device 14 is connected to the CPU 4 through a mass storage controller (not shown) connected to the bus 12. The mass storage device 14 and its associated computer-readable media, provide non-volatile storage for the personal computer 2. Although the description of computer-readable media contained herein refers to a mass storage device, such as a hard disk or CD-ROM drive, it should be appreciated by those skilled in the art that computer-readable media can be any available media that can be accessed by the personal computer 2.


By way of example, and not limitation, computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EPROM, EEPROM, flash memory or other solid state memory technology, CD-ROM, DVD, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.


According to various embodiments of the invention, the personal computer 2 may operate in a networked environment using logical connections to remote computers through a TCP/IP network 18, such as the Internet. The personal computer 2 may connect to the TCP/IP network 18 through a network interface unit 20 connected to the bus 12. It should be appreciated that the network interface unit 20 may also be utilized to connect to other types of networks and remote computer systems. The personal computer 2 may also include an input/output controller 22 for receiving and processing input from a number of devices, including a keyboard or mouse (not shown). Similarly, an input/output controller 22 may provide output to a display screen, a printer, or other type of output device.


As mentioned briefly above, a number of program modules and data files may be stored in the mass storage device 14 and RAM 8 of the personal computer 2, including an operating system 16 suitable for controlling the operation of a networked personal computer, such as the WINDOWS XP operating system from MICROSOFT CORPORATION of Redmond, Wash. The mass storage device 14 and RAM 8 may also store one or more application programs. In particular, the mass storage device 14 and RAM 8 may store an application program 305 for creating and editing an electronic document 310. For instance, the application program 305 may comprise a word processing application program, a spreadsheet application, a contact application, and the like. Application programs for creating and editing other types of electronic documents may also be used with the various embodiments of the present invention. A schema file 330 and a namespace/schema library 400, described below, are also shown.


Exemplary embodiments of the present invention are implemented by communications between different software objects in an object-oriented programming environment. For purposes of the following description of embodiments of the present invention, it is useful to briefly to describe components of an object-oriented programming environment. FIG. 2 is a simplified block diagram illustrating interaction between software objects according to an object-oriented programming model. According to an object-oriented programming environment, a first object 210 may include software code, executable methods, properties, and parameters. Similarly, a second object 220 may also include software code, executable methods, properties, and parameters.


A first object 210 may communicate with a second object 220 to obtain information or functionality from the second object 220 by calling the second object 220 via a message call 230. As is well know to those skilled in the art of object-oriented programming environment, the first object 210 may communicate with the second object 220 via application programming interfaces (API) that allow two disparate software objects 210, 220 to communicate with each other in order to obtain information and functionality from each other. For example, if the first object 210 requires the functionality provided by a method contained in the second object 220, the first object 210 may pass a message call 230 to the second object 220 in which the first object identifies the required method and in which the first object passes any required parameters to the second object required by the second object for operating the identified method. Once the second object 220 receives the call from the first object, the second object executes the called method based on the provided parameters and sends a return message 250 containing a value obtained from the executed method back to the first object 210.


For example, in terms of embodiments of the present invention, and as will be described below, a first object 210 may be a third party customized application that passes a message to a second object such as an Extensible Markup Language schema validation object whereby the first object identifies a method requiring the validation of a specified XML element in a document where the specified XML element is a parameter passed by the first object with the identified method. Upon receipt of the call from the first object, according to this example, the schema validation object executes the identified method on the specified XML element and returns a message to the first object in the form of a result or value associated with the validated XML element. Operation of object-oriented programming environments, as briefly described above, are well known to those skilled in the art.


As described below, embodiments of the present invention are implemented through the interaction of software objects in the use, customization, and application of components of the Extensible Markup Language (XML). FIG. 3 is a block diagram illustrating interaction between a document, an attached schema file, and a schema validation functionality module. As is well known to those skilled in the art, the Extensible Markup Language (XML) provides a method of describing text and data in a document by allowing a user to create tag names that are applied to text or data in a document that in turn define the text or data to which associated tags are applied. For example referring to FIG. 3, the document 310 created with the application 305 contains text that has been marked up with XML tags 315, 320, 325. For example, the text “Greetings” is annotated with the XML tag <title>. The text “My name is Sarah” is annotated with the <body> tag. According to XML, the creator of the <title> and <body> tags is free to create her own tags for describing the data to which those tags will be applied. Then, so long as any downstream consuming application or computing machine is provided instructions as to the definition of the tags applied to the text, that application or computing machine may utilize the data in accordance with the tags. For example, if a downstream application has been programmed to extract text defined as titles of articles or publications processed by that application, the application may parse the document 310 and extract the text “Greetings,” as illustrated in FIG. 3 because that text is annotated with the tag <title>. The creator of the particular XML tag naming for the document 310, illustrated in FIG. 3, provides useful description for text or data contained in the document 310 that may be utilized by third parties so long as those third parties are provided with the definitions associated with tags applied to the text or data.


According to embodiments of the present invention, the text and XML markup entered into the document 310 may be saved according to a variety of different file formats and according to the native programming language of the application 305 with which the document 310 is created. For example, the text and XML markup may be saved according to a word processing application, a spreadsheet application, and the like. Alternatively, the text and XML markup entered into the document 310 may be saved as an XML format whereby the text or data, any applied XML markup, and any formatting such as font, style, paragraph structure, etc. may be saved as an XML representation. Accordingly, downstream or third party applications capable of understanding data saved as XML may open and consume the text or data thus saved as an XML representation. For a detailed discussion of saving text and XML markup and associated formatting and other attributes of a document 310 as XML, see U.S. patent application entitled “Word Processing Document Stored in a Single XML File that may be Manipulated by Applications that Understanding XML,” U.S. Ser. No. 10/187,060, filed Jun. 28, 2002, which is incorporated herein by reference as if fully set out herein. An exemplary schema in accordance with the present invention is disclosed beginning on page 11 in an application entitled “Mixed Content Flexibility,” Ser. No. 10/726,077, filed Dec. 2, 2003, which is hereby incorporated by reference in its entirety.


In order to provide a definitional framework for XML markup elements (tags) applied to text or data, as illustrated in FIG. 3, XML schema files are created which contain information necessary for allowing users and consumers of marked up and stored data to understand the XML tagging definitions designed by the creator of the document. Each schema file also referred to in the art as a Namespace or XSD file preferably includes a listing of all XML elements (tags) that may be applied to a document according to a given schema file. For example, a schema file 330, illustrated in FIG. 3, may be a schema file containing definitions of certain XML elements that may be applied to a document 310 including attributes of XML elements or limitations and/or rules associated with text or data that may be annotated with XML elements according to the schema file. For example, referring to the schema file 330 illustrated in FIG. 3, the schema file is identified by the Namespace “intro” the schema file includes a root element of <intro card>.


According to the schema file 330, the <intro card> element serves as a root element for the schema file and also as a parent element to two child elements <title> and <body>. As is well known to those skilled in the art, a number of parent elements may be defined under a single root element, and a number of child elements may be defined under each parent element. Typically, however, a given schema file 330 contains only one root element. Referring still to FIG. 3, the schema file 330 also contains attributes 340 and 345 to the <title> and <body> elements, respectfully. The attributes 340 and 345 may provide further definition or rules associated with applying the respective elements to text or data in the document 310. For example, the attribute 345 defines that text annotated with the <title> element must be less than or equal to twenty-five characters in length. Accordingly, if text exceeding twenty-five characters in length is annotated with the <title> element or tag, the attempted annotation of that text will be invalid according to the definitions contained in the schema file 330.


By applying such definitions or rules as attributes to XML elements, the creator of the schema may dictate the structure of data contained in a document associated with a given schema file. For example, if the creator of a schema file 330 for defining XML markup applied to a resume document desires that the experience section of the resume document contain no more than four present or previous job entries, the creator of the schema file 330 may define an attribute of an <experience> element, for example, to allow that no more than four present or past job entries may be entered between the <experience> tags in order for the experience text to be valid according to the schema file 330. As is well known to those skilled in the art, the schema file 330 may be attached to or otherwise associated with a given document 310 for application of allowable XML markup defined in the attached schema file to the document 310. According to one embodiment, the document 310 marked up with XML elements of the attached or associated schema file 330 may point to the attached or associated schema file by pointing to a uniform resource identifier (URI) associated with a Namespace identifying the attached or associated schema file 330.


According to embodiments of the present invention, a document 310 may have a plurality of attached schema files. That is, a creator of the document 310 may associate or attach more than one schema file 330 to the document 310 in order to provide a framework for the annotation of XML markup from more than one schema file. For example, a document 310 may contain text or data associated with financial data. A creator of the document 310 may wish to associate XML schema files 330 containing XML markup and definitions associated with multiple financial institutions. Accordingly, the creator of the document 310 may associate an XML schema file 330 from one or more financial institutions with the document 310. Likewise, a given XML schema file 330 may be associated with a particular document structure such as a template for placing financial data into a desirable format.


According to embodiments of the present invention, a collection of XML schema files and associated document solutions may be maintained in a Namespace or schema library located separately from the document 310. The document 310 may in turn contain pointers to URIs in the Namespace or schema library associated with the one or more schema files attached to otherwise associated with the document 310. As the document 310 requires information from one or more associated schema files, the document 310 points to the Namespace or schema library to obtain the required schema definitions. For a detailed description of the use of an operation of Namespace or schema libraries, see U.S. patent application entitled “System and Method for Providing Namespace Related Information,” U.S. Ser. No. 10/184,190, filed Jun. 27, 2002, and U.S. patent application entitled “System and Method for Obtaining and Using Namespace Related Information for Opening XML Documents,” U.S. Ser. No. 10/185,940, filed Jun. 27, 2002, both U.S. patent applications of which are incorporated herein by reference as if fully set out herein. For a detailed description of a mechanism for downloading software components such as XML schema files and associated solutions from a Namespace or schema library, see US patent application entitled Mechanism for Downloading Software Components from a Remote Source for Use by a Local Software Application, U.S. Ser. No. 10/164,260, filed Jun. 5, 2002.


Referring still to FIG. 3, a schema validation functionality module 350 is illustrated for validating XML markup applied to a document 310 against an XML schema file 330 attached to or otherwise associated with the document 310, as described above. As described above, the schema file 330 sets out acceptable XML elements and associated attributes and defines rules for the valid annotation of the document 310 with XML markup from an associated schema file 330. For example, as shown in the schema file 330, two child elements <title> and <body> are defined under the root or parent element <intro card>. Attributes 340, 345 defining the acceptable string length of text associated with the child elements <title> and <body> are also illustrated. As described above, if a user attempts to annotate the document 310 with XML markup from a schema file 330 attached to or associated with the document in violation of the XML markup definitions contained in the schema file 330, an invalidity or error state will be presented. For example, if the user attempts to enter a title string exceeding twenty-five characters, that text entry will violate the maximum character length attribute of the <title> element of the schema file 330. In order to validate XML markup applied to a document 310, against an associated schema file 330, a schema validation module 350 is utilized. As should be understood by those skilled in the art, the schema validation module 350 is a software module including computer executable instructions sufficient for comparing XML markup and associated text entered in to a document 310 against an associated or attached XML schema file 330 as the XML markup and associated text is entered in to the document 310.


According to embodiments of the present invention, the schema validation module 350 compares each XML markup element and associated text or data applied to the document 310 against the attached or associated schema file 330 to determine whether each element and associated text or data complies with the rules and definitions set out by the attached schema file 330. For example, if a user attempts to enter a character string exceeding twenty-five characters annotated by the <title> elements 320, the schema validation module will compare that text string against the text string attribute 340 of the attached schema file 330 and determine that the text string entered by the user exceeds the maximum allowable text string length. Accordingly, an error message or dialogue will be presented to the user to alert the user that the text string being entered by the user exceeds the maximum allowable character length according to the attached schema file 330. Likewise, if the user attempts to add an XML markup element between the <title> and the <body> elements, the schema validation module 350 will determine that the XML markup element applied by the user is not a valid element allowed between the <title> and <body> elements according to the attached schema file 330. Accordingly, the schema validation module 350 will generate an error message or dialogue to the user to alert the user of the invalid XML markup.


Anti-Virus Security Information in XML Documents


As briefly described above, embodiments of the present invention are directed to methods and systems for allowing software applications capable of reading and saving Extensible Markup Language representations of documents to quickly and efficiently detect the presence of executable code contained in a given document being read or saved by the software applications. As should be appreciated by those skilled in the art, it is commonplace to receive a document in which an unwanted piece of executable code in the form of a virus or other undesirable object or property has been placed for doing harm or creating undesirable results to the user's document or to the user's software or computer. Examples of executable code include, but are not limited to macros, VBA macros, OLE Code, OCX controls or Active X controls, embedded executable objects, and the like. According to embodiments of the present invention, one or more attributes are output on the root element of an Extensible Markup Language (XML) structure applied to a given XML document These attributes serve as flags for indicating the presence of different kinds of executable code so that a parsing application searching for executable code may either reject the document or continuing parsing the document. The attributes also serve as flags for enabling an application supporting a given XML document to reject executable code found in a document upon opening the document if flags notifying the application of the presence of the executable code are not present. As described below, embodiments of the present invention are useful for detecting the presence of executable code upon saving an XML document and upon reading an XML document.



FIG. 4 is a block diagram illustrating interaction between a parsing application and an XML-formatted document for identifying embedded executable code contained in the document according to embodiments of the present invention. As illustrated in FIG. 4, a document 400 includes a title, two paragraphs and an embedded executable code object 440. An XML structure for the document 400 is shown in an XML structure pane 420. As shown in the XML structure, a root element 425 is illustrated and an executable code attribute 430 is illustrated associated with the root element 425. It should be appreciated, that the XML structure illustrated in FIG. 4 is not meant to include well-formed XML structure, but is intended for purposes of illustration only. Also illustrated in FIG. 4 is a parsing application 410 which may be any software application such as a word processing application, spreadsheet application, and the like capable of parsing and understanding the XML structure and related text or data applied to the document 400.


According to embodiments of the present invention, when saving a document as XML, the application 410 outputs a root level element 425 in order for the XML document 400 to be a well-formed XML document. On that root level element 425, the application 410 writes zero or more attributes for serving as flags indicating the presence or lack thereof of executable code embedded in the document 400. According to embodiments of the present invention, depending on the presence and kinds of executable code embedded in a given document 400, zero or more of the following attributes may be written to the root level element 425 as illustrated by the executable code attribute 430 shown in FIG. 4.


Attribute name: macrosPresent






    • Description: An attribute indicating the presence of VBA code or toolbar customizations in the document. It must be written out by the saving application whenever the document contains VBA or toolbar code. It is optional if no such code exists.

    • Possible values: “yes” means there is an element containing VBA code or toolbar customizations in the file. If the application reaches a certain point beyond which this element is not allowed to appear and it has not appeared so far, the application may treat the document as corrupt. “no”, or any other value—means there is no VBA or toolbar code in the file. If such code is found by the application upon further parsing, the application ignores that code or treats the file as corrupt.

    • Default value: This attribute is optional. If the macrosPresent attribute is missing, then it is assumed to be set to no


      Attribute name: embeddedObjPresent

    • Description: An attribute indicating the presence of one or more embedded OLE objects. If one or more OLE objects are present in the document, the application must output this attribute setting. If no OLE objects are present, the application may write out this attribute.

    • Possible values: “yes” means there is at least one element containing OLE object information in the file. If the application reaches a certain point beyond which this element is not allowed to appear and it has not appeared so far, the application may treat the document as corrupt. “no”, or any other value means there are no OLE objects in the file. If OLE objects are found by the application upon further parsing, the application must either ignore that code or treat the file as corrupt.

    • Default value: This attribute is optional. If the embeddedObjPresent attribute is missing, then it is assumed to be set to no


      Attribute name: ocxPresent

    • Description: This attribute indicates possible presence of OCX objects in the content of the file. If there are OCX controls in the file, the application must write out this attribute. If there are none, then the application may write out this attributes.

    • Possible values: “yes” means there may be at least one element containing OCX object information in the file. “no”, or any other value means there are no OCX objects in the file. If OCX objects are found by the application upon further parsing, the application must either ignore that code or treat the file as corrupt.

    • Default value: This attribute is optional. If the ocxPresent attribute is missing, then it is assumed to be set to “no”.


      Below is a usage example of these attributes in a word processor application XML document, this example indicates that there is VBA code, at least one embedded object, but not OCX controls.





<?xml version=“1.0” encoding=“UTF-8” standalone=“yes” ?>


<?mso-application progid=“Word.Document”?>


<w:wordDocument

    • xmlns:w=“http://schemas.microsoft.com/office/word/2003/wordml”
    • w:macrosPresent=“yes”
    • w:embeddedObjPresent=“yes”
    • w:ocxPresent=“no”


>

    • . . .


</w:wordDocument>


As described herein, methods and systems of the present invention allow for the application of attributes to the root level element of an XML structured document for notifying a parsing application of the presence of embedded executable code in a document being parsed by the parsing application. It will be apparent to those skilled in the art that various modifications or variations may be made in the present invention without departing from the scope or spirit of the invention. Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the inventions disclosed herein.

Claims
  • 1. A method, implemented at least in part by a computing apparatus, of detecting executable code embedded in an Extensible Markup Language (XML) document, comprising: applying Extensible Markup Language (XML) markup to a computer-generated document;locating executable code embedded in the document; andapplying an attribute to a root level element of the XML markup for notifying a subsequent application of the presence of the embedded executable code;wherein the attribute comprises a flag that detects the presence of the embedded executable code in the XML document, wherein the embedded executable code comprises at least one of an undesirable object and a property, and wherein the flag enables the subsequent application to reject the embedded executable code within the XML document when the XML markup is being parsed by the subsequent application in searching for the presence of the attribute indicating the presence of the embedded executable code in the document.
  • 2. The method of claim 1, further comprising: passing the document to the subsequent application.
  • 3. The method of claim 2, whereby if the attribute is located by the subsequent application, rejecting the document as corrupted by the embedded executable code.
  • 4. The method of claim 2, whereby if the attribute is located, determining whether the embedded executable code associated with the attribute requires rejection of the document, and if not, continuing to parse the XML markup of the document by the subsequent application.
  • 5. The method of claim 2, whereby if the attribute is not present, then rejecting the executable code.
  • 6. The method of claim 2, whereby the attribute is a macros present attribute for indicating the presence of VBA code in the document.
  • 7. The method of claim 6, whereby the macros present attribute has a value of “yes” where an XML markup element is in the document containing the VBA code.
  • 8. The method of claim 7, whereby the macros present attribute has a value of “no” indicating that no XML element is in the file containing the VBA code.
  • 9. The method of claim 2, whereby the attribute is an embedded object present attribute indicating the presence of one or more OLE objects in the document.
  • 10. The method of claim 9, whereby the embedded object present attribute has a value of “yes” indicating the presence of at least one XML element in the document containing data associated with an OLE object.
  • 11. The method of claim 10, whereby the embedded object present attribute has a value of “no” indicating that there are no XML elements in the file containing data associated with an OLE object.
  • 12. The method of claim 2, whereby the attribute is an OCX present attribute indicating the presence of OCX objects in the document.
  • 13. The method of claim 12, whereby the OCX present object has a value of “yes” indicating that the presence of at least one XML element in the document containing data associated with an OCX object.
  • 14. The method of claim 13, whereby the OCX present object has a value of “no” indicating that there are no XML elements in the document containing data associated with an OCX object.
  • 15. A system for detecting executable code embedded in an Extensible Markup Language (XML) document, comprising: a memory storage; anda processing unit coupled to the memory storage, wherein the processing unit is operative to:apply Extensible Markup Language (XML) markup to a computer-generated document;locate an executable code embedded in the document;apply an attribute to a root level element of the XML markup for notifying a subsequent application of the presence of the embedded executable code;pass the document to the subsequent application;parse the XML markup by the subsequent application to locate the attribute applied to the root level element of the XML markup applied to the document; andif the attribute is located by the subsequent application, reject the document as corrupted by the embedded executable code;wherein the attribute comprises a flag that detects the presence of the embedded executable code in the document, wherein the embedded executable code comprises at least one of an undesirable object and a property, and wherein the flag enables the subsequent application to reject the document as corrupted by the embedded executable code when the XML markup is being parsed.
  • 16. The system of claim 15, whereby if the embedded executable code associated with the attribute does not require rejection of the document, continuing to parse the XML markup of the document by the subsequent application.
  • 17. The system of claim 15, whereby parsing the XML markup by the subsequent application includes: determining by the subsequent application whether the attribute is present for notifying the subsequent application of the presence of the executable code; andif the attribute is not present, then rejecting the executable code.
  • 18. A computer-readable medium on which is stored instructions which when executed by a computer perform a method of detecting executable code embedded in an Extensible Markup Language (XML) document, comprising: applying Extensible Markup Language (XML) markup to a computer-generated document;locating an executable code embedded in the document;applying an attribute to a root level element of the XML markup for notifying a subsequent application of the presence of the embedded executable code;passing the document to the subsequent application;parsing the XML markup by the subsequent application to locate the attribute applied to the root level element of the XML markup applied to the document; andif the attribute is located by the subsequent application, rejecting the document as corrupted by the embedded executable code, wherein the attribute comprises a flag that detects the presence of the embedded executable code in the XML document, wherein the embedded executable code comprises a virus, and wherein the flag enables the subsequent application to reject the embedded executable code within the XML document when the XML markup is being parsed by the subsequent application in searching for the presence of the attribute indicating the presence of the embedded executable code in the document.
US Referenced Citations (201)
Number Name Date Kind
4674065 Lange et al. Jun 1987 A
4868750 Kucera et al. Sep 1989 A
5020019 Ogawa May 1991 A
5128865 Sadler Jul 1992 A
5159552 van Gasteren et al. Oct 1992 A
5267155 Buchanan et al. Nov 1993 A
5317546 Balch et al. May 1994 A
5337233 Hofert et al. Aug 1994 A
5341293 Vertelney et al. Aug 1994 A
5351190 Kondo Sep 1994 A
5392386 Chalas Feb 1995 A
5446891 Kaplan et al. Aug 1995 A
5541836 Church et al. Jul 1996 A
5596700 Darnell et al. Jan 1997 A
5617565 Augenbraun et al. Apr 1997 A
5625783 Ezekiel et al. Apr 1997 A
5627958 Potts et al. May 1997 A
5634019 Koppolu et al. May 1997 A
5640560 Smith Jun 1997 A
5657259 Davis et al. Aug 1997 A
5708825 Sotomayor Jan 1998 A
5717923 Dedrick Feb 1998 A
5752022 Chiu et al. May 1998 A
5761689 Rayson et al. Jun 1998 A
5781189 Hollcran et al. Jul 1998 A
5781904 Oren et al. Jul 1998 A
5794257 Liu et al. Aug 1998 A
5802253 Gross et al. Sep 1998 A
5802262 Van De Vanter Sep 1998 A
5802299 Logan et al. Sep 1998 A
5802530 van Hoff Sep 1998 A
5805911 Miller Sep 1998 A
5809318 Rivette et al. Sep 1998 A
5815830 Anthony Sep 1998 A
5818447 Wolf et al. Oct 1998 A
5821931 Berquist et al. Oct 1998 A
5822539 van Hoff Oct 1998 A
5826025 Gramlich Oct 1998 A
5845077 Fawcett Dec 1998 A
5855007 Jovicic et al. Dec 1998 A
5859636 Pandit Jan 1999 A
5872973 Mitchell et al. Feb 1999 A
5875443 Nielsen Feb 1999 A
5892919 Nielsen Apr 1999 A
5893073 Kasso et al. Apr 1999 A
5895461 De La Huerga et al. Apr 1999 A
5896321 Miller et al. Apr 1999 A
5900004 Gipson May 1999 A
5913214 Madnick et al. Jun 1999 A
5920859 Li Jul 1999 A
5924099 Guzak et al. Jul 1999 A
5933498 Schneck et al. Aug 1999 A
5946647 Miller et al. Aug 1999 A
5948061 Merriman et al. Sep 1999 A
5956681 Yamakita Sep 1999 A
5974413 Beauregard et al. Oct 1999 A
5995756 Hermann Nov 1999 A
6006265 Rangan et al. Dec 1999 A
6006279 Hayes Dec 1999 A
6014616 Kim Jan 2000 A
6028605 Conrad et al. Feb 2000 A
6052531 Waldin et al. Apr 2000 A
6061516 Yoshikawa et al. May 2000 A
6067087 Krauss et al. May 2000 A
6085201 Tso Jul 2000 A
6092074 Rodkin et al. Jul 2000 A
6108674 Murakami et al. Aug 2000 A
6112209 Gusack Aug 2000 A
6121968 Arcuri et al. Sep 2000 A
6122647 Horowitz et al. Sep 2000 A
6126306 Ando Oct 2000 A
6137911 Zhilyaev Oct 2000 A
6141005 Hetherington et al. Oct 2000 A
6151643 Cheng et al. Nov 2000 A
6154738 Call Nov 2000 A
6167568 Gandel et al. Dec 2000 A
6173316 De Boor et al. Jan 2001 B1
6182029 Friedman Jan 2001 B1
6185550 Snow et al. Feb 2001 B1
6185576 McIntosh Feb 2001 B1
6199046 Heinzle et al. Mar 2001 B1
6199081 Meyerzon et al. Mar 2001 B1
6219698 Iannucci et al. Apr 2001 B1
6262728 Alexander Jul 2001 B1
6272074 Winner Aug 2001 B1
6272505 De La Huerga Aug 2001 B1
6292768 Chan Sep 2001 B1
6295061 Park et al. Sep 2001 B1
6308171 De La Huerga Oct 2001 B1
6311177 Dauerer et al. Oct 2001 B1
6311194 Sheth et al. Oct 2001 B1
6323853 Hedloy Nov 2001 B1
6336125 Noda et al. Jan 2002 B2
6336131 Wolfe et al. Jan 2002 B1
6338059 Fields et al. Jan 2002 B1
6347398 Parthasarathy et al. Feb 2002 B1
6349295 Tedesco et al. Feb 2002 B1
6353926 Parthesarathy et al. Mar 2002 B1
6424979 Livingston et al. Jul 2002 B1
6434567 De La Huerga Aug 2002 B1
6438545 Beauregard et al. Aug 2002 B1
6477510 Johnson Nov 2002 B1
6480860 Monday Nov 2002 B1
6493006 Gourdol et al. Dec 2002 B1
6516321 De La Huerga Feb 2003 B1
6519603 Bays et al. Feb 2003 B1
6546433 Matheson Apr 2003 B1
6556984 Zien Apr 2003 B1
6571241 Nosohara May 2003 B1
6618733 White et al. Sep 2003 B1
6623527 Hamzy Sep 2003 B1
6625581 Perkowski Sep 2003 B1
6629079 Spiegel et al. Sep 2003 B1
6631519 Nicholson et al. Oct 2003 B1
6636880 Bera Oct 2003 B1
6658623 Schilit et al. Dec 2003 B1
6687485 Hopkins et al. Feb 2004 B2
6697824 Bowman-Amuah Feb 2004 B1
6708189 Fitzsimons et al. Mar 2004 B1
6715144 Daynes et al. Mar 2004 B2
6717593 Jennings Apr 2004 B1
6718516 Claussen et al. Apr 2004 B1
6728679 Strubbe et al. Apr 2004 B1
6732090 Shanahan et al. May 2004 B2
6732361 Andreoli et al. May 2004 B1
6745208 Berg et al. Jun 2004 B2
6795808 Strubbe et al. Sep 2004 B1
6826726 Hsing et al. Nov 2004 B2
6868625 Szabo Mar 2005 B2
6873988 Herrmann et al. Mar 2005 B2
6874143 Murray et al. Mar 2005 B1
6880129 Lee et al. Apr 2005 B1
6883137 Girardot et al. Apr 2005 B1
6925457 Britton et al. Aug 2005 B2
6925470 Sangudi et al. Aug 2005 B1
6948133 Haley Sep 2005 B2
6950866 Lowry et al. Sep 2005 B1
7013483 Cohen et al. Mar 2006 B2
20010029605 Forbes et al. Oct 2001 A1
20010041328 Fisher Nov 2001 A1
20010056461 Kampe et al. Dec 2001 A1
20020004803 Serebrennikov Jan 2002 A1
20020007309 Reynar Jan 2002 A1
20020026450 Kuramochi Feb 2002 A1
20020029304 Reynar et al. Mar 2002 A1
20020035581 Reynar et al. Mar 2002 A1
20020065110 Enns et al. May 2002 A1
20020065891 Malik May 2002 A1
20020066073 Lienhard et al. May 2002 A1
20020078222 Compas et al. Jun 2002 A1
20020091803 Imamura et al. Jul 2002 A1
20020100036 Moshir et al. Jul 2002 A1
20020103829 Manning et al. Aug 2002 A1
20020104080 Woodard et al. Aug 2002 A1
20020120685 Srivastava et al. Aug 2002 A1
20020129107 Loughran et al. Sep 2002 A1
20020133523 Ambler et al. Sep 2002 A1
20020149601 Rajarajan et al. Oct 2002 A1
20020156792 Gombocz et al. Oct 2002 A1
20020178008 Reynar Nov 2002 A1
20020178182 Wang et al. Nov 2002 A1
20020184247 Jokela et al. Dec 2002 A1
20020188941 Cicciarelli et al. Dec 2002 A1
20020196281 Audleman et al. Dec 2002 A1
20020198909 Huynh et al. Dec 2002 A1
20030002391 Biggs Jan 2003 A1
20030005411 Gerken Jan 2003 A1
20030009489 Griffin Jan 2003 A1
20030025728 Ebbo et al. Feb 2003 A1
20030051236 Pace et al. Mar 2003 A1
20030056207 Fischer et al. Mar 2003 A1
20030081791 Erickson et al. May 2003 A1
20030084138 Tavis et al. May 2003 A1
20030097318 Yu et al. May 2003 A1
20030101204 Watson May 2003 A1
20030101416 McInnes et al. May 2003 A1
20030106040 Rubin et al. Jun 2003 A1
20030121033 Peev et al. Jun 2003 A1
20030126136 Omoigui Jul 2003 A1
20030140308 Murthy et al. Jul 2003 A1
20030154144 Pokomy et al. Aug 2003 A1
20030158841 Britton et al. Aug 2003 A1
20030158851 Britton et al. Aug 2003 A1
20030172343 Leymaster et al. Sep 2003 A1
20030192040 Vaughan Oct 2003 A1
20030212527 Moore et al. Nov 2003 A1
20030220795 Araysantiparb et al. Nov 2003 A1
20030229593 Raley et al. Dec 2003 A1
20030233330 Raley et al. Dec 2003 A1
20040003389 Reynar et al. Jan 2004 A1
20040006741 Radja et al. Jan 2004 A1
20040165007 Shafron Aug 2004 A1
20040199861 Lucovsky Oct 2004 A1
20040226031 Zimmerman et al. Nov 2004 A1
20040236717 Demartini et al. Nov 2004 A1
20050027992 Wallman Feb 2005 A1
20050050164 Burd et al. Mar 2005 A1
20050055330 Britton et al. Mar 2005 A1
20050091251 Ramarao Apr 2005 A1
20050120313 Rudd et al. Jun 2005 A1
20050187926 Britton et al. Aug 2005 A1
Foreign Referenced Citations (14)
Number Date Country
0481784 Apr 1992 EP
0598511 May 1994 EP
0810520 Dec 1998 EP
1093058 Apr 2001 EP
1280068 Jan 2003 EP
1361523 Nov 2003 EP
1376392 Jan 2004 EP
WO 9507510 Mar 1995 WO
WO 9917240 Apr 1999 WO
WO 0118687 Mar 2001 WO
WO 0137170 May 2001 WO
WO 01186390 Nov 2001 WO
WO 02099627 Jan 2002 WO
WO 0215518 Feb 2002 WO