Beware OneNote .one files as virus carriers

Recent investigations have revealed some worrying truths about the risks of opening OneNote notebooks. There is also a surprising fact about .one files, some bad news and some good news.

Criminals are increasingly sending out nasty OneNote .one files in emails, taking advantage of another Microsoft security ‘blind spot’.

OneNote Embedded File Abuse from Nicholas Dhaeyer at NVISO Labs has a fairly technical explanation of the risks of OneNote .one files.

In short, be careful with .one OneNote files sent to you by email or any other means. Treat them with suspicion and be wary of any links or tricks designed to make you click on something on a OneNote page.

Embedded programs in OneNote

OneNote .one files can include programs or code that can be run directly from OneNote by clicking on the wrong place or link.

It’s possible to show an image with a hidden malicious link hiding behind it. Click on the image and the nasty code will run.

Source: NVISO Labs

All manner of code can be run: executable programs, PowerShell scripts, DOS batch files, JavaScript or HTML.

In nerd speak, the embedded content is launched through one of these programs: ‘cmd.exe’, ‘powershell.exe’, ‘pwsh.exe’, ‘wscript.exe’, ‘cscript.exe’, ‘mshta.exe’ or ‘hh.exe’.

The bad news

OneNote doesn’t appear to warn about executable content in the same way that other Office apps warn or block documents with macros. Why?

It seems that Microsoft, for all its talk about security, hasn’t done anything about the risks of OneNote embedded programs or scripts.

There’s a place for embedded programs in OneNote, though it’s rarely used. A warning or a block on embedded programs should be available.

Good news … so far

The good news is that, so far, Microsoft’s checks for malicious files are detecting the majority of these nasty OneNote .one files.

Nicholas Dhaeyer did some tests. Of 207 malicious OneNote files, Microsoft let only one through to an Inbox. That’s pretty good, but clearly there’s work to be done and all users need to beware.

How long will that last?  Hackers will quickly develop ways to hide their nasties from automated security scans.

Surprising fact about .one files

While reading some of the OneNote analysis, it was surprising to learn that .one files are NOT compressed.

Word, Excel and PowerPoint files have been compressed in their .docx, .xlsx and .pptx forms since 2007. They are really ZIP files in disguise.

OneNote was first released in 2003 (it turns 20 years old this November), yet its core file format hasn’t been updated to make it more secure or to use less disk space and bandwidth.

We’re overdue for modern .onex and .onem file formats that are smaller and that block embedded programs by default (.onex) or allow them (.onem), just like the other Office formats.
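As an added example (not code from this article or from NVISO Labs), the Python script below ties the two technical points together for a defender: a .docx is really a ZIP archive, while a .one file is raw, uncompressed bytes in which every embedded file is bracketed by fixed header and footer GUIDs. Those GUIDs and the object layout are taken from Microsoft’s public MS-ONE file-format specification; the script-host names are the ones listed earlier in the article. The sample notebook and sample .docx are constructed inside the script, so it runs offline, and nothing it finds is ever executed.

```python
"""Added example (not from the article or NVISO Labs): triage an Office
attachment without opening it.  GUID constants and the embedded-file layout
come from Microsoft's public MS-ONE specification; sample files are constructed."""
import io
import struct
import uuid
import zipfile

# File-type GUID at offset 0 of every .one file, and the header/footer GUIDs
# around each FileDataStoreObject (an embedded file), per MS-ONE.  Because
# .one files are not compressed, all three appear verbatim in the raw bytes.
ONE_FILE_MAGIC = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FILEDATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILEDATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
FILEDATA_DATA_OFFSET = 16 + 8 + 4 + 8   # guidHeader, cbLength, unused, reserved

# Script hosts named in the article: an embedded text file that mentions one
# of them is meant to be launched, not read.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "hh.exe")


def container_type(data: bytes) -> str:
    """Tell a modern Office ZIP container from a raw OneNote notebook."""
    if data.startswith(ONE_FILE_MAGIC):
        return "onenote"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "ooxml-zip"          # .docx/.xlsx/.pptx are ZIP archives
    return "unknown"


def classify_payload(payload: bytes) -> str:
    """Magic-byte and keyword triage of one embedded payload (never executed)."""
    if payload.startswith(b"MZ"):
        return "pe-executable"
    if payload.startswith(b"PK\x03\x04"):
        return "zip-archive"
    if payload.startswith(b"%PDF"):
        return "pdf"
    if payload.startswith((b"\x89PNG", b"\xff\xd8\xff", b"GIF8")):
        return "image"
    try:
        text = payload.decode("utf-8").lower()
    except UnicodeDecodeError:
        return "binary"
    if any(host in text for host in SCRIPT_HOSTS) or \
            text.lstrip().startswith(("@echo", "<script", "<html", "<hta:")):
        return "script"
    return "text"


def carve_embedded_files(data: bytes) -> list:
    """Return (payload_offset, declared_length, verdict) for each embedded file.
    An object whose declared length runs past the end of the file is reported
    as suspicious rather than silently skipped."""
    results = []
    pos = data.find(FILEDATA_HEADER)
    while pos != -1:
        if pos + FILEDATA_DATA_OFFSET > len(data):
            results.append((pos, None, "truncated-header"))
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)   # cbLength
        start = pos + FILEDATA_DATA_OFFSET
        end = start + length
        if end > len(data):
            results.append((start, length, "truncated-or-bad-length"))
            break
        results.append((start, length, classify_payload(data[start:end])))
        pos = data.find(FILEDATA_HEADER, end)
    return results


def triage(data: bytes) -> dict:
    """One-call summary suitable for a mail-gateway or sandbox pre-filter."""
    kind = container_type(data)
    embedded = carve_embedded_files(data) if kind == "onenote" else []
    risky_verdicts = ("pe-executable", "script", "truncated-or-bad-length")
    return {"container": kind, "embedded": embedded,
            "risky": any(v in risky_verdicts for _, _, v in embedded)}


# --- constructed samples (not real malware) ---------------------------------
def _file_data_object(payload: bytes) -> bytes:
    """Wrap a payload in one FileDataStoreObject, following the MS-ONE layout."""
    return (FILEDATA_HEADER + struct.pack("<Q", len(payload))
            + b"\x00" * 4 + b"\x00" * 8 + payload + FILEDATA_FOOTER)


SAMPLE_NOTEBOOK = (ONE_FILE_MAGIC + b"\x00" * 48
                   + _file_data_object(b"MZ\x90\x00" + b"\x00" * 28)
                   + _file_data_object(b"@echo off\r\necho constructed batch file\r\n")
                   + _file_data_object(b"\x89PNG\r\n\x1a\n"))

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:
    _z.writestr("[Content_Types].xml", "<Types/>")   # minimal OOXML-style ZIP
SAMPLE_DOCX = _buf.getvalue()

if __name__ == "__main__":
    print(triage(SAMPLE_DOCX))
    print(triage(SAMPLE_NOTEBOOK))
```

Because the notebook is uncompressed, the whole check is a linear scan over the raw bytes with no OneNote library required, which is why it is cheap enough to run at a mail gateway. The same property is what makes an oversized `cbLength` worth flagging: a declared length that runs past the end of the file is a malformed object, and malformed objects deserve a closer look rather than a skip.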