I'm working out the reasonability of a request to keep all documents with executable code out of a document management system. This is above and beyond the existing protections restricting the file extensions to a short list and running the file by Norton AntiVirus before we save it.

So far .doc(x), .xls(x), and .htm are all common document types that I can't demand people to stop using and that can have executable code in them.

Does the technology exist to check common document types for the existence of executable code?

+1  A: 

PDF is one.

Kevin
+4  A: 

Unfortunately, this might be a losing game.

If you really want to completely restrict documents to ones that cannot contain executable code, you are probably better off compiling a list of allowable document types, instead of deniable document types. There will always be new file formats with executable code, and even new versions of old formats where they've added executable code (such as PDF, as mentioned by Kevin).

The only way to make this safe would be to compile a list of allowable formats, and maintain that over time.

Reed Copsey
+2  A: 

Note that security vulnerabilities in the viewer client program, such as buffer-overflow vulnerabilities, can be abused to cause executable code in a file format that does not normally have such a feature.

Cheekysoft
Yeah, that is *hugely* common.
Tom Hawtin - tackline
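
As an added example (not code from any of the posts above), here is one way to combine the allowlist approach from the second answer with a content check for the question's .docx, .xlsx and .htm types. The allowlist contents, the function names and the sample files are assumptions made for this sketch.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls container signature
ALLOWED = {".docx", ".xlsx", ".htm"}            # assumed allowlist for this sketch
# Deliberately conservative: may also flag harmless text that looks like an attribute.
HTML_ACTIVE = re.compile(rb"<\s*script|\son\w+\s*=|javascript\s*:", re.I)


def make_sample(parts: dict[str, bytes]) -> bytes:
    """Build a constructed (not real) OOXML-like zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def screen_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one uploaded file."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, "extension not on allowlist"
    if ext in (".docx", ".xlsx"):
        if data.startswith(OLE_MAGIC):
            return False, "legacy OLE file renamed to an OOXML extension"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return False, "not a valid OOXML (zip) container"
        if "[content_types].xml" not in names:
            return False, "zip without OOXML content types part"
        if any(n.endswith("vbaproject.bin") for n in names):
            return False, "VBA macro project present"
        if any("/embeddings/" in n or "/activex/" in n for n in names):
            return False, "embedded OLE object or ActiveX control present"
        return True, "no macro or embedded-object parts found"
    if HTML_ACTIVE.search(data):
        return False, "script, event handler or javascript: URL present"
    return True, "no active HTML content found"


if __name__ == "__main__":
    macro = make_sample({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\x00"})
    print(screen_upload("report.docx", macro))
    print(screen_upload("page.htm", b"<p>plain text</p>"))
```

The check does not cover every active feature of these formats, and it does nothing about the viewer vulnerabilities raised in the last answer, which can affect files that contain no macros or scripts at all.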