"(B)asically what MOICE does is it hijacks the file associations in the registry and redirects them to a process called 'MOICE.EXE'. This process basically spawns the Office 2007 file format converter to up-convert the double-clicked Office 2003 document to the new Open XML file format. Oh and the converter runs in its own desktop with a super-locked down token (Dave is the freaking man!). Why run the converter in its own desktop with a super restricted token? Simple - what if the act of converting the file leads to an exploitable bug and / or code execution. This is effectively dropping the rights of the logged on user to *below* standard user levels in order to do the file conversion. Anyhoo - after the file is up-converted to the new Office 2007 file format - the theory is that the vulnerability will have been 'wrung' out (indeed the code name for this project was 'Wringer')."

Back story: Office remains a big hacker target -- something of which Microsoft is quite aware. As Hensing blogged:

"(I)t's no secret that Office was used in some targeted attacks last year . . . some attacks involving 0-day vulnerabilities for which our customers had no way of protecting themselves (short of not opening documents). Had MOICE been available these customers could have deployed it to mitigate these attacks."

Additional info: The National Security Agency published a fact sheet on Wringer, as well as a Wringer deployment guide.

Got a Microsoft code name you’ve been wondering about? Send it my way. All submitters will be kept confidential.

Meanwhile, if you want to keep track of the full month’s worth of Microsoft code names I end up posting, bookmark this “Microsoft Codenames” page.
posted by Mary Jo Foley
August 29, 2008 @ 10:05 am