
May 10th, 2007

New MS tool isolates Office 2003 zero-day exploits

Posted by Ryan Naraine @ 7:12 am

Categories: Botnets, Browsers, Data theft, Digital rights management, Exploit code, Hackers, Metasploit, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spyware and Adware, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Microsoft Office 2007, Microsoft Office, Microsoft Office 2003, Microsoft Corp., Tool, Ryan Naraine

Microsoft plans to ship a file conversion tool to give Office 2003 users a chance to protect against exploits rigged into .doc, .xls and .ppt documents.

The tool, called MOICE (Microsoft Office Isolated Conversion Environment), is a direct response to the nonstop zero-day attacks that use rigged Word, Excel and PowerPoint documents to plant call-home Trojans on government and corporate networks.

Microsoft has already built new protection mechanisms into the Office 2007 software suite but customers running older versions of Office are at the highest risk.  The statistics are telling:  Since January 2006, Microsoft has shipped 20 bulletins covering code-execution holes in Office 2003.  Over that same period, only 2 bulletins were shipped for Office 2007.

Facing pressure from .gov and .mil customers, Microsoft is hoping MOICE can offer some temporary respite for users who have not yet upgraded to Office 2007.

The groundwork for MOICE has already been laid with the decision to ship an update to Group Policy as a non-security update during Patch Tuesday.  The Group Policy update gives IT administrators granular control over which types of files users can and cannot access, specifically requiring that they open and save only files that are in the OpenXML format.

With MOICE, the plan is to give users a free tool to allow Office 2003 files to be converted to an OpenXML format. 

When installed on desktop machines and used in conjunction with Group Policy settings, MOICE initiates a process that converts documents in legacy (.doc) formats to OpenXML formats, stripping out elements that could pose a security risk.

The conversion process takes place in a safe, quarantined sandbox environment, so the user's computer is fully protected.  
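The routing decision described above (legacy binary formats go through conversion, OpenXML is opened directly) depends on identifying a file by its content rather than its extension. The sketch below is an added example, not MOICE code or anything published by Microsoft: it classifies a file as a legacy OLE2 container or an OpenXML ZIP package and flags packages that carry a VBA project. The function names, the `ACTIONS` policy table and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                       # OpenXML packages are ZIP archives

# Hypothetical routing policy for this example, keyed by detected content type.
ACTIONS = {
    "legacy-binary": "convert-in-isolation",
    "openxml": "open",
    "openxml-with-vba": "block",
    "unknown": "block",
}


def classify(data: bytes) -> str:
    """Classify an Office file by its content, ignoring the file extension."""
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    if "[Content_Types].xml" not in names:
        return "unknown"  # a ZIP archive, but not an OpenXML package
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "openxml-with-vba"
    return "openxml"


def route(data: bytes) -> str:
    """Map the detected content type to the example policy action."""
    return ACTIONS[classify(data)]


def sample_package(extra_parts=()) -> bytes:
    """Build a constructed, minimal OpenXML-like package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        for name in extra_parts:
            pkg.writestr(name, b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    legacy = OLE2_MAGIC + b"\x00" * 504  # constructed header-only sample
    for label, blob in [("legacy", legacy), ("docx", sample_package()),
                        ("docm", sample_package(["word/vbaProject.bin"]))]:
        print(label, classify(blob), route(blob))
```

Checking the magic bytes rather than the extension matters because a renamed file keeps its original container format.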

"We recommend that organizations who are concerned about targeted file format attacks, and are interested in achieving the very highest levels of security consider deploying [the MOICE tool]," a Microsoft spokesman said.

The tool was supposed to ship this week but was delayed while Redmond cleans up some bugs related to non-English versions of Office 2003.

Microsoft's David LeBlanc explains the reasons for creating MOICE and the way the tool works:

MOICE takes advantage of an effect we noticed while working on Office 2007 – when we get MSRC cases in, we have to check to see whether it affects each version, including new code. One of the things we noticed is that when we converted an exploit document to the new Office 2007 'Metro' format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet.

Thus, if we could pre-process documents coming from untrusted sources from the older format to the new format, and then get an older version of Office to use its converter to read in the new file format, the customer is going to end up safer. The way that this works is to associate the old document format extensions with MOICE, which will then upconvert the file to the new format, and hand it off to the real registered app to read in the file that's in the new format.

The protection offered by MOICE does come with a performance downside.

In order to get all this, you'll need to download and install MOICE when it becomes available, and you'll need to set a policy that opts you into using it. There are some downsides – converting a file twice before you can open it adds a performance penalty. Whether it's something you'll notice depends on the size of the files – if you use it to pre-process resumes, you may not notice, but larger documents could take a noticeable amount of time. We're also stripping out things like macros and VBA projects – sure, it's a big app-compat hit, but this is a security feature.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

