Confusion and Imperfection

By Larry Seltzer | Posted 2007-05-23

There has been some confusion over the use of the term "binary" for the old file formats, which are sometimes known to programmers as OLE 2 Structured Storage, in that they store streams of OLE2 objects. These files are "binary" in the sense that you can't load them into a text editor and read them easily, but Open XML isn't all that easy to read by humans just because you can load it into a text editor. First, the small .DOC file I just saved as a .DOCX has 12 files in it in six subdirectories (Open XML files are actually ZIP archives of directories of XML files). And the XML in them often describes binary data, just in a very verbose way.
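To make the "ZIP archive of directories of XML files" point concrete, here is an added example (not code from the article or from MOICE) that builds a minimal, constructed .docx-style package in memory, counts its parts and subdirectories, flags any part that is not XML text (such as the OLE2 blob a macro-enabled document carries in word/vbaProject.bin), and rewrites the package without those parts, a simplified stand-in for the macro stripping the article later attributes to conversion. The part names are assumed from the usual Word layout.

```python
# Added example: walk an Open XML package as a ZIP of XML parts. Not the
# article's or MOICE's code; the part names below are a constructed layout.
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 structured-storage header

def build_sample_package(with_vba: bool = False) -> bytes:
    """Construct a minimal fake .docx-style package in memory (constructed sample)."""
    parts = {
        "[Content_Types].xml": b'<?xml version="1.0"?><Types/>',
        "_rels/.rels": b'<?xml version="1.0"?><Relationships/>',
        "word/document.xml": b'<?xml version="1.0"?><w:document/>',
        "word/_rels/document.xml.rels": b'<?xml version="1.0"?><Relationships/>',
        "docProps/core.xml": b'<?xml version="1.0"?><cp:coreProperties/>',
    }
    if with_vba:
        # A macro-enabled package carries its VBA project as an opaque OLE2 blob,
        # the kind of part the text says MOICE strips out (fake blob: header only).
        parts["word/vbaProject.bin"] = OLE2_MAGIC + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

def inspect_package(data: bytes) -> dict:
    """Summarise parts, directories, and any part that is not XML text."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        binary = [n for n in names if not zf.read(n).lstrip().startswith(b"<")]
    dirs = {n.rsplit("/", 1)[0] for n in names if "/" in n}
    return {
        "parts": len(names),
        "directories": len(dirs),
        "binary_parts": sorted(binary),
        "has_vba": "word/vbaProject.bin" in names,
    }

def strip_binary_parts(data: bytes) -> bytes:
    """Rewrite the package keeping only XML parts: a simplification of the
    macro-stripping effect the article attributes to conversion, not MOICE."""
    drop = set(inspect_package(data)["binary_parts"])
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name not in drop:
                dst.writestr(name, src.read(name))
    return out.getvalue()
```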


Therefore, there are certainly potential attacks that MOICE does not address: For instance, it's certainly possible that there are Open XML document parsing errors that could be exploitable, and perhaps it's possible to write a .DOC file that translates through MOICE to a file which would exploit Word 7.

Sure, it could happen. But it doesn't seem to happen in the real world. As MOICE's author, David LeBlanc, put it in his blog:
MOICE takes advantage of an effect we noticed while working on Office 2007—when we get MSRC [Microsoft Security Response Center] cases in, we have to check to see whether it affects each version, including new code. One of the things we noticed is that when we converted an exploit document to the new Office 2007 Metro format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet.
LeBlanc goes on to explain why the exploits don't convert, which is not surprising since they often rely on tricks related to specific file format details in OLE2 structured storage.

As good as it can possibly be, MOICE can't be a complete solution for Office malware. For one thing, it strips out macros and VBA projects, and some companies rely on them. Such companies either need to move on completely to Office 7 formats or use additional security options and take their chances with the old formats. MOICE also imposes a performance penalty, perhaps trivial, perhaps significant, depending on the files.

Wilcox is not alone in missing the point. I've had two vendors ask my opinion of MOICE, with their questions implying that they didn't get the point of it. But the point is simple, and it addresses one of the most significant problems in malware today. I'm not sure they're trying to do this at all, but Microsoft could attempt to put some malware detection into MOICE and either flag suspicious structures in the input files or refuse to convert them. Perhaps security vendors find this threatening to their businesses. I have a hard time sympathizing. It's users' interests that matter most, and MOICE is a pointed effort at addressing those concerns.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
