Confusion and Imperfection
There has been some confusion over the use of the term "binary" for the old file formats, which are sometimes known to programmers as OLE 2 Structured Storage, in that they store streams of OLE2 objects. These files are "binary" in the sense that you can't load them into a text editor and read them easily, but Open XML isn't all that easy for humans to read just because you can load it into a text editor. First, the small .DOC file I just saved as a .DOCX has 12 files in it in six subdirectories (Open XML files are actually ZIP archives of directories of XML files). And the XML in them often describes binary data, just in a very verbose way.

Sure, it could happen. But it doesn't seem to happen in the real world. As MOICE's author, David LeBlanc, put it in his blog:
Therefore, there are certainly potential attacks that MOICE does not address: For instance, it's certainly possible that there are Open XML document parsing errors that could be exploitable, and perhaps it's possible to write a .DOC file that translates through MOICE to a file which would exploit Word 7.

MOICE takes advantage of an effect we noticed while working on Office 2007: when we get MSRC [Microsoft Security Response Center] cases in, we have to check to see whether it affects each version, including new code. One of the things we noticed is that when we converted an exploit document to the new Office 2007 Metro format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet.

LeBlanc goes on to explain why the exploits don't convert, which is not surprising since they often rely on tricks related to specific file format details in OLE2 structured storage.

As good as it can possibly be, MOICE can't be a complete solution for Office malware. For one thing, it strips out macros and VBA projects, and some companies rely on them. Such companies either need to move on completely to Office 7 formats or use additional security options and take their chances with the old formats. MOICE also imposes a performance penalty, perhaps trivial, perhaps significant, depending on the files.

Wilcox is not alone in missing the point. I've had two vendors ask my opinion of MOICE, with their questions implying that they didn't get the point of it. But the point is simple, and it addresses one of the most significant problems in malware today. I'm not sure they're trying to do this at all, but Microsoft could attempt to put some malware detection into MOICE and either flag suspicious structures in the input files or refuse to convert them. Perhaps security vendors find this threatening to their businesses. I have a hard time sympathizing. It's users' interests that matter most, and MOICE is a pointed effort at addressing those concerns.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.com's for the latest security news, reviews and analysis.
And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog, Cheap Hack.
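The two points the column makes about the format, that an Open XML document is a ZIP archive of directories of XML parts and that binary data (such as the VBA project MOICE strips out) still lives inside it, can be checked directly. The following is an added example, not code from the column or from Microsoft; it builds a constructed, minimal package in memory rather than a real Word file, then inventories its parts and flags any VBA project part by its OLE2 signature.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file signature


def build_sample_package(with_vba: bool) -> bytes:
    """Constructed minimal Open XML package (not a real Word file): XML parts
    laid out the way a .docx stores them, optionally plus a VBA project part."""
    parts = {
        "[Content_Types].xml": b"<Types/>",
        "_rels/.rels": b"<Relationships/>",
        "word/document.xml": b"<w:document/>",
        "word/styles.xml": b"<w:styles/>",
        "word/_rels/document.xml.rels": b"<Relationships/>",
        "docProps/core.xml": b"<cp:coreProperties/>",
    }
    if with_vba:
        # A macro-enabled package stores its VBA project as an OLE2 container:
        # binary data living inside the "text" format.
        parts["word/vbaProject.bin"] = OLE2_MAGIC + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def inventory(package: bytes) -> dict:
    """Inventory an Open XML package: how many parts and directories it holds,
    and whether a VBA project part (what MOICE strips) is present and is an
    OLE2 blob rather than XML."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        dirs = {n.rsplit("/", 1)[0] for n in names if "/" in n}
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        ole2 = [n for n in vba if zf.read(n).startswith(OLE2_MAGIC)]
    return {
        "parts": len(names),
        "directories": sorted(dirs),
        "vba_parts": vba,
        "ole2_vba_parts": ole2,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(inventory(build_sample_package(with_vba=flag)))
```

Run against a real .docx or .docm, `inventory` reports the same kind of part and directory count the column mentions, and a non-empty `ole2_vba_parts` is the macro payload a MOICE conversion would drop.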