If you havent been under a rock for the last couple of years, then you know that a major problem has developed with numerous exploits of subtle vulnerabilities in the old, pre-2007 Microsoft Office file formats. The usual scenario is that we find out about them after a “targeted attack,” probably an attempt to compromise a single company.
As Ive written just a few months ago, the problem of the old Office file formats is perhaps the biggest security challenge for Microsoft. Even if Office 2007 and its new formats are a real solution, it will take years before adoption of the new version is dominant.
Thats why MOICE (Microsoft Office Isolated Conversion Environment) is such a good idea, and why Im perplexed at the failure of some people to get the point of it. Our own Joe Wilcox expressed incredulity at every claim for it recently in his blog.
If you need a terse and clear explanation of what MOICE does, read MS Knowledge Base article 935865 (where you can also download MOICE):
In other words, instead of having the Office applications directly open the files in the old formats, they use a separate program to open the files and convert them to the new Open XML format, and then Office opens that file.
What does this accomplish? It prevents Office-based malware authors from using the old formats to attack Office users. The MOICE program that does the actual conversion needs and runs with very few privileges. It only needs read and write access to the directory in which it operates. It doesnt need permission to execute external programs, for example, so if an attacker were to write a Word document that compromised MOICE, then there isnt much they could do with it. This is why the term “sandbox” has been used.
Its easy to presume that Microsoft has ulterior motives for MOICE, and perhaps they even consciously see it as a way of promoting the use of Open XML, or at least of making users feel more at ease with it. So what? This is objectionable only of youre trying to oppose Microsoft for the sake of opposing Microsoft, and it doesnt dispute the obvious security benefits of MOICE. And just in case theres any confusion about this, MOICE does not require the user to run Office 2007 at all; along with the Office 2007 format support for Office 2003, its a solution for Office 2003 users.
Next page: Confusion and Imperfection
Confusion and Imperfection
There has been some confusion over the use of the term “binary” for the old file formats, which are sometimes known to programmers as OLE 2 Structured Storage, in that they store streams of OLE2 objects. These files are “binary” in the sense that you cant load them into a text editor and read them easily, but Open XML isnt all that easy to read by humans just because you can load it into a text editor. First, the small .DOC file I just saved as a .DOCX has 12 files in it in six subdirectories (Open XML files are actually ZIP archives of directories of XML files). And the XML in them often describes binary data, just in a very verbose way.
Therefore, there are certainly potential attacks that MOICE does not address: For instance, its certainly possible that there are Open XML document parsing errors that could be exploitable, and perhaps its possible to write a .DOC file that translates through MOICE to a file which would exploit Word 7.
Sure, it could happen. But it doesnt seem to happen in the real world. As MOICEs author, David LeBlanc, put it in his blog:
LeBlanc goes on to explain why the exploits dont convert, which is not surprising since they often rely on tricks related to specific file format details in OLE2 structured storage.
As good as it can possibly be, MOICE cant be a complete solution for Office malware. For one thing, it strips out macros and VBA projects, and some companies rely on them. Such companies either need to move on completely to Office 7 formats or use additional security options and take their chances with the old formats. MOICE also imposes a performance penalty, perhaps trivial, perhaps significant, depending on the files.
Wilcox is not alone in missing the point. Ive had two vendors ask my opinion of MOICE, with their questions implying that they didnt get the point of it. But the point is simple, and it addresses one of the most significant problems in malware today. Im not sure theyre trying to do this at all, but Microsoft could attempt to put some malware detection into MOICE and either flag suspicious structures in the input files or refuse to convert them. Perhaps security vendors find this threatening to their businesses. I have a hard time sympathizing. Its users interests that matter most, and MOICE is a pointed effort at addressing those concerns.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer