New MS tool isolates Office 2003 zero-day exploits

Microsoft plans to ship a file conversion tool to give Office 2003 users a chance to protect against exploits rigged into .doc, .xls, .ppt documents.
The tool, called MOICE (Microsoft Office Isolated Conversion Environment), is a direct response to the nonstop zero-day attacks that use rigged Word, Excel and PowerPoint documents to plant call-home Trojans on government and corporate networks.

Microsoft has already built new protection mechanisms into the Office 2007 software suite but customers running older versions of Office are at the highest risk.  The statistics are telling:  Since January 2006, Microsoft has shipped 20 bulletins covering code-execution holes in Office 2003.  Over that same period, only 2 bulletins were shipped for Office 2007.

Facing pressure from .gov and .mil customers, Microsoft is hoping MOICE can offer some temporary respite for users who have not yet upgraded to Office 2007.

The groundwork for MOICE has already been laid with the decision to ship a Group Policy update as a non-security update on Patch Tuesday. That update gives IT administrators granular control over which file types users can and cannot open, including the option to require that users open and save only files in the OpenXML format.

With MOICE, the plan is to give users a free tool that converts legacy Office 2003 files to the OpenXML format.

When installed on desktop machines and used in conjunction with the Group Policy settings, MOICE converts documents in the legacy binary formats (.doc, .xls, .ppt) to OpenXML, stripping out potentially harmful elements along the way.

The conversion runs in an isolated, low-privilege sandbox, so a document that crashes or compromises the converter is contained there rather than landing on the user's desktop.

"We recommend that organizations who are concerned about targeted file format attacks, and are interested in achieving the very highest levels of security consider deploying [the MOICE tool]," a Microsoft spokesman said.

The tool was supposed to ship this week but was delayed while Redmond cleans up some bugs related to non-English versions of Office 2003.

Microsoft's David LeBlanc explains the reasons for creating MOICE and the way the tool works:

MOICE takes advantage of an effect we noticed while working on Office 2007 – when we get MSRC cases in, we have to check to see whether it affects each version, including new code. One of the things we noticed is that when we converted an exploit document to the new Office 2007 'Metro' format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet.

Thus, if we could pre-process documents coming from untrusted sources from the older format to the new format, and then get an older version of Office to use its converter to read in the new file format, the customer is going to end up safer. The way that this works is to associate the old document format extensions with MOICE, which will then upconvert the file to the new format, and hand it off to the real registered app to read in the file that's in the new format.

The protections offered by MOICE do come with a performance downside, as LeBlanc explains:

In order to get all this, you'll need to download and install MOICE when it becomes available, and you'll need to set a policy that opts you into using it. There are some downsides – converting a file twice before you can open it adds a performance penalty. Whether it's something you'll notice depends on the size of the files – if you use it to pre-process résumés, you may not notice, but larger documents could take a noticeable amount of time. We're also stripping out things like macros and VBA projects – sure, it's a big app-compat hit, but this is a security feature.
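The gate and the sanitization check described above, as an added example that is not part of MOICE or of any Microsoft code: a Python script that classifies a file as a legacy OLE2 binary (which a MOICE-style setup would route through the sandboxed converter) or as an OpenXML package, and then verifies on the converter's actual output that no VBA project part survived, rather than trusting that the stripping happened. The OLE2 and ZIP signatures and the vbaProject.bin part name are standard format facts; the sample inputs are constructed inside the script and are not real documents.

```python
"""Triage Office files the way a MOICE-style gate would, and verify that a
converted OpenXML package no longer carries a VBA project.

Added example for this article; not MOICE's own code. It relies only on
format facts: legacy .doc/.xls/.ppt files are OLE2 compound documents,
OpenXML files are ZIP packages, and VBA travels as a vbaProject.bin part.
"""
import io
import zipfile

# OLE2 / Compound File Binary signature (legacy .doc, .xls, .ppt).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# ZIP local file header; OpenXML .docx/.xlsx/.pptx are ZIP packages.
# Assumption: the package starts with a local header (no self-extractor stub).
ZIP_MAGIC = b"PK\x03\x04"

MACRO_PART_SUFFIX = "vbaproject.bin"


def classify(data: bytes) -> str:
    """Return 'legacy', 'openxml-clean', 'openxml-macro' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "legacy"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            # word/, xl/ and ppt/ all store the VBA project under this name.
            if any(n.lower().endswith(MACRO_PART_SUFFIX) for n in names):
                return "openxml-macro"
            # Belt and braces: a macro-enabled package also declares the
            # VBA content type in [Content_Types].xml.
            for n in names:
                if n.lower() == "[content_types].xml":
                    if b"vbaproject" in pkg.read(n).lower():
                        return "openxml-macro"
    except zipfile.BadZipFile:
        # A ZIP signature on something that is not a valid package is
        # exactly the kind of input a converter should never see unsandboxed.
        return "unknown"
    return "openxml-clean"


def must_convert(data: bytes) -> bool:
    """MOICE-style gate: only legacy binaries go through the sandboxed converter."""
    return classify(data) == "legacy"


def conversion_output_ok(converted: bytes) -> bool:
    """Post-conversion check: accept only a macro-free OpenXML package."""
    return classify(converted) == "openxml-clean"


def _build_package(parts: dict) -> bytes:
    """Build a minimal ZIP package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a fake legacy header, a clean docx-like package,
# a docm-like package carrying VBA, a truncated ZIP and a non-Office blob.
SAMPLE_LEGACY = OLE2_MAGIC + b"\x00" * 504
SAMPLE_CLEAN = _build_package({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})
SAMPLE_MACRO = _build_package({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00\x01\x02",
})
SAMPLE_TRUNCATED = ZIP_MAGIC + b"\x00" * 10
SAMPLE_UNKNOWN = b"not an office file"

if __name__ == "__main__":
    for label, blob in [("legacy", SAMPLE_LEGACY), ("clean", SAMPLE_CLEAN),
                        ("macro", SAMPLE_MACRO), ("truncated", SAMPLE_TRUNCATED),
                        ("unknown", SAMPLE_UNKNOWN)]:
        print(f"{label:10s} -> {classify(blob):14s} "
              f"convert={must_convert(blob)} output_ok={conversion_output_ok(blob)}")
```

In a deployment the gate would sit where MOICE sits (the handler registered for .doc/.xls/.ppt), and the output check would run on the converter's result before the file is handed to the registered application; anything other than a macro-free OpenXML package is refused rather than opened.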

Talkback

  • Strips out macros and VBA???

    Talk about making something useless.
    No_Ax_to_Grind
    • "Talk about making something useless."

      MS excels at that though. What a completely asinine way to secure MS's interoperability induced vulnerabilities.

      The real question involves this: how many people stupid enough to open Office files from untrusted sources will have the fore-thought and proclivity to download both the "MOICE" thing as well as the file converters for Office 2007 to 2003?

      I imagine that it won't be many...
      jacarter3
    • Oh, I'm sorry, somebody actually USES VBA?! (nt)

      nt = no text
      CobraA1
      • Only a few million times a day. (nt)

        But then, even you knew that...
        No_Ax_to_Grind
        • You're an exception, not the rule

          Yeah, but you're a techie, so you're pretty much the exception, not the rule. The average Joe probably never touches VBA.
          CobraA1
          • Maybe, but I build

            add-ins for other users. (Corporate)
            No_Ax_to_Grind
    • Might as well save it as ODF then. :-D

      This is just another version of their "This document contains macros that might be dangerous..." routine. I'm sure everyone would just love to have their document converted up to a version that can't be read by Office 2000 and no longer contains their calculation macros.

      But at least it's secure...
      Robert Crocker
    • Maybe ...

      Maybe we can finally rid the enterprise of those time wasting souls who have to make every petty e-mail a VB experience.
      Too Old For IT
  • Kludgy is better than nothing, I guess

    Our MS rep said he hadn't heard of the Office zero-day vulnerability issues, but luckily MS must have. Now if they can just refine this solution so it's easier to implement.
    ejhonda
    • Refine the solution?

      Um yeah! They'd better! Cuz if the converter crashes, it's nothing more than another new attack vector!!
      Techboy_z
      • Explain that statement

        How does a crash of the application running in a sand box open an attack vector? I mean you made the statement, so explain it and show us your evidence that it happens with the convertor.
        No_Ax_to_Grind
        • Hmmm...

          How many "sandboxes" in the history of any OS/platform have proven completely secure over time? 0. They help, but are not perfect. That's all I'm saying. And anytime you can induce a crash, at whatever level, it's not good for that dynamic. Especially once you find a way to predictably produce the crash. I don't have an example, nor do I need to - the MOICE peeps have cited that as one of 3 outcomes, as quoted in the article.
          Techboy_z
          • Well, you have me, Java is certainly full of holes.

            But crashing it is rarely (don't know of it ever happening) the cause.
            No_Ax_to_Grind
  • "The statistics are telling"

    "Since January 2006, Microsoft has shipped 20 bulletins covering code-execution holes in Office 2003. Over that same period, only 2 bulletins were shipped for Office 2007."

    What statistical relevance does this have? Office 2007 has been deployed only a few months of the 15 months your "statistics" refer to.

    No actuary or statistician that I know of would infer anything from that useless statement. Undoubtedly, Office 2007 has a lot of vulnerabilities and flaws. We have only seen the "low hanging fruit" plucked by MS Office 2007 advisories at this point in time.
    jacarter3
  • Crash means unexpected abort

    If the sandbox crashes then it means that something has corrupted the environment that creates and maintains the sandbox. This would mean that there is some potential for other unplanned actions at that point.

    (Not saying that it's very likely, but it is theoretically possible.)

    Frankly I think your first point about losing all the macros makes the whole "solution" a non-starter for the work environment anyway.
    Robert Crocker
    • Huge misunderstanding

      [i]If the sandbox crashes than it means that something has corrupted the environment that creates and maintains the sandbox.[/i]

      There is a huge difference between the sandbox crashing and an application crashing within the sandbox. What makes you believe that the converter crashing within the sandbox will immediately crash the sandbox itself?

      [i]Frankly I think your first point about losing all the macros makes the whole "solution" a non-starter for the work environment anyway.[/i]

      If you use this tool for [b]all[/b] Office docs then yes, I would agree. However, it would make a lot of sense to me to use a tool like this for all "untrusted" Office docs (downloaded or email attachments) while forgoing this for Office docs that live on your corporate shared drives. Is it a perfect solution? Obviously not but I would bet that the [b]vast[/b] majority of rigged Office docs come in as attachments and aren't the ones that are already sitting on your network drives.
      NonZealot
      • Is "If" a little hard to parse?

        I said "If the sandbox crashes" not "if the application crashes inside the sandbox". This was actually a reply to No_Ax about how there could be an exploit against a program running in a sandbox. I hit the wrong reply button and of course fell out of the thread.

        I'm sure the idea of only using this on "untrusted" documents is wonderful but what happens when that corporate machine gets a virus at home and then infects all the .DOC files at work later?
        Robert Crocker
        • "If" should be something reasonable

          I guess no one can say, with 100% certainty, that it would be [b]impossible[/b] to create a Word doc that causes the converter to crash in such a way that it caused a buffer overflow in the sandbox which then caused harmful code of the malware author's choice to run. Highly unlikely at best. Let me construct something similar:
          [i]If someone could create an SMTP message that caused a chrooted postfix daemon to crash in such a way that it caused a buffer overflow in the chroot code that also took advantage of a privilege escalation vulnerability to install a rootkit on your *nix server, then chroot is completely useless![/i]

          I used the word "If" so I'm okay, right?

          [i]what happens when that corporate machine gets a virus at home and then infects all the .DOC files at work later?[/i]

          Oh, now its my turn! Is "not the perfect solution" a little hard to parse? From my post:
          [i]Is it a perfect solution? Obviously not but I would bet that the vast majority of rigged Office docs come in as attachments and aren't the ones that are already sitting on your network drives.[/i]

          While you are right and such a scenario could potentially occur, can you actually point to a real exploit that is currently working this way? Most exploits that use the malformed Office document attack the victim as an email attachment. If this tool can protect the user against 100% of current exploits and 99.9999% of future exploits, isn't this a good thing?
          NonZealot
  • Just like Microsoft to let one product suck to promote another

    Nobody here has seen the light yet...

    This "trick" will get hordes of people to convert their Office files.

    Easy to control the "fear, uncertainty, and doubt" when you purposefully make insecure products.

    Now, the insecurity of pre-ODF format files shows its true colors. Get 'em to change.

    I look forward to the day, not far off in the future, when MS becomes irrelevant.
    aboulley