Microsoft Announces New Office Security Tools

Yesterday, Microsoft Corp. announced the availability of its Microsoft Office Isolated Conversion Environment (MOICE), a feature it hopes will help put the kibosh on an increasingly common exploit vector –- the innocent-looking Office document with a malicious payload.

Microsoft also alerted users to the File Block functionality that's already built into Office 2007. File Block, like MOICE, can help minimize the danger posed by malicious Office files, Microsoft officials say.

MOICE uses Office 2007's built-in tools to convert Word, Excel and PowerPoint 2003 binary documents into the Office 2007 Open XML format.

Why is this important? For starters, Microsoft says, MOICE conversion doesn’t actually involve opening the document binary. In addition, MOICE conversions occur in an isolated environment, so even in cases where a document does have a malicious payload, it probably won’t be able to cause any harm, Microsoft says. "During the conversion of an unsafe file, MOICE will fail to convert the file, create a safe version of the file, or the converter itself will crash; the mere process of conversion and achieving one of three possible outcomes is what protects customers," Microsoft's advisory reads. "Additionally, the conversion process itself takes place in an isolated environment, so even if the unsafe Office file being converted contains exploit code it is extremely unlikely that exploit code would affect a user's system."

On the other hand, MOICE isn't a silver bullet for all Office users. In order to install it, customers must be running Office 2003 or Office 2007, as well as the Office 2007 Compatibility Pack for Word, Excel, and PowerPoint 2007.

Ditto for File Block. It's a feature that forces Excel 2003, PowerPoint 2003 and Word 2003, along with the Office 2007 variants of all three products, to check the FileOpenBlock subkey in the Registry before opening specific Office file types. If, for example, a user tries to open a file type that's on File Block's blacklist, Office will prevent it from opening; otherwise, the user can open it normally.

The File Block functionality ships as part of the 2007 Office System and can be configured by means of Microsoft's Office System Administrative Templates. The situation is a bit murkier in the case of Office 2003, if only because File Block didn’t ship natively with Office 2003. As a result, administrators must first install Microsoft’s May 8 security updates for Word, Excel, and PowerPoint and then make manual additions to the Windows Registry. Information about how and what to do in Word 2003 can be found here; ditto for Excel 2003, and PowerPoint 2003.

It might seem like a lot of effort, but Microsoft believes the combination of MOICE and File Block will help reduce both the prevalence and the severity of Office zero-day attacks. "When MOICE and File Block are used together they are an effective mitigation strategy for customers when the threat of attack using certain Office types exists. This enables customers to continue using Microsoft Office with a high degree of assurance that the files being opened are considered safe and will not infect users with malicious software," Microsoft’s advisory concludes.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.


comments powered by Disqus