Wednesday, September 19, 2007 8:39 AM cmosby

SANS Internet Storm Center - MOICE - Microsoft Office Isolated Conversion Environment

 

MOICE - Microsoft Office Isolated Conversion Environment

Published: 2007-09-18,
Last Updated: 2007-09-18 23:28:24 UTC
by Jason Lam (Version: 1)

Tomorrow is the release day of Office 2003 SP3. Just before another round of service pack installs, we would like to re-introduce our readers to one of the preventive components released by Microsoft called MOICE (Microsoft Office Isolated Conversion Environment). What's so great about it? MOICE is like an intrusion prevention system for Microsoft Office 2003.

We all know that the Microsoft's secure development lifecycle is getting better and better, Office 2007 file parsing code is a lot better than the Office 2003 parsing code. Based on this fact, MOICE tool converts the Office 2003 (and below) document to the new Open XML format and then converts back to the legacy binary format before the document gets actually processed. While it might sounds like a whole lot more work, these extra steps provide extra validation that would protect the Office instance from many of the file parsing exploit from working.

To provide even more protection, the whole conversion process happens in an isolated desktop environment and is run with a low privilege account to protect the user even if the converter itself become compromised.

If you are running Office 2003, you might want to seriously consider installing MOICE to protect from future attacks.

For more information on MOICE, refer to the following links

http://blogs.technet.com/msrc/archive/2007/05/22/two-advisories-on-non-security-updates.aspx
http://blogs.technet.com/robert_hensing/archive/2007/05/22/moice-microsoft-office-isolated-conversion-environment.aspx
http://www.microsoft.com/technet/security/advisory/937696.mspx

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

Filed under: , ,

Comments

No Comments