Tool may foil Office 2003 hacks with '07 security

Microsoft enterprise tool expected to protect users still running Office 2003 apps

Microsoft will release an enterprise tool that offers some of the security features in the new Office 2007 suite to protect users still running the older Office 2003 applications, a company researcher said Tuesday.

Third-party security professionals applauded the move, calling it a "fantastic" idea and a "very positive" step.

Saddled with the ungainly title Microsoft Office Isolated Conversion Environment (MOICE), the tool should put a stop to the kind of attacks that rely on malformed Word or Excel or PowerPoint documents to hijack specifically-targeted corporate PCs. These attacks, which began early last year and ramped up dramatically during the summer, have continued into 2007.

The concept, said David LeBlanc, co-author of the just-released book Writing Secure Code for Vista (Microsoft Press) and one of the proponents of Microsoft's Security Development Lifecycle initiative, uses new security properties of Office 2007 document formats to protect Office 2003. "When we converted a [Office 2003] exploit document to the new Office 2007 'Metro' format, it would either fail the conversion, emit a nonexploitable file, or the converter itself would crash," said LeBlanc on a his company blog.

That discovery set wheels in motion. "If we could preprocess documents coming from untrusted sources from the older [2003] format to protect the new [2007] format, and then get an older version of Office to use its converter to read in the new file format, the customer is going to end up safer," LeBlanc said.

Because the process requires two document conversions -- the first from old format to new, then another from new back to old -- Microsoft acknowledged that MOICE won't be the choice for everyone. "We're also stripping out things like macros and VBA projects, [so] sure, it's a big hit, but this is a security feature," said LeBlanc.

Joshua Edwards, the technical product manager for Office, seconded that in an interview last week. "It's designed for organizations or companies that have higher security needs, like financial services. Users will see a delay in opening the file."

MOICE does more than just translate document formats, however -- or even dump potentially dangerous components such as macros, said LeBlanc. The tool also converts incoming files in an isolated, sandbox-like environment. "When we looked at the threats to this package, the most obvious is that the converter itself could have a fault that would result in running arbitrary code," he said. To defend against that possibility, MOICE uses several techniques to prevent attack code that, say, crashed the converter or even exploited an unknown bug in the tool from reaching the rest of the operating system.

"What it boils down to is that even if you do get arbitrary code running in the converter, good luck getting it to do anything very useful," said LeBlanc.

Microsoft originally intended to release MOICE Tuesday -- the same day as the May set of monthly security updates -- but pulled back last week. A company spokeswoman blamed the delay on localizing the tool.

"We are continuing to refine the ability of MOICE to work with non-English versions of Office 2003," she said, "and in order to make it available at the same time to our entire global customer base, have decided to postpone its release."

"This is a fantastic idea," said Minoo Hamilton, senior security researcher at nCircle Network Security Inc. "It makes perfect sense and will definitely have an impact on security. We've been noticing on a monthly basis the quantity of Office file formats climbing, so if they can cut the number, I'm all for it."

Amol Sarwate, vulnerability lab manager at Qualys Inc., agreed. "This is a very good idea," Sarwate said. "The last couple of years, file format vulnerabilities have exponentially increased, especially malformed Word files. This tries to address that specific security issue."

Microsoft may be known for banging the drum on new software's security prowess in the hope of convincing users to upgrade, but in this case, the company has changed the beat, Hamilton said. By delivering additional security to users of older software, Hamilton said, Microsoft is showing that "some of the realism is sinking in perhaps, that it makes better business sense to think about security separately from the equation of selling software."

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?