Microsoft plans to release a plug-in to protect users from exploits targeting an ever-growing number of Office vulnerabilities. Known as MOICE (Microsoft Office Isolated Conversion Environment), the tool converts Office 2003 Word, Excel, or PowerPoint documents to the Office 2007 Open XML format. This creates a document that takes advantage of 2007 security enhancements without upgrading the user to the newer release. The converted document is then opened by the appropriate application.
This is an important step for Microsoft. Office applications are rapidly increasing in popularity as malware targets. According to Symantec, the huge Office user base presents an attractive attack surface for malware developers who are increasingly blocked by enhanced operating system security processes. In fact, "… about two-thirds of the Microsoft Security Bulletins concerning Office 2003 applications were released [in 2006]" (Hon Lau, "The Microsoft Office Vulnerabilities Treadmill," 28 Sep 2006).
Organizations and individual users with updated anti-malware solutions are reasonably protected from Office document attacks. However, the increase in zero-day exploits underscores the need to augment signature-based remedies. MOICE will contribute to this effort by helping to ensure that document formats include only what is expected.
So what's the downside? This looks like a pretty good solution. Well, the most discerning users might not think so. Because a document is converted twice (once to XML and then to native Office 2003 format), opening a document will take longer. MOICE also strips out macros and VBA projects. These issues make MOICE a security tool that might not be for everyone.
There is also the question of the converter. What happens if an attacker attempts to exploit a vulnerability discovered in the software that is supposed to clean bad documents? This isn't a problem. The converter runs in an isolated sandbox environment. Compromise of the converter won't add much value to an attack.
Originally planned for release in May 2007, MOICE availability has been delayed for "up to several weeks."
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.