Sunday, May 13, 2007

New MS tool isolates Office 2003 zero-day exploits

Microsoft plans to ship a file conversion tool to give Office 2003 users a chance to protect against exploits rigged into .doc, .xls, .ppt documents.

The tool, called MOICE (Microsoft Office Isolated Conversion Environment), is a direct response to the nonstop zero-day attacks that use rigged Word, Excel and Powerpoint documents to plant call-home Trojans on government and corporate networks.

Microsoft has already built new protection mechanisms into the Office 2007 software suite but customers running older versions of Office are at the highest risk. The statistics are telling: Since January 2006, Microsoft has shipped 20 bulletins covering code-execution holes in Office 2003. Over that same period, only 2 bulletins were shipped for Office 2007.

Facing pressure from .gov and .mil customers, Microsoft is hoping MOICE can offer some temporary respite for users who have not yet upgraded to Office 2007.

The groundwork for MOICE has already been laid with the decision to ship an update to Group policy as a non-security update during Patch Tuesday. The group policy update allows IT administrators to have granular control over which types of files users can and cannot access, specifically requiring they open and save only files that are in the OpenXML format.
With MOICE, the plan is to give users a free tool to allow Office 2003 files to be converted to an OpenXML format.

When installed on desktop machines and used in conjunction with Group Policy settings, MOICE initiates a process that converts documents in legacy (.doc) formats to OpenXML formats, stripping out potentially harmful elements that could pose a potential security risk.
The conversion process takes place in a safe, quarantined sandbox environment, so the user's computer is fully protected.

"We recommend that organizations who are concerned about targeted file format attacks, and are interested in achieving the very highest levels of security consider deploying [the MOICE tool]," a Microsoft spokesman said.

The tool was supposed to ship this week but was delayed while Redmond cleans up some bugs related non-English versions of Office 2003.

No comments: