22 May 2007, 13:24

Microsoft announces updates to increase Office security

Very often during the last few months, soon after Microsoft's monthly patchdays new vulnerabilities have appeared in Microsoft's Office which could be exploited by hackers for arbitrary code execution (zero-day attacks). Now, the vendor acknowledges the need for action to provide a higher degree of security for users of their Office suite, and has announced two software updates targeted at mitigating risks when working with manipulated Office documents: Microsoft Office Isolated Conversion Environment (MOICE) and a file block functionality.

The MOICE software simply uses the 2007 Microsoft Office conversion routines to convert Office binary documents to the Office XML format. When analysing unsafe documents, the Office developers noticed that the converters from Office 2007 could only create a document that did not contain malicious code; otherwise, the conversion failed or the software just crashed.

According to Microsoft, users now enjoy a much greater degree of security when opening such a converted document with Office 2000, XP, 2003 or 2007, since converted documents no longer contain the malicious code. However, a compatibility update must be installed for older Office versions to allow them to understand the new XML format. Official support is only provided for Office 2003 and 2007.

In his blog, Microsoft developer David LeBlanc explains that, as opposed to Office 2007 filters, MOICE works within a sandbox with restricted access rights, from where no new processes can be launched, which can prevent arbitrary code execution in case the converter crashes.

To use the filters, the administrator or user must associate the respective document types (.doc, .xls, .xlt, .xla, .ppt, .pot, .pps) with MOICE; the software will then convert the documents when they are opened and will hand off the filtered document to the real registered application.

However, problems may arise when working with MOICE. For instance, the default setting of the filters interrupts the process if the conversion has not been completed within 45 seconds; thus, converting large documents requires specific registry settings. PowerPoint presentations created with program version 97 or prior versions cannot be converted, and the filters remove smart tags from presentations. MOICE also filters macros from the documents.

The conversion software has mainly been designed for corporate use, since, so far, companies were the primary targets of zero-day exploits in Office. For instance, it is possible to perform a central conversion of all incoming Office files with MOICE right at the gateway. Andreas Marx from AV-Test warns, protection is only provided against exploits in old formats, and nobody knows which new surprises await Office 2007 users.

Microsoft has also announced the availability of another update to improve Office security: a patch that enables so-called file block functionality in Office 2007 or upgrades Office 2003 accordingly. Administrators can use this functionality to restrict access to certain office file types by means of group policies or changes to the registry. This makes sense, for instance, to protect users if vulnerabilities in Word, Excel or PowerPoint are detected and no patches are available yet to fix these holes.

While in their security advisory, Microsoft announces that both software updates are available, no links are provided to download the software. Soon, such links should be available on the general download site for Microsoft Office. From June 12, 2007, the MOICE software will be available on the Microsoft Update site as a recommended update. Office 2003 or 2007 with all relevant updates must be installed to use this software. While the file block functionality is already included in Office 2007, Microsoft intends to provide updates for Office 2003 to upgrade to this functionality.