The Register® — Biting the hand that feeds IT

Feeds

MS anti-Trojan shield fails to protect older Offices

MOICE and sleazy

By John Leyden, 6th June 2007
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Microsoft's attempts to protect against the growing range of attacks targeting unpatched flaws in its Office application suite are only likely to be partially effective, according to security experts.

The tool, Microsoft Office Isolated Conversion Environment (MOICE), is designed to protect against malformed Office 2003 documents that attempt to exploit 0-day vulnerabilities. The technology works by converting Office 2003 binary format files to Open XML format using Microsoft Office 2007 system converters. Microsoft claims three possible failsafe outcomes: successful conversion, failure to covert, or the converter (though not the underlying OS) crashes.

Clearswift ThreatLab manager Pete Simpson said the technology is to screen out malware from legacy Office document formats, a problem that arises in the first place from "lax sanity checking of field bounds and pointers" that leads to buffer overflow flaws and the like.

"These vulnerabilities are abound in pre-2007 Office documents and have been exploited by attackers to force buffer overflows leading to execution of the attached Trojan code, when an unsuspecting user simply opens a malformed Office email attachment. Furthermore automated 'fuzzing' tools are capable of generating numerous document malformations that will cause Office applications to crash," he said.

Simpson said that MOICE is all very well - as far as it goes - but it only helps users of Office 2003 or higher to enjoy the sort of improved protection offered by the different file formats that come with Office 2007. Office XP, or lower, users aren't protected.

Hackers are increasingly attempting to smuggle maliciously constructed Office files that attempt to exploit unpatched vulnerabilities past corporate defences. Although 0-day Office Trojans have been observed since late 2004, they increased by a factor of ten through 2006, according to ClearSwift.

The assaults often take the form of targeted attacks - featuring plausible message hooks and spoofed headers - designed to trick workers in sensitive sectors such as government into opening infected files.

"The attackers - organised crime or hostile intelligence services - are scoping targets for theft of specific valuable information. The problem is certainly not going to vanish any time soon. Neither will Microsoft's response - MOICE - solve the problem until all Office users upgrade to 2003 or higher," Simpson added. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (4)
Latest Comments
Michael Rudas

Back-door lock-in?

In light of the fact that ONLY Office 2000-and-up can officially read OOXML files at this time (and THAT requires a conversion add-on for Office 2000/XP/2003), I see this so-called "security" move as a net negative-- an attempt to lock users into MS software. Sure, there are stand-alone converters that will convert back from DOCX to DOC formats, but how many end-users will know this, or be in an environment that allows such software to be installed?

We can only HOPE that OOXML crashes-and-burns, as it deserves to. The fact that most professional journals won't accept OOXML file formats is telling.

-- Mikey

0
0
Anonymous Coward
Anonymous Coward

irony...

"I use Apple's Pages, and don't have any Microsoft product on this computer that was made this millennium, and you don't see me blathering on about it."

That's not entirely true now is it...

0
0
Blain Hamon

Yes, yes, we know.

Blah blah open office blah. Please. There is a time and a place for advertisements. I use Apple's Pages, and don't have any Microsoft product on this computer that was made this millennium, and you don't see me blathering on about it.

Those that know about OpenOffice have already made their decision, and those that don't will be put off with your preaching.

P.S. http://spellbound.sourceforge.net/ will help your cause. Trust me on that.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
133
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
59
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15