Microsoft Boosts Office Security with New Tools
Published: May 23, 2007
by Alex Woodie
Microsoft yesterday quietly announced a pair of new tools designed to protect Office 2003 and Office 2007 from zero-day exploits. The new products, unveiled on the company's TechNet security Web site, protect users by converting older Office formats into the new Open XML format that Microsoft is now pushing. Because Open XML is so new, there are few known vulnerabilities in it, providing users a window of protection. But the big question is: How long will it last?
Microsoft announced the new tools, including the Microsoft Office Isolated Conversion Environment (MOICE) feature and File Block, with Microsoft Security Advisory (937696)--a notification mechanism usually reserved for warning Microsoft customers about newly discovered security holes.
Microsoft says both new tools should make it easier for users to protect themselves from malicious Office files, such as those received via e-mail. Vulnerabilities in Office formats such as Word, Excel, and PowerPoint are a favorite avenue of attack for malicious software writers looking to infect Windows computers.
MOICE provides protection by converting Office 2003 documents to the new Open XML format that Microsoft introduced with Office 2007. In short, MOICE works as a "pre-processor" for potentially unsafe Office documents, and should give users greater confidence in opening Office documents, according to Microsoft. (Office 2007 users who adopt the new Open XML format would already be protected from vulnerabilities in older Office file formats. However, many Office 2007 users, it would seem, continue to work with Office 2003 binary documents instead of the new Open XML format, which appears to be why Microsoft made the new tool available for Office 2007 users, too.)
Meanwhile, the new File Block capability provides a mechanism that administrators can use to control and block the opening of specific Microsoft Office file types. The vendor says the tool allows administrators to restrict, via registry and Active Directory Group Policy, specific Word, PowerPoint, and Excel formats. Microsoft indicates it expects File Block to be employed when the threat of attack from specific Office file types is high--such as when zero-day attacks exploiting a newly discovered vulnerability have been discovered, and Microsoft has not had time to patch the flaw.
There has been a rash of zero-day exploits discovered in Office products over the last year. According to eEye Digital Security's Zero-Day Tracker, there is currently only 1 un-patched flaw in an Office product--the Microsoft Office 2003 PPT Local Denial of Service flaw. But over the last 12 months, there have been 11 zero-day flaws discovered in Word, Excel, and PowerPoint products, and it took Microsoft an average of 49.7 days to fix them.
So far, Office 2007 has stayed relatively intact, security-wise. The only flaw affecting Office 2007 at this point appears to be the Drawing Object Vulnerability, which Microsoft fixed earlier this month with Microsoft Security Bulletin MS07-025. The remote execution vulnerability afflicted every version of Office going back to Office 2000, but it was deemed only an "important" flaw on Office 2007, compared to a "critical" flaw on more recent versions, including Office 2007.
However, if history is any lesson, malicious software writers will undoubtedly find flaws in Office 2007 and the new Open XML file formats as the products gain more usage, which could render the protection afforded by MOICE and File Block a moot point. But as long as Open XML adoption remains relatively low, it should provide an element of additional protection.
MOICE and the File Block tools work independently, but Microsoft recommends combining them to get the maximum benefit. The new tools do not work directly with Office 2000 and Office XP. However, files that have been converted using MOICE could be opened on these versions of Office if the user has the Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats installed, Microsoft says.
For more information on MOICE and File Block, see Microsoft Security Advisory (937696) at www.microsoft.com/technet/security/advisory/937696.mspx. To download MOICE, go to Knowledge Base article 935865.
File Block is enabled by default on Office 2007. Office 2003 users must independently download and configure the File Block functionality. For instructions on how to enable File Block for PowerPoint 2003, Excel 2003, and Word 2003, visit these Microsoft Knowledge Base Articles, respectively: 922847, 922848, and 922849.