funsec mailing list archives

RE: Free tools to protect yall's fools


From: "Alex Eckelberry" <AlexE () sunbelt-software com>
Date: Sat, 12 May 2007 17:31:55 -0400

Putting aside the fascinating analysis of "ya'll", this doesn't do
anything for Metro docs, right?  It just upconverts older format files,
stripping exploits?

Alex


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Dude VanWinkle
Sent: Friday, May 11, 2007 8:51 PM
To: FunSec [List]
Subject: [funsec] Free tools to protect yall's fools

Personally, I convert all office documents to csv and plain text files
for all users, whether they like it or not  ;-)

----------------------------

http://blogs.msdn.com/david_leblanc/archive/2007/05/08/new-file-converter-coming-soon.aspx

You might have recently heard something about the new "Microsoft Office
Isolated Conversion Environment", a tool we are providing to help
protect Office 2003 users from malicious content in Office files.
You might be asking yourself what it is, and why we need such a long
name?

I really don't know the second question - marketing people and PMs put
names on things, I just write code and try to help others write secure
code. I do know a lot about the first question, and I have a series of
blog entries planned to talk about how it works in some detail.

MOICE takes advantage of an effect we noticed while working on Office
2007 - when we get MSRC cases in, we have to check to see whether it
affects each version, including new code. One of the things we noticed
is that when we converted an exploit document to the new Office 2007
'Metro' format, it would either fail the conversion, emit a
non-exploitable file, or the converter itself would crash. The
possibility exists that something could make it all the way through, but
we haven't seen any of those yet.

Thus, if we could pre-process documents coming from untrusted sources
from the older format to the new format, and then get an older version
of Office to use its converter to read in the new file format, the
customer is going to end up safer. The way that this works is to
associate the old document format extensions with MOICE, which will then
upconvert the file to the new format, and hand it off to the real
registered app to read in the file that's in the new format.

The reason this process ends up stripping out exploits is that the older
formats would do things like write offsets directly into the file, and
in some cases would write pointer values right into the file. It seemed
like a good idea back in 1995 or so, but isn't something we want to do
now. Because the new file format is meant to eliminate security problems
and has a goal of simplicity (which is a great way to help make things
more secure), that information often just doesn't make it across the
conversion process. It's also true that the converter itself is composed
of the same code used to process the older formats by Office 2007, and
that code has the benefit of improvements we've made in Prefast (known
in Office as OACR, for Office Automated Code Review), a huge amount of
fuzzing, and many other improvements - all in all, the new code is going
to be safer.

------------------------------

-JP
"Personally, I convert all office documents to csv and plain text files
for all users, whether they like it or not"
- Some guy in the unemployment line

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
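
The hand-off described in the quoted blog post (convert untrusted input in a separate process and pass on only what the conversion produces) can be sketched as follows. This is an added example, not part of the original thread and not MOICE code; the `OLD1` toy format and the names `isolated_convert` and `make_legacy` are constructed for illustration.

```python
import struct
import subprocess
import sys

# Constructed toy "legacy" format (an assumption, not a real Office format):
# magic b"OLD1" | uint32 text_offset | uint32 text_length | payload bytes
CONVERTER_SRC = r'''
import json, struct, sys
data = sys.stdin.buffer.read()
if data[:4] != b"OLD1":
    sys.exit(2)                                      # not our format: refuse
offset, length = struct.unpack_from("<II", data, 4)  # raises on a truncated header
if offset < 12 or offset + length > len(data):
    sys.exit(2)                                      # offset points outside the file
text = data[offset:offset + length].decode("utf-8")  # raises on invalid bytes
# The output carries only content; no offsets survive the conversion.
sys.stdout.write(json.dumps({"text": text}))
'''

def isolated_convert(data: bytes, timeout: float = 5.0):
    """Run the converter in a child process; return (outcome, converted_or_None)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", CONVERTER_SRC],
            input=data, capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout", None
    if proc.returncode == 0:
        return "converted", proc.stdout   # only this is handed to the real app
    if proc.returncode == 2:
        return "rejected", None           # conversion failed cleanly
    return "crashed", None                # unhandled exception or signal in the child

def make_legacy(text: bytes, offset: int = 12, length=None) -> bytes:
    """Build a constructed sample file in the toy format."""
    length = len(text) if length is None else length
    return b"OLD1" + struct.pack("<II", offset, length) + text

if __name__ == "__main__":
    for sample in (make_legacy(b"hello"), make_legacy(b"hello", offset=4096), b"OLD1\x01"):
        print(isolated_convert(sample))
```

The three outcomes mirror the ones the post lists: a converted file without the original offsets, a failed conversion, or a converter crash that stays confined to the child process.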
