funsec mailing list archives
RE: Free tools to protect yall's fools
From: "Alex Eckelberry" <AlexE () sunbelt-software com>
Date: Sat, 12 May 2007 17:31:55 -0400
Putting aside the fascinating analysis of "ya'll", this doesn't do anything for Metro docs, right? It just upconverts older format files, stripping exploits? Alex -----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Dude VanWinkle Sent: Friday, May 11, 2007 8:51 PM To: FunSec [List] Subject: [funsec] Free tools to protect yall's fools Personally, I convert all office documents to csv and plain text files for all users, whether they like it or not ;-) ---------------------------- http://blogs.msdn.com/david_leblanc/archive/2007/05/08/new-file-converte r-coming-soon.aspx You might have recently heard something about the new "Microsoft Office Isolated Conversion Environment", a tool we are providing to help protect Office 2003 users from malicious content in Office files. You might be asking yourself what it is, and why we need such a long name? I really don't know the second question - marketing people and PMs put names on things, I just write code and try to help others write secure code. I do know a lot about the first question, and I have a series of blog entries planned to talk about how it works in some detail. MOICE takes advantage of an effect we noticed while working on Office 2007 - when we get MSRC cases in, we have to check to see whether it affects each version, including new code. One of the things we noticed is that when we converted an exploit document to the new Office 2007 'Metro' format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet. Thus, if we could pre-process documents coming from untrusted sources from the older format to the new format, and then get an older version of Office to use its converter to read in the new file format, the customer is going to end up safer. The way that this works is to associate the old document format extensions with MOICE, which will then upconvert the file to the new format, and hand it off to the real registered app to read in the file that's in the new format. The reason this process ends up stripping out exploits is that the older formats would do things like write offsets directly into the file, and in some cases would write pointer values right into the file. It seemed like a good idea back in 1995 or so, but isn't something we want to do now. Because the new file format is meant to eliminate security problems and has a goal of simplicity (which is a great way to help make things more secure), that information often just doesn't make it across the conversion process. It's also true that the converter itself is composed of the same code used to process the older formats by Office 2007, and that code has the benefit of improvements we've made in Prefast (known in Office as OACR, for Office Automated Code Review), a huge amount of fuzzing, and many other improvements - all in all, the new code is going to be safer. ------------------------------\ -JP "Personally, I convert all office documents to csv and plain text files for all users, whether they like it or not" - Some guy in the unemployment line _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. .... _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Free tools to protect yall's fools Dude VanWinkle (May 11)
- RE: Free tools to protect yall's fools Alex Eckelberry (May 12)
- Re: Free tools to protect yall's fools Dude VanWinkle (May 12)
- Re: Free tools to protect yall's fools Florian Weimer (May 13)
- TSA means.... Randy Abrams (May 13)
- Re: Free tools to protect yall's fools Dude VanWinkle (May 12)
- RE: Free tools to protect yall's fools Alex Eckelberry (May 12)
- <Possible follow-ups>
- Re: Free tools to protect yall's fools Fergie (May 11)
- Re: Free tools to protect yall's fools Dude VanWinkle (May 11)
- Re: Free tools to protect yall's fools Larry (May 11)
- Re: Free tools to protect yall's fools Dave Paris (May 11)
- Re: Free tools to protect yall's fools Larry (May 11)
- Re: Free tools to protect yall's fools Drsolly (May 12)
- Proper y'all usage Gary Warner (May 12)