funsec mailing list archives

Re: A new security tool from Microsoft: Is it clever or whacky?


From: "Michael Silk" <michaelslists () gmail com>
Date: Tue, 29 May 2007 08:52:33 +1000

On 5/29/07, rms () computerbytesman com <rms () computerbytesman com> wrote:


http://blogs.technet.com/msrc/archive/2007/05/22/two-advisories-on-non-security-updates.aspx

Tuesday, May 22, 2007 4:31 PM by MSRCTEAM

More Information on MOICE and Restricting Opening or Saving Types of Files

The MOICE tool works to help protect you from malicious Office documents by
capturing the legacy file format associations and diverting file open
requests to this new process. First, it converts the document to the new
Office Open XML format. It then converts back to the legacy binary format
before handing off to the regular Office application to open the document.


gee, what could _possibly_ go wrong here.


As David discussed in detail, this conversion happens in an isolated,
low-rights environment which helps protect against attempts to exploit the
conversion.


how is this achieved?


MOICE captures the file associations for the following file types:

• .doc (Word document)
• .xls (Excel spreadsheet)
• .xlt (Excel Template)
• .xla (Excel Addin)
• .ppt (Powerpoint document)
• .pot (Powerpoint Template)
• .pps (PowerPoint slideshow)


what about .dot?

i agree; this does seem rather wacky and strange.

"our regular word parser isn't secure, let's make a new one, that converts
twice, and make THAT secure" .... seems a little weird to me.


Because a malicious user could try to bypass this conversion by renaming his
malicious evil.doc file to evil.rtf, it's also important to block other file
types not handled by MOICE that Office still opens. That's where the
restricting open and saving types of files comes in: to block RTF and other
file types not in the list above. The combination of MOICE + restricting
opening or saving types of files helps to ensure that all files in the
legacy binary file format go through this isolated conversion process before
regular Office operates on them.




_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.




--
mike
00110001 <3 00110111
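A constructed model of the policy the quoted advisory describes (capture the listed legacy extensions for sandboxed conversion, block the legacy types MOICE does not handle, and defeat the evil.doc-to-evil.rtf rename by checking content rather than just the extension); this is an added illustration, not Microsoft's MOICE code. The magic bytes are the real OLE2, zip and RTF signatures; the `.docx`/`.xlsx`/`.pptx` handling and the `Action` names are assumptions for the example.

```python
"""Constructed model of MOICE + 'restrict opening types' dispatch."""
from enum import Enum

# Extensions MOICE captures, per the list quoted above.
MOICE_TYPES = {".doc", ".xls", ".xlt", ".xla", ".ppt", ".pot", ".pps"}
# Legacy types Office still opens that MOICE does not capture: RTF (named in
# the advisory) and .dot (raised in the reply). Assumed blocked by policy.
UNHANDLED_LEGACY = {".rtf", ".dot"}
# Assumption for this example: OOXML extensions may be opened directly.
OOXML_TYPES = {".docx", ".xlsx", ".pptx"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (zip)
RTF_MAGIC = b"{\\rtf"


class Action(Enum):
    CONVERT_SANDBOXED = "route through isolated OOXML round-trip conversion"
    OPEN_DIRECT = "hand straight to the regular Office application"
    BLOCK = "refuse to open"


def sniff(header: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    if header.startswith(OLE2_MAGIC):
        return "ole2"
    if header.startswith(ZIP_MAGIC):
        return "ooxml"
    if header.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def dispatch(filename: str, header: bytes) -> Action:
    """Decide what the gatekeeper does with a file the user tries to open."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    kind = sniff(header)
    if ext in MOICE_TYPES:
        # Captured association: only genuine legacy binary content is sent to
        # the sandboxed converter; anything else under that extension is refused.
        return Action.CONVERT_SANDBOXED if kind == "ole2" else Action.BLOCK
    if ext in UNHANDLED_LEGACY:
        return Action.BLOCK  # the 'restrict opening types' half of the policy
    if kind == "ole2":
        return Action.BLOCK  # legacy binary content hiding under another extension
    if ext in OOXML_TYPES and kind == "ooxml":
        return Action.OPEN_DIRECT
    return Action.BLOCK
```

Running `dispatch("evil.rtf", OLE2_MAGIC + b"\x00" * 8)` shows the renamed legacy document is refused rather than slipping past the converter.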
