More Dish on MOICE
- By Stephen Swoyer
- May 23, 2007
Microsoft provided a few more details about this week's MOICE (Microsoft Office Isolated Conversion Environment) offering
, which was the subject of a previous security advisory.
First, MOICE was a more or less serendipitous discovery.
"When we get MSRC [Microsoft Security Response Center] cases in, we have to check to see whether it affects each version, including new code," wrote Microsoft's David LeBlanc on his Technet blog. "One of the things we noticed is that when we converted an exploit document to the new Office 2007 'Metro' format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet."
With respect to the question of how MOICE is able to do what it does, Blanc is obligingly expansive.
"The reason this process ends up stripping out exploits is that the older formats would do things like write offsets directly into the file, and in some cases would write pointer values right into the file. It seemed like a good idea back in 1995 or so, but isn't something we want to do now," he stated. "Because the new file format is meant to eliminate security problems and has a goal of simplicity … that information often just doesn't make it across the conversion process. It's also true that the converter itself is composed of the same code used to process the older formats by Office 2007, and that code has the benefit of improvements we've made in Prefast [Office Automated Code Review]."
MOICE isn't a completely free lunch, of course.
"There are some downsides -- converting a file twice before you can open it adds a performance penalty," LeBlanc conceded. "Whether it's something you'll notice depends on the size of the files….We're also stripping out things like macros and VBA projects -- sure, it's a big [application compatibility] hit, but this is a security feature."