funsec mailing list archives
Re: A new security tool from Microsoft: Is it clever or whacky?
From: "Michael Silk" <michaelslists () gmail com>
Date: Tue, 29 May 2007 08:52:33 +1000
On 5/29/07, rms () computerbytesman com <rms () computerbytesman com> wrote:
> http://blogs.technet.com/msrc/archive/2007/05/22/two-advisories-on-non-security-updates.aspx
>
> Tuesday, May 22, 2007 4:31 PM by MSRCTEAM
> More Information on MOICE and Restricting Opening or Saving Types of Files
>
> The MOICE tool works to help protect you from malicious Office documents by capturing the legacy file format associations and diverting file open requests to this new process. First, it converts the document to the new Office Open XML format. It then converts back to the legacy binary format before handing off to the regular Office application to open the document.

gee, what could _possibly_ go wrong here.

> As David discussed in detail, this conversion happens in an isolated, low-rights environment which helps protect against attempts to exploit the conversion.

how is this achieved?

> MOICE captures the file associations for the following file types:
>
> • .doc (Word document)
> • .xls (Excel spreadsheet)
> • .xlt (Excel Template)
> • .xla (Excel Addin)
> • .ppt (Powerpoint document)
> • .pot (Powerpoint Template)
> • .pps (PowerPoint slideshow)

what about .dot?

i agree; this does seem rather wacky and strange. "our regular word parser isn't secure, lets make a new one, that converts twice, and make THAT secure" .... seems a little weird to me.

> Because a malicious user could try to bypass this conversion by renaming his malicious evil.doc file to evil.rtf, it's also important to block other file types not handled by MOICE that Office still opens. That's where the restricting open and saving types of files comes in: to block RTF and other file types not in the list above. The combination of MOICE + restricting opening or saving types of files helps to ensure that all files in the legacy binary file format go through this isolated conversion process before regular Office operates on them.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
-- mike 00110001 <3 00110111
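
The renaming concern in the quoted MSRC text (a legacy binary file carried under an extension MOICE does not capture) can be checked from the defender's side by comparing each file's extension with its leading bytes. This is an added example, not part of the original message and not how MOICE itself works; the function names, verdict strings and sample files are constructed for illustration, and only the OLE2, ZIP and RTF signatures are recognised.

```python
import os
import tempfile

# Well-known leading bytes of the container formats involved.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office files
ZIP_MAGIC = b"PK\x03\x04"                       # Office Open XML packages
RTF_MAGIC = b"{\\rtf"
# Extensions the quoted MSRC text lists as captured by MOICE.
MOICE_EXTENSIONS = {".doc", ".xls", ".xlt", ".xla", ".ppt", ".pot", ".pps"}


def sniff_container(path):
    """Return 'ole2', 'ooxml-zip', 'rtf' or 'unknown' from the first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in ((OLE2_MAGIC, "ole2"), (ZIP_MAGIC, "ooxml-zip"),
                        (RTF_MAGIC, "rtf")):
        if head.startswith(magic):
            return kind
    return "unknown"


def classify(path):
    """Return (extension, container, verdict) for one file (hypothetical verdicts)."""
    ext = os.path.splitext(path)[1].lower()
    kind = sniff_container(path)
    if kind == "ole2" and ext not in MOICE_EXTENSIONS:
        return ext, kind, "legacy-binary-under-uncaptured-extension"
    if ext in MOICE_EXTENSIONS and kind != "ole2":
        return ext, kind, "captured-extension-but-not-legacy-binary"
    return ext, kind, "consistent"


def demo():
    """Write constructed sample files (only the leading bytes matter) and classify them."""
    samples = {
        "report.doc": OLE2_MAGIC + b"\x00" * 16,
        "evil.rtf": OLE2_MAGIC + b"\x00" * 16,      # renamed legacy binary
        "template.dot": OLE2_MAGIC + b"\x00" * 16,  # extension absent from the list
        "notes.rtf": b"{\\rtf1\\ansi hello}",
        "memo.doc": b"{\\rtf1\\ansi hello}",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = classify(path)
    return results
```

Calling `demo()` returns one `(extension, container, verdict)` tuple per sample; the `.rtf` and `.dot` files that carry OLE2 content are the ones a file-type blocking policy would need to cover.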
Current thread:
- A new security tool from Microsoft: Is it clever or whacky? rms (May 28)
- Re: A new security tool from Microsoft: Is it clever or whacky? Michael Silk (May 28)
- Re: A new security tool from Microsoft: Is it clever or whacky? Dude VanWinkle (May 28)
- Re: A new security tool from Microsoft: Is it clever or whacky? Michael Silk (May 28)