funsec mailing list archives

Re: A new security tool from Microsoft: Is it clever or whacky?


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Tue, 29 May 2007 00:53:30 -0400

On 5/28/07, Michael Silk <michaelslists () gmail com> wrote:
On 5/29/07, rms () computerbytesman com <rms () computerbytesman com> wrote:

>
> http://blogs.technet.com/msrc/archive/2007/05/22/two-advisories-on-non-security-updates.aspx
>
> Tuesday, May 22, 2007 4:31 PM by MSRCTEAM
>
> More Information on MOICE and Restricting Opening or Saving Types of Files
>
> The MOICE tool works to help protect you from malicious Office documents by
> capturing the legacy file format associations and diverting file open
> requests to this new process. First, it converts the document to the new
> Office Open XML format. It then converts back to the legacy binary format
> before handing off to the regular Office application to open the document.

gee, what could _possibly_ go wrong here.


> As David discussed in detail, this conversion happens in an isolated,
> low-rights environment which helps protect against attempts to exploit the
> conversion.

how is this achieved?

durr, mebe read the thread on this earlier in funsec, or the link to
research.ms...



> MOICE captures the file associations for the following file types:
>
> • .doc (Word document)
> • .xls (Excel spreadsheet)
> • .xlt (Excel Template)
> • .xla (Excel Addin)
> • .ppt (Powerpoint document)
> • .pot (Powerpoint Template)
> • .pps (PowerPoint slideshow)

what about .dot?

i agree; this does seem rather wacky and strange.

"our regular word parser isn't secure, let's make a new one, that converts
twice, and make THAT secure" .... seems a little weird to me.

well when you program in code, sometimes your exploits don't port
forward. These guys discovered if you port 2003/200 code to office
2007 code, none of the exploits translate (and even if they did, how
would you get around Stack Cookies, SafeSEH and DEP (excluding
starforce ;-), and decided to release this as a tool..

IMO MS has stepped up and is doing an awesome job..


-JP<mailing lists byte computerman, fer once>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

