Hello everyone,

 

This is Christopher Budd. I wanted to let you know we’ve just posted a couple of Security Advisories related to important updates.

 

We often use Security Advisories to let you know when we’re aware of security incidents that can affect customers.  We also use Security Advisories to let you know about important information that can relate to your overall security. In this case, we’re letting you know about two non-security updates that we think it’s important for you to review.

 

The first advisory is Microsoft Security Advisory (927891). This advisory is to let you know about an update to the Windows Installer, sometimes called the MSI installer. This update applies to currently supported versions of Windows except Windows Vista. The update addresses an issue you may experience where systems may become unresponsive when Windows Update or Microsoft update is scanning them. This update is being released through Windows Update, Microsoft Update and Automatic Updates. I want to note that this update will install correctly even if you’re experiencing this issue. However, the issue may prevent you from installing other updates (including security updates) until you apply this new update, so we encourage customers to apply this right away.

 

The second advisory is Microsoft Security Advisory (937696). This advisory announces the availability of the Microsoft Office Isolated Conversion Environment (MOICE) feature. It also lets you know more widely of the ability to restrict opening or saving types of files in Microsoft Office 2003 and the 2007 Microsoft Office system (called "file block" by some).  In the 2007 Microsoft Office system, this capability is part of the 2007 Office System Administrative Templates. For Office 2003, this capability is included in MS07-023 for Excel, MS07-024 for Word, and non-security update 933669 for PowerPoint.

 

My colleague David LeBlanc first mentioned MOICE a couple of weeks ago. MOICE provides new security mitigation technologies designed to convert specific Microsoft Office files types.  Additionally, the ability to restrict opening or saving types of files provides a mechanism that can control and block specific Microsoft Office file types. Taken together, both of these are designed to make it easier for customers to protect themselves from Microsoft Office files that may contain malicious software, such as unsolicited Microsoft Office files received from unknown or known sources.  To help you understand more of what MOICE and the ability to restrict opening or saving types of files do, I’ve asked my colleague Jonathan to go into some more technical detail below.

 

We encourage you to review both advisories and deploy the updates and tools as appropriate.

 

Thanks.

 

Christopher

 

More Information on MOICE and Restricting Opening or Saving Types of Files

 

Hi everyone.  Jonathan from the SWI team here.  David LeBlanc, one of the architects of the MOICE tool, wrote a great intro to the tool that you can find here.  As David mentioned, the 2007 Office system’s new “Metro” file format received lots of additional security testing time and is more resilient by design to file format-based attacks.  The code in the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats which parses legacy documents to convert them to the new format has been through this same rigorous security testing cycle as the 2007 Office system.  Bottom line, the new stuff is much safer.  And now with the MOICE tool, those of you have not yet upgraded to the 2007 release can take advantage of these enhancements today.

 

The MOICE tool works to help protect you from malicious Office documents by capturing the legacy file format associations and diverting file open requests to this new process.  First, it converts the document to the new Office Open XML format.  It then converts back to the legacy binary format before handing off to the regular Office application to open the document.  As David discussed in detail, this conversion happens in an isolated, low-rights environment which helps protect against attempts to exploit the conversion. 

 

MOICE captures the file associations for the following file types:

·          .doc (Word document)

·         .xls (Excel spreadsheet)

·         .xlt (Excel Template)

·         .xla (Excel Addin)

·         .ppt (Powerpoint document)

·         .pot (Powerpoint Template

·         .pps (PowerPoint slideshow)

 

Because a malicious user could try to bypass this conversion by renaming his malicious evil.doc file to evil.rtf, it’s also important to block other file types not handled by MOICE that Office still opens.  That’s where the restricting open and saving types of files comes in: to block RTF and other file types not in the list above.  The combination of MOICE + restricting opening or saving types of files helps to ensure that all files in the legacy binary file format go through this isolated conversion process before regular Office operates on them.

 

I’m looking forward to David’s blog series on the technology behind the isolated conversion process.  I have heard him talk about it and it is really impressive. 

 

Thanks

 

Jonathan

*This posting is provided "AS IS" with no warranties, and confers no rights.*