Using Microsoft MOICE to protect against malicious Office files
Date : May 11, 2009
Since 2006, newly discovered vulnerabilities in the Microsoft Office suite have regularly been used to perform targeted attacks. To do this, an attacker builds a malicious file (which exploits a previously unknown vulnerability) and sends it to the victim. When this file is opened, it performs malicious actions on the victim's computer.
To counter this attack tactic, Microsoft released in 2007 two complementary tools for Office 2003 and 2007:
- MOICE (Microsoft Office Isolated Conversion Environment), which inspects and pre-processes Office documents before they are handled by Word, Excel or PowerPoint.
- "File Block", which prevents Word, Excel or PowerPoint from opening certain file types (e.g. those that are not supported by MOICE).
These tools are now frequently recommended by Microsoft as a countermeasure to targeted attacks that use malicious Office files, but they still seem little known. This is why we explain here how they work and how they can be used with Office 2000, XP, 2003 and 2007.
MOICE
MOICE is a tool that parses and filters binary Office files before calling the appropriate Office application (Word, Excel or PowerPoint). MOICE runs in a protected environment (which limits the actions a malicious file could perform should a vulnerability be found in MOICE itself), analyzes the input file, produces a result file, and finally passes that result file to the appropriate Office application for editing. Because MOICE rewrites the file that Office later processes, there is a good level of assurance that any attack code embedded in the original file will be sanitized. MOICE is designed not to be disturbed by oddities found in the parsed file and to remove them.
MOICE was built with the converters developed for Office 2007. This means that MOICE produces result files which use the new XML format introduced by Office 2007.
Notes:
- You can see that the new Office 2007 file format is XML-based by renaming a ".docx" file produced by Office ("docx" is the new suffix used for Word 2007 documents) to ".zip" and then opening this ".zip" file: the ZIP archive contains a set of XML files.
- MOICE does not convert the macros found in processed documents (they are lost, but since macros can be dangerous this may be seen as a safe approach) and cannot handle files protected by a password or by DRM (Digital Rights Management).
For the Office applications launched by MOICE (Office 2000, XP, 2003 or 2007, depending on the environment) to be able to open the converted document, the "Compatibility Pack for Microsoft Office file formats Word, Excel and PowerPoint 2007" must be installed (or Office 2007 itself must be installed). This is not really an issue because this Compatibility Pack is available for Office 2000, XP and 2003. Moreover, MOICE itself is delivered as a component of this Compatibility Pack.
Note: The Office Compatibility Pack is available for Office 2000, XP and 2003. However, Microsoft indicates that MOICE (which comes with this package) can operate only in environments that use Office 2003 and 2007.
The following table lists the files that MOICE can process and the result it produces for each:

| Input file | Output file |
|---|---|
| .doc (Word document) | .docx |
| .xls (Excel spreadsheet) | .xlsx |
| .xlt (Excel template) | .xltx |
| .xla (Excel add-in) | .xlam |
| .ppt (PowerPoint document) | .pptx |
| .pot (PowerPoint template) | .potx |
| .pps (PowerPoint slideshow) | .ppsx |
MOICE shortcomings
Once MOICE has been installed on a computer, double-clicking a file with one of the extensions supported by MOICE automatically runs MOICE to convert the file. The result file is created by MOICE in the "%TEMP%" directory (i.e. "C:\Documents and Settings\{username}\Local Settings\Temp") and this file is then opened by the appropriate Office application.
This behaviour is quite disturbing if you modify this file, because when you save it you must move it from the "%TEMP%" folder to a more appropriate location. It is also strongly suggested to manually delete the original file. If you don't, and keep both the ".doc" and the ".docx" file (let us suppose you work on a Word document) in the same directory, there is a real risk that you later edit the old ".doc" file instead of the new ".docx" file (which is the only one that includes the changes you made to the document).
In fact, from our point of view, deploying MOICE on users' computers is probably comfortable only for organizations that have already decided to migrate their documents to the new Office 2007 file format. In that situation most of the users' files are already ".docx" files, and automatically converting the remaining ".doc" files (for example those received from outside) into ".docx" files makes perfect sense. Although it is possible to use the new Office 2007 file formats with previous Office releases (e.g. Office 2003), this scheme seems a little odd. Deploying both MOICE and Office 2007 is probably the best choice.
Note: MOICE is not automatically installed with Office 2007. It significantly strengthens Office 2007 and must be installed explicitly. If it is not, old Office documents (.doc, .xls, .ppt, etc.) are handled directly by Office 2007, which leaves Office 2007 exposed to attacks via malicious Office files.
For organizations that have not yet decided to migrate their documents to the new Office 2007 format, one solution might be, rather than deploying MOICE on all workstations, to set up a "MOICE gateway" at the network perimeter. This gateway would be responsible for running MOICE on all documents received from outside the organisation. As MOICE is "scriptable" (it can be invoked through a command line), it seems possible to implement this MOICE conversion on existing email gateways. Any ".doc", ".xls" or ".ppt" file attached to an incoming email would then be converted by the gateway into a safe ".docx", ".xlsx" or ".pptx" file. Although this approach has been discussed since the first publication of MOICE (e.g. see the end of this DOE document), we have not yet found any feedback from companies that have set up or experimented with a MOICE gateway.
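A gateway built on this idea needs one check the article does not spell out: the decision to convert, forward or block must rest on the bytes of the attachment, not on its extension, and a file must never be forwarded while it still carries the legacy binary signature. The following Python is an added example (not from the article, and not Microsoft's code): it classifies an attachment by its OLE2 compound-file header or by the `[Content_Types].xml` part every Office Open XML ZIP package carries, uses the conversion table above to decide the gateway's verdict, and builds its sample files in memory.

```python
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"  # every OOXML document is a ZIP container
# Legacy extension -> MOICE output extension (the table from the article)
MOICE_MAP = {".doc": ".docx", ".xls": ".xlsx", ".xlt": ".xltx", ".xla": ".xlam",
             ".ppt": ".pptx", ".pot": ".potx", ".pps": ".ppsx"}

def classify(data: bytes) -> str:
    """Classify by content, not extension (a renamed .doc keeps its OLE2
    header). Returns 'ole2', 'ooxml' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # Every Office Open XML package carries this content-types part
        if "[Content_Types].xml" in names:
            return "ooxml"
    return "unknown"

def gateway_verdict(filename: str, data: bytes) -> str:
    """'convert' = legacy binary MOICE handles; 'pass' = already OOXML with a
    matching extension; 'block' = anything else (RTF, extension/content
    mismatch), which is File Block territory."""
    ext = os.path.splitext(filename)[1].lower()
    kind = classify(data)
    if kind == "ole2" and ext in MOICE_MAP:
        return "convert"
    if kind == "ooxml" and ext in MOICE_MAP.values():
        return "pass"
    return "block"

def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-shaped ZIP standing in for MOICE output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(gateway_verdict("report.doc", OLE2_MAGIC + b"\x00" * 504))  # convert
```

A real gateway would run the MOICE command line on every "convert" verdict and then re-run `classify` on the output before forwarding it, so that a conversion failure can never let the original binary through.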
File Block
"File Block" is a feature included in Office 2003 and 2007 which is totally separate from MOICE but complements the protection it provides. It allows defining a set of file types that Word, Excel and PowerPoint must refuse to open because they are considered dangerous. For example, "File Block" can prohibit Word from opening RTF files. The "File Block" configuration is set via the Windows Registry.
"File Block" in fact gives Office the equivalent of the "kill bit" mechanism that Internet Explorer uses to block dangerous ActiveX controls.
The File Block feature complements MOICE on two aspects:
- It allows prohibiting Word, Excel and PowerPoint from opening the files that MOICE is not able to inspect (for example the RTF format).
- It also provides a way to block the methods a user may (accidentally) use to bypass the MOICE conversion.
About this second point, it is important to note that MOICE is invoked only when the user double-clicks a file (that is, asks Windows to run the default application for that file type). There are other methods for opening a file which bypass the MOICE invocation, e.g. for a Word document:
- Using the "File/Open" menu from Word,
- Or selecting a file, right-clicking on it to invoke the context menu, and choosing the "Open With / Microsoft Office Word" option.
If you use "File Block" to prohibit Word from opening ".doc" files, you can be sure that these bypass methods will fail.
Note: "File Block" includes a mechanism for the situation where a user absolutely has to open a document that would normally be blocked. This is done by defining a special folder, named the "exempt location" in Office 2003 and the "trusted location" in Office 2007. Files dropped in that folder bypass the "File Block" mechanism.
Conclusion
MOICE, when used in conjunction with "File Block", drastically reduces the risk of attack through malicious Office files. However, this mechanism does not seem easy to deploy in organizations that have not yet migrated to Office 2007. Setting up a MOICE gateway at the border of the organisation seems an attractive alternative for deploying the same protection in environments where Office 2000, XP and 2003 are used.
For further information
- Microsoft Security Advisory (937696): Release of MOICE and File Block Functionality for Microsoft Office
  http://www.microsoft.com/technet/security/advisory/937696.mspx
- Two Advisories on Non-Security Updates
  http://blogs.technet.com/msrc/archive/2007/05/22/two-advisories-on-non-security-updates.aspx
- An NSA Deployment Guide for the MOICE and File Block Functionality with Office 2003
  http://www.nsa.gov/ia/_files/factsheets/I733-007R-2008.zip