Microsoft bolsters Office security
Microsoft released updates to its productivity suite this week, adding security features for Office 2003 that were developed for Office 2007.Called the Microsoft Office Isolated Conversion Environment (MOICE), one feature converts Office 2003 binary documents into Office 2007’s open XML format.
MOICE allows users to pre-process Office documents while converting them, giving program users an additional layer of security, Microsoft said in today’s advisory.
The feature requires that users have the Office Compatibility Pack for Word, Excel and PowerPoint 2007 file formats installed, according to Microsoft, which added that the update is only supported for use with Office 2003 and 2007.
Microsoft programmer David LeBlanc said on his blog earlier this month that researchers noticed Office exploits could not be translated into newer formats during testing.
"One of the things we noticed is that when we converted an exploit document to the new Office 2007 ‘Metro’ format, it would either fail the conversion, emit a non-exploitable or the converter itself would crash," he said. "The possibility exists that something could make it all of the way through, but we haven’t seen any of those yet."
The computing giant also made File Block Functionality available for both Office 2003 and 2007. The program allows administrators to place restrictions on Office file types to keep end-users from opening potentially unsafe documents.
The feature allows administrators to respond to current events — such as public attacks on Office flaws — by preventing end-users from opening malicious documents, according to a security advisory released by Microsoft on Monday.
In an advisory released today, US-CERT urged administrators to "implement these enhancements where pertinent."
Ron O’Brien, senior security analyst for Sophos, told SCMagazine.com today that attackers are generally focused on Office 2003 because it’s more deployed than the 2007 version.
"There are a number of reasons why [researchers are unable to convert Office 2003 exploits to Office 2007]," he said. "When you’re a hacker, you’re looking to deploy onto the systems that are most commonly used, and Office 2007 is just not as ubiquitous as 2003 yet."