Using MOICE to Avoid Office File Format Vulnerabilities

Q: Is there a proactive way to deal with the persistent Microsoft Office file type vulnerabilities? For example, the August 2007 Microsoft security bulletin MS07-044 detailed yet another remote code vulnerability in Microsoft Excel spreadsheet files.

A: The new Microsoft Office Isolated Conversion Environment (MOICE) feature that's a part of the Microsoft Office Compatibility Pack for Microsoft Word, Excel, and PowerPoint 2007 file formats might be an option for you. MOICE lets you more securely open Word, Excel, and PowerPoint files by automatically converting documents in the old binary Office file formats to the new XML-based format before opening the files. This automatic conversion preempts vulnerabilities such as the one in security bulletin MS07-044 because binary files are susceptible to buffer overflows, whereas XML files are much more resilient. You can use MOICE with Office 2007 and Office 2003. MOICE supports .doc, .ppt, .pot, .pps, .xls, .xlt, and .xla files. You’ll need to download the Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats as well as some other Office updates. For more information about how to download and install MOICE, see the Microsoft article "Description of the Microsoft Office Isolated Conversion Environment update for the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats" (http://support.microsoft.com/kb/935865).

After installing MOICE, you must configure it to be the default file handler for the supported file formats. For example, to associate .doc files with MOICE, you’d run the following command:

ASSOC .doc=oice.word.document

The aforementioned article provides detailed information about how to deploy and configure MOICE centrally via Group Policy and about problems that might arise when using MOICE. Remember that even if you use Office 2007, MOICE provides added protection because Office 2007 is still vulnerable when directly opening binary Office document files.