
CIAC TECHNICAL BULLETIN

CIACTech07-001: MOICE - Microsoft Office Isolated Conversion Environment

May 22, 2007 23:00 GMT

PROBLEM: A common cyber attack is to send a user an Office document (Word, Excel, PowerPoint) containing malicious code that infects the user's computer and proceeds to do the miscreant's bidding. Targeting of users has gotten so sophisticated that advice such as "don't open files from people you don't know" is no longer effective.
PLATFORM: Windows XP with Office 2003 or Office 2007
ABSTRACT: One of the most successful cyber attacks uses Microsoft Office documents with embedded malcode. MOICE, the Microsoft Office Isolated Conversion Environment, opens an Office document before the Office application does, converts it to a format that does not "support" malcode, and then invokes the application with the newly cleaned document. Properly implemented, this could mitigate attacks using email-borne Office malcode.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/techbull/CIACTech07-001.shtml
  OTHER LINKS: http://www.microsoft.com/technet/security/advisory/937696.mspx
   http://blogs.technet.com/robert_hensing/archive/2007/05/22/moice-microsoft-office-isolated-conversion-environment.aspx

Introduction

Recent system compromises have occurred when a user clicked on a file attached to an email to open it. The file contained malicious code that compromised the user's computer and went on to perform other tasks for the miscreant who sent the file. The initial strategy used to send such files was flooding: emailing the file to many users whose names were obtained from mailing lists, on the assumption that some percentage of them would open it. More recently, however, highly targeted attacks have singled out individual users known to be interested in certain topics. These users would receive an email with a subject of interest to the user, purportedly from someone the user was likely to know or even work with. The result was the same: the user's system was compromised.

Some of the most sophisticated examples of malicious code would compromise the user's computer, remove the malcode from the attached file and open it in the appropriate application (Word for example). This often left the user none the wiser.

Attempts at stopping such attacks took the form of anti-virus signatures, and file blocks. However anti-virus signatures are reactive and did not stop the "first wave" of an attack. Blocking all attachments was seen as a drastic measure that was too great an impediment to workflow. In any case the miscreants moved on to emails that sent the user to a web page that then downloaded the malcode.

MOICE - The Microsoft Office Isolated Conversion Environment

Microsoft released a software tool and the supporting environment to prevent malicious code in an Office document from reaching a user's computer. After it is fully installed and working, the system behaves as described in the abstract: MOICE receives the document before the Office application does, converts it to a format that does not support malcode, and then invokes the application with the converted copy. If the file cannot be converted it will be flagged as corrupt. There is also the possibility that the converter will crash. The converter runs with less than user privilege, so it cannot be exploited very effectively.

Office 2003 users can use this system as well: the converter accepts Office 2003 files and converts them, and the converted documents are then opened in the application by means of a compatibility pack.

Obtaining the Software

The following Microsoft advisory contains the instructions and links to download the software.

http://www.microsoft.com/technet/security/advisory/937696.mspx

Here is a link to Robert Hensing's Blog describing the software.

http://blogs.technet.com/robert_hensing/archive/2007/05/22/moice-microsoft-office-isolated-conversion-environment.aspx

Installation Suggestions

The Microsoft Advisory provides a lot of information in a small space with minimal supporting discussion. A few things we found could use clarification. There are five basic steps to get MOICE operating.
  1. Update XP
  2. Install the File Format Converters
  3. Update Office
  4. Install MOICE, the Compatibility Pack and the PowerPoint patch
  5. Change the file associations
The instructions say that one must install all recommended updates. We did the XP update without installing IE7 and it worked.

The link to Windows Update given in the advisory provides the necessary updates to Office software. Don't be tempted to ignore the update to Office 2007 if you have Office 2003 on the assumption that it won't do anything. One of the updates installs MOICE itself and another installs the Compatibility pack, both of which are necessary.

The Windows Update session for Office 2003 took rather a long time.
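Step 5 is the one most easily left incomplete, and the only protection MOICE offers is through the file type association. The following batch script is an added check, not part of the bulletin or of Microsoft's tool: it reports which handler each Office extension is associated with. It assumes, as a labelled assumption, that the MOICE handlers installed by the advisory's instructions have ProgIDs beginning with "oice."; adjust the prefix if your installation differs.

```batch
@echo off
setlocal
rem Added check (not from the CIAC bulletin): show which handler each Office
rem extension maps to and flag any that do not go through MOICE.
rem Assumption: MOICE handler ProgIDs begin with "oice." (per the advisory).
for %%E in (.doc .dot .xls .xlt .xla .ppt .pot .pps) do call :check %%E
endlocal
goto :eof

:check
set "HANDLER="
rem ASSOC prints ".ext=ProgID"; keep the part after the "=".
for /f "tokens=2 delims==" %%P in ('assoc %1 2^>nul') do set "HANDLER=%%P"
if not defined HANDLER (
    echo %1  no file association
    goto :eof
)
echo %1  %HANDLER%
rem FTYPE shows the command line that the ProgID actually launches.
for /f "tokens=1* delims==" %%A in ('ftype %HANDLER% 2^>nul') do echo     command: %%B
echo %HANDLER% | findstr /b /i "oice." >nul
if errorlevel 1 (
    echo     WARNING: double-clicking %1 files does NOT go through MOICE
) else (
    echo     OK: routed through MOICE
)
goto :eof
```

Run it from a command prompt after completing step 5; any extension reported with a WARNING still opens directly in the Office application, exactly the bypass described under Testing and Observations.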

Testing and Observations

CIAC tested MOICE with three different malicious .doc files. It removed the malcode from each of them.

Warning: Please be aware that there are several ways to circumvent MOICE. Since it works by file type association, double clicking the document in Windows Explorer or as an email attachment will properly invoke MOICE. Using File Open from Word itself bypasses MOICE. Right clicking on a .doc file in Windows Explorer and using the Open With option gives the choice of MOICE (listed as Microsoft Office Isolated Conversion Environment) as well as Word and others. If you choose to open with Word, you will bypass MOICE.

Also be aware that after a file is converted and any malcode removed, a new file is created. The original remains intact and still contains any malcode that it might have had. There is no indication of whether malcode was or was not removed, so MOICE cannot be used to find malicious files. The new file is created in the Temp directory, so if you make changes to the document and save it, the changes are not saved in the original file but in the copy in the Temp directory. You must use Save As to put the new file somewhere other than the Temp directory.

We noticed a significant decrease in file size from the original to the converted documents. This is due more to the compression applied to the file than to the removal of malcode.

We speculate that there is probably a way to use MOICE to convert incoming email attachments in a mail server prior to delivery to the end user. We have not performed such a test.


CIAC wishes to thank Robert Hensing of Microsoft for bringing this tool to our attention.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788