A couple of weeks ago I did a lightning talk with David LeBlanc at BlueHat, for MSFT employees, about MOICE.
MOICE is the Microsoft Office Isolated Conversion Environment. What the heck is that?!?
Well, it's no secret that Office was used in some targeted attacks last year, some of them involving 0-day vulnerabilities against which our customers had no way of protecting themselves (short of not opening documents). Had MOICE been available, these customers could have deployed it to mitigate those attacks.
Intrigued? Go here and read more about it. Basically, what MOICE does is re-point the .doc / .xls / .ppt file associations in the registry to a process called 'MOICE.EXE'. That process spawns the Office 2007 file format converter to up-convert the double-clicked Office 2003 binary document into the new Open XML file format. Oh, and the converter runs on its own desktop with a super-locked-down token (Dave is the freaking man!). Why run the converter on its own desktop with a restricted token? Simple: what if the act of converting the file triggers an exploitable bug and leads to code execution? The restricted token drops the rights of the logged-on user to *below* standard user level for the duration of the conversion, and the separate desktop keeps the converter from interacting with the windows of the user's normal desktop.

After the file is up-converted to the Office 2007 format, the theory is that the vulnerability will have been 'wrung' out (indeed, the code name for this project was 'Wringer'). One of three things happens to the vulnerable / malformed records in the file: they are removed and the file is converted and opened; or the file is deemed too corrupt to convert and an error is thrown (the most likely outcome with a targeted malware document); or the converter crashes. That last one could even be an exploitable crash, but the converter is running with less than user rights, so it's not of much use to malware.

Once the file is converted to the 2007 format, it is opened inside the Office 2003 application using the Office 2007 Compatibility Pack.
Basically the process looks like this for the big three Office apps:
Double click .PPT -> OICE.EXE -> PPCNVCOM.EXE -> (emits .PPTX) -> POWERPNT.EXE <emitted .PPTX> (File opens read-only using 2007 converters).
Double click .XLS -> OICE.EXE -> EXCELCNV.EXE -> (emits .XLSX) -> EXCEL.EXE <emitted .XLSX> (File opens read-only using 2007 converters).
Double click .DOC -> OICE.EXE -> WORDCONV.EXE -> (emits .DOCX) -> WINWORD.EXE <emitted .DOCX> (File opens read-only using 2007 converters).
After the file is opened in the Office 2003 application it can be edited by the user and saved either as a native Office 2003 binary format file or in the new Open XML format. (TIP: An Open XML file is really a ZIP package. Give an Office 2007 file a .zip extension and then double-click it to see what's inside.)
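Here is what that tip reveals, as an added example (my own code, not part of MOICE or the Compatibility Pack): an Open XML document is a ZIP package with a [Content_Types].xml manifest, a main document part, and optionally a vbaProject.bin carrying macros, while a 2003 binary file is an OLE compound document with different magic bytes. The script sniffs the container from its first bytes rather than trusting the extension, then walks the package the way the .zip trick lets you do by hand, reporting the main part and whether macros are present. The two sample files are constructed in-memory stand-ins (a minimal Word package and an OLE header padded with zeros), not real documents; the part names and content-type strings are the standard Open XML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Container magic: a legacy binary Office file (.doc/.xls/.ppt) is an OLE
# compound document; an Open XML file (.docx/.xlsx/.pptx) is a ZIP package,
# which is why renaming it to .zip lets you browse it.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_CT = "application/vnd.ms-office.vbaProject"


def classify(data: bytes) -> str:
    """Sniff the container from the first bytes, ignoring the file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole-binary"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def inspect_ooxml(data: bytes) -> dict:
    """Open a ZIP package as Open XML and report its parts, main part and VBA."""
    report = {"kind": classify(data), "parts": [], "main_part": None,
              "has_vba": False, "valid": False}
    if report["kind"] != "zip":
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            report["parts"] = names
            if "[Content_Types].xml" not in names:
                return report  # a ZIP, but not an Open XML package
            ct_xml = ET.fromstring(pkg.read("[Content_Types].xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return report  # truncated/corrupt archive or unparsable manifest
    # Each <Override> maps a part name such as "/word/document.xml" to its
    # content type; the main part's type ends in ".main+xml".
    for override in ct_xml.iter("{%s}Override" % CT_NS):
        part, ctype = override.get("PartName", ""), override.get("ContentType", "")
        if ctype.endswith(".main+xml") and part.lstrip("/") in names:
            report["main_part"] = part
        if ctype == VBA_CT or part.endswith("/vbaProject.bin"):
            report["has_vba"] = True  # macro-enabled package
    report["valid"] = report["main_part"] is not None
    return report


def build_sample_docx(with_vba: bool = False) -> bytes:
    """Constructed minimal Word package for the demo (not a real document)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/>' if with_vba else "")
        + "</Types>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Target="word/document.xml" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"/>'
        "</Relationships>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("_rels/.rels", rels)
        pkg.writestr("word/document.xml", document)
        if with_vba:
            pkg.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


# Constructed stand-in for a legacy binary .doc: just the OLE header signature
# padded to one 512-byte sector (no real streams inside).
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for label, blob in [("plain .docx", build_sample_docx()),
                        ("macro .docm", build_sample_docx(with_vba=True)),
                        ("binary .doc", SAMPLE_OLE)]:
        print(label, inspect_ooxml(blob))
```

Point the script at a real file (`inspect_ooxml(open(path, "rb").read())`) and the report tells you the same thing Fileblock decides on: whether you are looking at an Open XML package or a 2003 binary container, regardless of what the extension claims.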
There may be a performance hit for big files, since you're going from the 2003 binary file format to the 2007 Open XML format and then back to the 2003 format for opening in the Office 2003 app, but I've been using it in some VMs and the extra few seconds it takes to open files is well worth the peace of mind this gives you.
Another part of this technology is something we call 'Fileblock', a policy that limits which file formats Office 2003 / 2007 will open (and save). You can use Fileblock to enforce a policy like 'Don't open any Office 2003 binary format files'. Deployed alongside something like MOICE, it helps ensure that only Office 2007 Open XML format files can be opened directly (even by Office 2003 users), while 2003 binary files get converted to Open XML before being opened. Fileblock can be configured and deployed via Group Policy (for Office 2007) or directly via the registry (Office 2003).