
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-09-18



MOICE - Microsoft Office Isolated Conversion Environment

Published: 2007-09-18
Last Updated: 2007-09-18 23:28:24 UTC
by Jason Lam (Version: 1)

Tomorrow is the release day of Office 2003 SP3. Just before another round of service pack installs, we would like to re-introduce our readers to one of the preventive components released by Microsoft called MOICE (Microsoft Office Isolated Conversion Environment). What's so great about it? MOICE is like an intrusion prevention system for Microsoft Office 2003.

We all know that Microsoft's secure development lifecycle keeps getting better, and the Office 2007 file parsing code is a lot better than the Office 2003 parsing code. Building on this, the MOICE tool converts an Office 2003 (or earlier) document to the new Open XML format and then converts it back to the legacy binary format before the document is actually processed. While this might sound like a lot more work, the extra steps provide additional validation that stops many file parsing exploits from working against the Office instance.

To provide even more protection, the whole conversion process happens in an isolated desktop environment and runs under a low-privilege account, which protects the user even if the converter itself becomes compromised.

If you are running Office 2003, you might want to seriously consider installing MOICE to protect against future attacks.

For more information on MOICE, refer to the following links:

http://blogs.technet.com/msrc/archive/2007/05/22/two-advisories-on-non-security-updates.aspx
http://blogs.technet.com/robert_hensing/archive/2007/05/22/moice-microsoft-office-isolated-conversion-environment.aspx
http://www.microsoft.com/technet/security/advisory/937696.mspx


Flaw in MFC42 and MFC71 findfile() function

Published: 2007-09-18
Last Updated: 2007-09-18 17:07:15 UTC
by Jason Lam (Version: 1)

A few readers brought to our attention that a new 0-day vulnerability affecting the Windows platform has been published. The vulnerability is in the native Windows libraries MFC42 and MFC71. The function CFileFind::FindFile() in the MFC library lacks validation of its argument: when the argument is an overly long string, a heap overflow condition can result.

The effect of this vulnerability depends on the application calling the function; some applications are easier to exploit than others. It is unknown at this point which major applications are affected.

Please refer to this article for more details
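
Until a fix is available, an application that builds search patterns from untrusted input can bound them before they reach CFileFind::FindFile(). The following is an added example, not code from this diary or from Microsoft; the helper name `build_find_pattern` is hypothetical and the 260-character cap (Windows MAX_PATH) is an assumption, since the diary does not state the size of the affected buffer.

```cpp
// Added example: caller-side guard for untrusted file-search patterns.
#include <cstddef>
#include <string>

// Assumption: 260 (Windows MAX_PATH, terminator included) is used as the cap;
// the diary does not state the size of the affected buffer.
constexpr std::size_t kMaxPatternChars = 260;

enum class PatternCheck { Ok, Empty, EmbeddedNul, TooLong };

// Hypothetical helper: joins a directory and a wildcard taken from untrusted
// input and accepts the result only if it fits the cap with room for the NUL.
PatternCheck build_find_pattern(const std::wstring& dir,
                                const std::wstring& wildcard,
                                std::wstring& out) {
    out.clear();
    if (dir.empty() || wildcard.empty()) return PatternCheck::Empty;

    // A NUL inside the std::wstring would make the C string seen by the API
    // differ from the string validated here, so reject it outright.
    if (dir.find(L'\0') != std::wstring::npos ||
        wildcard.find(L'\0') != std::wstring::npos)
        return PatternCheck::EmbeddedNul;

    const bool need_sep = dir.back() != L'\\' && dir.back() != L'/';
    const std::size_t sep = need_sep ? 1 : 0;
    const std::size_t budget = kMaxPatternChars - 1;  // leave room for the NUL

    // Check the joined length before building the string, written so the
    // subtraction cannot underflow.
    if (dir.size() + sep > budget ||
        wildcard.size() > budget - dir.size() - sep)
        return PatternCheck::TooLong;

    out = dir;
    if (need_sep) out += L'\\';
    out += wildcard;
    return PatternCheck::Ok;
}

// Only when PatternCheck::Ok is returned would the caller pass out.c_str()
// on to CFileFind::FindFile(); every other result is refused and logged.
```
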
