__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       TECHNICAL BULLETIN

       MOICE - Microsoft Office Isolated Conversion Environment

May 22, 2007 21:00 GMT                          Number CIACTech07-001
______________________________________________________________________________

PROBLEM:    A common cyber attack is to send a user an Office document
            (Word, Excel, PowerPoint) containing malicious code that
            infects the user's computer and proceeds to do the
            miscreant's bidding. Targeting of users has gotten so
            sophisticated that advice such as "don't open files from
            people you don't know" is no longer effective.

PLATFORM:   Windows XP with Office 2003 or Office 2007

ABSTRACT:   One of the most successful cyber attacks uses Microsoft
            Office documents with embedded malcode. MOICE, the Microsoft
            Office Isolated Conversion Environment, opens an Office
            document before the Office application does, converts it to
            a format that does not "support" malcode and then invokes
            the application with the newly cleaned document. Properly
            implemented, this could mitigate attacks using email-borne
            Office malcode. CIAC performed preliminary testing on MOICE
            and found that it did, indeed, remove executable code,
            macros and scripts while leaving the rest of the document.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN: http://www.ciac.org/ciac/techbull/CIACTech07-001.shtml

 OTHER LINKS:
   http://www.microsoft.com/technet/security/advisory/937696.mspx
   http://blogs.technet.com/robert_hensing/archive/2007/05/22/moice-microsoft-office-isolated-conversion-environment.aspx
______________________________________________________________________________

Introduction

Recent system compromises have occurred when a user clicked on an attached
file to open it.
The file contained malicious code that compromised the user's computer and
went on to perform other tasks for the miscreant who sent the file.

The initial strategy used to send such files was flooding: emailing the
file to many users whose names were obtained from mailing lists, on the
assumption that some percentage of them would open it. More recently,
however, highly targeted attacks have singled out individual users known
to be interested in certain topics. These users would receive an email
with a subject of interest to the user, purportedly from someone the user
was likely to know or even work with. The result was the same: the user's
system was compromised.

Some of the most sophisticated examples of malicious code would compromise
the user's computer, remove the malcode from the attached file and open it
in the appropriate application (Word, for example). This often left the
user none the wiser.

Attempts at stopping such attacks took the form of anti-virus signatures
and file blocks. However, anti-virus signatures are reactive and did not
stop the "first wave" of an attack. Blocking all attachments was seen as a
drastic measure that was too great an impediment to workflow. In any case,
the miscreants moved on to emails that sent the user to a web page that
then downloaded the malcode.

MOICE - The Microsoft Office Isolated Conversion Environment

Microsoft released a software tool and the supporting environment to
prevent malicious code in an Office document from reaching a user's
computer. Once fully installed and working, the system works as follows:

  - Click on the document (abc.doc, for example)
  - The file is opened by the OICE.EXE program
  - The file is converted to the new Office 2007 format (abc.docx)
  - It is saved in a temporary file location
  - It is then opened with the appropriate application

If the file cannot be converted, it will be flagged as corrupt. There is
also the possibility that the converter will crash.
The converter is running with less than user privilege, so it cannot be
exploited very effectively. Office 2003 users can use this system too: the
converter accepts Office 2003 files and converts them, and the result is
then opened in the application using the Compatibility Pack.

Obtaining the Software

The following Microsoft advisory contains the instructions and links to
download the software.

  http://www.microsoft.com/technet/security/advisory/937696.mspx

Here is a link to Robert Hensing's blog describing the software.

  http://blogs.technet.com/robert_hensing/archive/2007/05/22/moice-microsoft-office-isolated-conversion-environment.aspx

Installation Suggestions

The Microsoft advisory provides a lot of information in a small space with
minimal supporting discussion. A few things we found could use
clarification. There are five basic steps to get MOICE operating.

  1. Update XP
  2. Install File Format Converters
  3. Update Office
  4. Install MOICE, the Compatibility Pack and the PowerPoint patch
       Knowledge Base 934391
       Knowledge Base 934390
       Knowledge Base 934395
  5. Change the file associations

The instructions say that one must install all recommended updates. We did
the XP update without installing IE7 and it worked.

The link to Windows Update given in the advisory provides the necessary
updates to Office software. Don't be tempted to ignore the update to
Office 2007 if you have Office 2003 on the assumption that it won't do
anything. One of the updates installs MOICE itself and another installs
the Compatibility Pack, both of which are necessary. The Windows Update
session for Office 2003 took rather a long time.

Testing and Observations

CIAC tested MOICE with three different malicious .doc files. It removed the
malcode from each of them.

Warning: Please be aware that there are several ways to circumvent MOICE.
Since it works by file type association, double-clicking the document in
Windows Explorer or as an email attachment will properly invoke MOICE.
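Because MOICE itself gives no report of what it stripped, a defender may want to inspect the copy it wrote to Temp against the untouched original. The following Python script is an added example, not part of the bulletin or of MOICE: it classifies each file by container (legacy OLE2 binary versus Office 2007 zip package), lists any VBA-bearing parts left in the package, and reports the size ratio. The sample .doc and package bytes are constructed inline as stand-ins; the part names and content-type marker checked are the standard OOXML ones.

```python
import io
import zipfile
from typing import Dict, List

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Office 97-2003 binary container
ZIP_MAGIC = b"PK\x03\x04"                        # Office 2007 (OOXML) zip package

def container_kind(data: bytes) -> str:
    """'ole2' for a legacy .doc/.xls/.ppt, 'ooxml' for a 2007 package, else 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "ooxml" if data.startswith(ZIP_MAGIC) else "unknown"

def ooxml_macro_parts(data: bytes) -> List[str]:
    """Parts carrying VBA (e.g. word/vbaProject.bin) plus a marker if the content
    types declare a macro-enabled main part. A MOICE-produced .docx has none."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        found += [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names and b"macroEnabled" in z.read("[Content_Types].xml"):
            found.append("[Content_Types].xml:macroEnabled")
    return found

def check_conversion(original: bytes, converted: bytes) -> Dict[str, object]:
    """Compare the untouched original with the copy written to Temp: container
    kinds, macro parts left in the output, and the size ratio (mostly compression)."""
    out_kind = container_kind(converted)
    macro_parts = ooxml_macro_parts(converted) if out_kind == "ooxml" else []
    return {
        "original_kind": container_kind(original),
        "converted_kind": out_kind,
        "converted_macro_parts": macro_parts,
        "macro_free": out_kind == "ooxml" and not macro_parts,
        "size_ratio": len(converted) / len(original) if original else 0.0,
    }

def build_sample_package(include_vba: bool) -> bytes:
    """Constructed stand-in for a converted file: a minimal zip holding only the
    parts this check inspects (not a complete, openable .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:p>sample text</w:p>" * 40)
        if include_vba:  # what a .docm would carry; never present in a MOICE .docx
            z.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()

# Constructed stand-in for the original .doc: the OLE2 signature plus padding.
SAMPLE_ORIGINAL = OLE2_MAGIC + b"\x00" * 4096
```

On a real system, read the original .doc and the .docx from the Temp directory into `original` and `converted` and call `check_conversion`; a result that is not `macro_free` means the output is not what a MOICE conversion should have produced.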
Using File > Open from within Word itself bypasses MOICE. Right-clicking a
.doc file in Windows Explorer and using the "Open With" option gives the
choice of MOICE (listed as Microsoft Office Isolated Conversion
Environment) as well as Word and others. If you choose to open with Word,
you will bypass MOICE.

Also be aware that after a file is converted and any malcode removed, a
new file is created. The original remains intact and still contains any
malcode that it might have had. There is no indication of whether malcode
was removed, so MOICE cannot be used to find malicious files.

The new file is created in the Temp directory, so if you make changes to
the document and save it, the changes are not saved in the original file
but in the copy in the Temp directory. You must use "Save As" to put the
new file somewhere other than the Temp directory.

We noticed a significant decrease in file size from the original to the
converted documents. This is due more to the compression applied to the
file than to the removal of malcode.

We speculate that there is probably a way to use MOICE to convert incoming
email attachments on a mail server prior to delivery to the end user. We
have not performed such a test.

CIAC wishes to thank Robert Hensing of Microsoft for bringing this tool to
our attention.

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum
of Incident Response and Security Teams, a global organization established
to foster cooperation and coordination among computer security teams
worldwide. CIAC services are available to DOE, DOE contractors, and the
NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.