Microsoft Senior Software Development Engineer David LeBlanc has a very detailed entry in his blog this week about the new MOICE (Microsoft Office Isolated Conversion Environment) tool the software giant is preparing to release.
I recently sat down with Microsoft Office Technical Product Manager Josh Edwards to discuss this and other developments on the Office front, and he told me MOICE has been designed with businesses in mind.
MOICE is designed to convert Office 2003 files to the new Office 2007 Open XML format with the goal of squeezing malicious exploits from the file. It creates a “sandbox” with a restricted tolken where documents are scrubbed for malware. Once the malware is ejected, the file can be opened as it normally is in Office 2003, he explained.
LeBlanc offered more detail in his blog this week: “The reason this process ends up stripping out exploits is that the older formats would do things like write offsets directly into the file, and in some cases would write pointer values right into the file,” he said. “It seemed like a good idea back in 1995 or so, but isn’t something we want to do now. Because the new file format is meant to eliminate security problems and has a goal of simplicity, that information often just does not make it across the conversion process.”
He said it’s also true that the converter itself is composed of the same code used to process the older formats by Office 2007, and “that code has the benefit of improvements we’ve made in Prefast (known in Office as OACR, for Office Automated Code Review), a huge amount of fuzzing, and many other improvements … all in all, the new code is going to be safer.”
He admits there are some downsides to how the tool works:
“Converting a file twice before you can open it adds a performance penalty,” he said. “Whether it’s something you’ll notice depends on the size of the files … larger documents could take a noticeable amount of time. We’re also stripping out things like macros and VBA projects … sure, it’s a big app-compat hit, but this is a security feature.”
MOICE was supposed to be released May 8, but Microsoft has delayed it for some more tweaking.
UPDATE: A Microsoft spokesman said by email May 21 that MOICE is now live and available for download on the Microsoft Web site.