Microsoft Security Advisory (937696) Highlighting New Office Protection Methods

Number: IN07-001
Date: 25 May 2007

Purpose

CCIRC would like to draw attention to the recently released Microsoft advisory (937696) which highlights the following two new security initiatives:

  • Microsoft Office Isolated Conversion Environment (MOICE)
  • File Block features for Microsoft Office.

Both of these initiatives can work independently or together to provide increased security benefits.

Assessment

Microsoft has released security advisory 937696 in response to the growing exploitation of Microsoft Office documents via malicious code. The tools are designed to protect the end user from infection through receipt of malicious Office documents. The objective of this initiative is to provide a method to verify that Microsoft Office documents are safe to open and to protect organizations from the threat of malicious software that may be present in malicious Microsoft Office files.

This is a pre-release of this software. Microsoft has made these tools available for direct download now, with the general release via the Windows automatic update engine to follow on June 12th in parallel with its June Patch release schedule.

The Microsoft Office Isolated Conversion Environment tool is designed to convert all Office 2003 documents, in an isolated environment, to XML format. This gives the user an option to preview a potentially unsafe Office document in an XML environment, which is an easier format in which to spot potential malicious code. The document will be opened in XML format in a read-only manner by right-clicking the document and selecting Open with -> Microsoft Office Isolated Conversion Environment.

The File Block feature uses registry and policy restrictions to limit the files users are able to open. This allows both users and administrators to control the type of Office document that can be opened on a particular system. File Block can be useful in situations where a known Office vulnerability is actively being exploited through the transmission of infected files. File blocking can be used to prevent a user from opening the associated Office file type during the time the exploit is actively in circulation.

Installation Instructions

MOICE:
Note, the following prerequisite conditions exist for the installation of MOICE:

Instructions on using MOICE can be found under the section "Enable MOICE" located at the following address:
http://support.microsoft.com/default.aspx/kb/935865

File Blocking:
The File Block features for Microsoft Office are a policy- and setting-enforced method that can be deployed by a system administrator to limit and control file access. Details on each Office platform can be found under the MORE INFORMATION section at the following locations:

http://support.microsoft.com/kb/922849 - Word
http://support.microsoft.com/kb/922848 - Excel
http://support.microsoft.com/kb/922847 - PowerPoint

Additional information on the use of Group policy settings can be found here:

http://technet2.microsoft.com/Office/en-us/library/873a5392-1b1a-47a1-a863-1f29ef116d0e1033.mspx?mfr=true

Suggested action

CCIRC recommends that administrators review the Microsoft security advisory to determine if the Microsoft security features can be applied to their existing security architecture. Please consult the official Microsoft document for additional information and download instructions:

http://www.microsoft.com/technet/security/advisory/937696.mspx?pf=true

Note to Readers

Public Safety Canada (PS) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyze threats and to issue alerts, advisories, and other information products.

The Government Operations Centre (GOC) provides strategic level coordination and direction on behalf of the Government of Canada, in response to emerging or occurring events in the national interest, including threats to and incidents involving Canadian critical infrastructure. The GOC receives, shares, and coordinates information with other federal departments, as well as provincial/territorial and international partners.

For urgent matters or to report any incidents, please contact the Government Operations Centre at:

Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094
Email: goc-cog@ps-sp.gc.ca

For general information on critical infrastructure protection and emergency preparedness, please contact PS's Public Affairs division at:

Telephone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
E-mail: communications@ps-sp.gc.ca