Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: MOICE - Microsoft Office Isolated Conversion Environment - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MOICE - Microsoft Office Isolated Conversion Environment

Tomorrow is the release day of Office 2003 SP3. Just before another round of service pack installs, we would like to re-introduce our readers to one of the preventive components released by Microsoft called MOICE (Microsoft Office Isolated Conversion Environment). What's so great about it? MOICE is like an intrusion prevention system for Microsoft Office 2003.

We all know that the Microsoft's secure development lifecycle is getting better and better, Office 2007 file parsing code is a lot better than the Office 2003 parsing code. Based on this fact, MOICE tool converts the Office 2003 (and below) document to the new Open XML format and then converts back to the legacy binary format before the document gets actually processed. While it might sounds like a whole lot more work, these extra steps provide extra validation that would protect the Office instance from many of the file parsing exploit from working.

To provide even more protection, the whole conversion process happens in an isolated desktop environment and is run with a low privilege account to protect the user even if the converter itself become compromised.

If you are running Office 2003, you might want to seriously consider installing MOICE to protect from future attacks.

For more information on MOICE, refer to the following links



I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London July 2022


93 Posts
ISC Handler
Sep 18th 2007

Sign Up for Free or Log In to start participating in the conversation!