
SANS ISC: Microsoft office file block & MOICE SANS ISC InfoSec Forums

Microsoft office file block & MOICE

About a year ago, Microsoft introduced the ability to block file formats in the different Office programs, along with safer ways to open suspect files.

The file blocking is not based on the file extension but on the actual format, so renaming a rich text file (.rtf) to .doc won't get around the restriction. Unfortunately, it is configured by making changes in the registry and, perhaps worse, it is a blocklist rather than a list of allowed file types. Still, if you never intend to open RTF files, for example, you could block them.
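The difference between extension-based and format-based blocking, as an added example (not code from the diary or from Microsoft, and a simplified model rather than Office's actual detection logic). The `CLAIMED` table, the function names and the sample files are constructed for the illustration; only the leading file signatures are real.

```python
import os

# Leading signatures of the container formats involved.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .doc/.xls/.ppt
RTF_MAGIC = b"{\\rtf"                            # header defined by the RTF specification
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP container used by .docx/.xlsx/.pptx

# Format each extension claims to be (constructed table for this example).
CLAIMED = {".doc": "ole2", ".xls": "ole2", ".ppt": "ole2", ".rtf": "rtf",
           ".docx": "zip", ".xlsx": "zip", ".pptx": "zip"}

def sniff_format(data):
    """Return the format implied by the content, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def extension_verdict(filename, blocked):
    """Naive check: trust the extension. A rename defeats it."""
    ext = os.path.splitext(filename)[1].lower()
    return "block" if CLAIMED.get(ext) in blocked else "allow"

def content_verdict(filename, data, blocked):
    """Format-based check: decide on the bytes, then flag a lying extension."""
    actual = sniff_format(data)
    if actual in blocked:
        return "block"
    claimed = CLAIMED.get(os.path.splitext(filename)[1].lower())
    if claimed is not None and claimed != actual:
        return "mismatch"  # content differs from what the name claims
    return "allow"

# Constructed sample files: name plus the first bytes of the content.
SAMPLES = [("notes.rtf", b"{\\rtf1\\ansi constructed sample}"),
           ("invoice.doc", b"{\\rtf1\\ansi constructed sample}"),  # renamed RTF
           ("report.doc", OLE2_MAGIC + b"\x00" * 16),
           ("letter.docx", ZIP_MAGIC + b"\x00" * 16)]

def run(blocked=frozenset({"rtf"})):
    """Map each sample name to (extension verdict, content verdict)."""
    return {name: (extension_verdict(name, blocked),
                   content_verdict(name, data, blocked))
            for name, data in SAMPLES}

if __name__ == "__main__":
    for name, verdicts in run().items():
        print(name, verdicts)
```

The renamed file `invoice.doc` passes the extension check but is still blocked once the decision is made on its content.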

Microsoft Office Isolated Conversion Environment (MOICE) is an alternate way to open Office files away from the actual tool. Use it instead of the real thing if you cannot resist opening that unsolicited attachment promising whatever it promises.

It seems these tools aren't widely used, hence drawing a bit more attention to them might help protect a few in the end.

--
Swa Frantzen -- Gorilla Security

Swa

May 13th 2008
