News

More Dish on MOICE

Microsoft provided a few more details about this week's MOICE offering, which was the subject of a previous security advisory.

First, MOICE was a more or less serendipitous discovery. "When we get MSRC cases in, we have to check to see whether it affects each version, including new code. One of the things we noticed is that when we converted an exploit document to the new Office 2007 'Metro' format, it would either fail the conversion, emit a non-exploitable file, or the converter itself would crash. The possibility exists that something could make it all the way through, but we haven't seen any of those yet," writes Microsoft's David LeBlanc on his Technet blog.

With respect to the question of how MOICE is able to do what it does, Blanc is obligingly expansive.

"The reason this process ends up stripping out exploits is that the older formats would do things like write offsets directly into the file, and in some cases would write pointer values right into the file. It seemed like a good idea back in 1995 or so, but isn't something we want to do now," he indicates. "Because the new file format is meant to eliminate security problems and has a goal of simplicity … that information often just doesn't make it across the conversion process. It's also true that the converter itself is composed of the same code used to process the older formats by Office 2007, and that code has the benefit of improvements we've made in Prefast [Office Automated Code Review]."

MOICE isn't a completely free lunch, of course. "There are some downsides – converting a file twice before you can open it adds a performance penalty," LeBlanc concedes. "Whether it's something you'll notice depends on the size of the files….We're also stripping out things like macros and VBA projects -- sure, it's a big [application compatibility] hit, but this is a security feature."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.