Microsoft: .doc and .xls are dangerous

A common phenomenon in the tech world is when vendors trash their own past products in an effort to convince you of the value of shiny new ones.

Here is an example. Microsoft’s security advisory 937696 and the related KB 935865 tells us of the dangers posed by Office binary formats including .doc, .xls and .ppt:

MOICE uses the 2007 Microsoft Office system converters to convert the Office binary format files into the Office Open XML format. This process helps remove the potential threat that may exist if the document is opened in the binary format. Additionally, MOICE converts incoming files in an isolated environment. This helps protect the computer from a potential threat.

What’s MOICE? It’s the Microsoft Office Isolated Conversion Environment, proving that even after Silverlight, the department of verbose and meaningless names is alive and well in Redmond. It is an add-on to Office 2003 or 2007 that automatically converts Office binary formats to Office Open XML (OOXML). Further, administrators can now choose to implement File Block, which prevents users from opening specified binary document types without first converting them.

The presumption here is that OOXML documents are safer. Probably true, especially since documents containing macros now require a different extension (.docm, .xlm) to flag the fact that they contain macros.

A side effect is that MOICE spreads the adoption of OOXML. Like Joe Wilcox, I can’t help wondering whether it was this, rather than security, which has prompted this release.

OOXML has real advantages, yet it can also be tiresome. Users install Office 2007, email a Word document to someone, then get a perplexed reply saying that the document won’t open. I’ve been known to show people how to set the default back to the old binary formats to avoid this problem – I would love to know how many Office 2007 rollouts do this as a matter of course.

After all, it is late in the day for Microsoft to consider blocking these formats. The Sophos web site has a Top Ten Viruses page with a neat feature: you can see stats for the last 10 years. These confirm my hunch. Back in 1999, there were 9 office macro viruses in the top 10 (Sophos prefixes these with WM or XM). Today? None. Further, note that the top 10, according to Sophos, account for 94.6% of all viruses in the wild.

The reason is that in the intervening years Microsoft has built reasonably good macro protection into Office. A factor here is that emailed documents rarely need to contain macros, so if you double-click an attachment and it wants to run a macro, that’s a big clue that something is awry.

That said, there is clearly still some risk from macro viruses, or from documents with crafted corruptions that infect a PC. Recently, Open Office has also been shown to be vulnerable. So MOICE has a value, but is it enough to compensate for the cost in terms of inconvenience? After all, while Office binary formats are almost universally readable, that’s not the case for OOXML. If you run Windows, and have Office 2000 or higher, and broadband Internet, and sufficient rights to install the converter, then the process is reasonably smooth; but that is a long way from universal.

MOICE strikes me as low priority in security terms, but nevertheless an intriguing development in the battle for XML office format adoption.