Users of Microsoft Office 2007 on Windows Vista missed out on
some of the security patches released May 8. But the software
giant has addressed the problem with a new update.
In a separate development on the Microsoft Office security
front, the software giant announced that Microsoft Office Isolated
Conversion Environment (MOICE) is now available for download.
In the Microsoft Security Response Center blog, program manager
Mark Griesi wrote that his team updated the detection logic for
the May 8 security and non-security updates for Office 2007 with
the exception of the junk mail filter update.
In some cases, the original detection logic may not have offered
the updates or the updates may not have been installed properly on
machines running Vista, he said. The changes only pertain to the
fixes in security bulletins MS07-023 and MS07-025, Griesi said,
adding that MS07-024 did not require an update since it doesn't
affect Office 2007.
"It's important to note that there has been no change to the
actual binaries in the updates themselves," he said. "If you have
already successfully installed the updates using Microsoft Update,
you will not be offered the update again."
He said the updates will also be available through Windows
Server Update Services (WSUS), Systems Management Server (SMS) and
Inventory Tool for Microsoft Updates (ITMU). Administrators of
those systems will see new versions of the updates and will need to
approve them. Doing so should have no impact on machines that have
already installed the previous updates successfully, he said.
"So for those of you out there, such as myself, who are running
Office 2007 on Windows Vista, please go ahead and install these
updates if they are offered to you," Griesi said.
Microsoft plugged 19 holes in its May 8 security update,
including seven critical fixes for a zero-day DNS server flaw and
flaws in Microsoft Exchange, Internet Explorer, Microsoft Excel,
Word and Office.
In a separate Office 2007 development, a Microsoft spokesman
said by email Monday that the software giant's new MOICE program
is now live and available for download on the Microsoft Web site.
It's a free, downloadable security enhancement for the Microsoft
Office 2003 Compatibility Pack and the 2007 Office system that
converts documents in legacy (.doc) formats to OpenXML formats,
thereby stripping out potentially malicious code.
In a recent interview with SearchSecurity.com, Microsoft Office
Technical Product Manager Josh Edwards said MOICE has been designed
with businesses in mind. It creates a "sandbox" with a restricted
token where documents are scrubbed for malware. Once the malware is
ejected, the file can be opened as it normally is in Office 2003,
he explained.