The problem, he said, is attackers will be able to see what the converter does and potentially come up with ways to bypass it. "The tool is a good thing for Office 2003 users from a security perspective, but it is a very kludgy approach," said John Pescatore, a Gartner analyst. However, people using older versions such as Office 2000 or Office XP can use a compatibility pack that enables users to open, edit and save files in the Office 2007 format. The tool is specifically aimed at Office 2003. Microsoft officials gave no specific date for when MOICE would be ready, but said the Redmond, Wash., company is working to make it available as soon as possible. "Thus," he continued later in the post, "if we could pre-process documents coming from untrusted sources from the older format to the new format, and then get an older version of Office to use its converter to read in the new file format, the customer is going to end up safer."
"One of the things we noticed is that when we converted an exploit document to the new Office 2007 'Metro' format, it would either fail the conversion emit a nonexploitable file, or the converter itself would crash," Microsoft Senior Software Development Engineer David LeBlanc wrote in a recent blog post. Once a file has been cleansed of exploits, it can be opened as normal in Office 2003. The company is developing a tool called MOICE (Microsoft Office Isolated Conversion Environment), which converts files from Office 2003 to the new Office 2007 Open XML format in a bid to strip exploits out of the file. Microsoft officials say plans are on the way for a weapon that can help protect Office 2003 from attacks, though users of even older versions of Office may find themselves left out in the cold.