Microsoft to boost Office 2003, 2007 security

Will backport suspicious file sniffer from Office 2010 in Q1 of 2011

Microsoft said on Tuesday that it would backport an Office 2010 security feature to the older and more widely used Office 2003 and Office 2007 early next year.

Dubbed Office File Validation (OVE), the technology validates older, pre-XML file formats for Word, Excel, PowerPoint and Publisher, then opens those that don't conform to the documented format -- rigged files containing an exploit, for example -- in a special "sandbox" within Office 2010 called Protected View.

That sandbox lets users view the contents of a document, but disables most editing functions to prevent malware that may be embedded in the file from executing.

OVE debuted in early builds of Office 2010, which launched last June.

Microsoft said on Tuesday that it would bring some parts of OVE to Office 2003 and Office 2007 in the first quarter of 2011.

"It will be an optional update for those platforms, but we'll make a big push to urge customers to download it," Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), told Computerworld on Tuesday.

As in Office 2010, OVE in Office 2003 and 2007 will examine Word, Excel, PowerPoint and Publisher documents saved in Office 97-2003 binary file formats. (Microsoft moved to XML-based document formats by default with Office 2007.)

See How to Deliver a Better PowerPoint Presentation

However, rather than opening suspicious files in a sandbox, which neither of the older suites have, OVE in Office 2003 and 2007 will trigger an alert that warns the user that the document could be dangerous.

Users can click through the warning to continue opening the file, Bryant said.

Microsoft decided to backport OVE to Office 2003 and 2007 after analyzing about four years' worth of data. The company said that more than 80% of all Office security cases would have been handled by OVE if it had been in place throughout the suite's versions.

File format vulnerabilities -- exploited by specially crafted documents -- have long plagued Office, and remain the top threat to users. On Tuesday, for example, Microsoft patched that could be used to hijack a PC with malformed files.

At some point, the Office team plans to issue "signatures" so OVE can detect newly-discovered file format vulnerabilities, then push the document into Protected View (in Office 2010) or warn the user (Office 2003, 2007).

Bryant declined to set a timeline for the updates, which would be analogous to the signature updates regularly provided for antivirus software -- but said they would definitely not go live when Office 2003 and 2007 receive the OVE upgrade next year.

"This won't happen in the foreseeable future, but when it does, the vast majority of Office vulnerabilities would be mitigated by technology like this," Bryant said.

Unfortunately, users of the even older Office XP won't receive the OVE update. That edition, which shipped in 2001, is even buggier than 2003 and 2007. Last October, for example, Microsoft patched 11 vulnerabilities in Office XP's Word 2002 , but had to issue fixes for only two of the same flaws for Office 2003 and just one each for Office 2007 and Office 2010.

Tags App SecurityapplicationssecurityMicrosoftsoftwareOffice suitesMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?