Microsoft admits it can't stop Office file format hacks

Plans to build 'sandbox' around questionable docs in Office 2010 as defense

Microsoft's plan to "sandbox" Office documents in the next version of its application suite is an admission that the company can't keep hackers from exploiting file format bugs, a security analyst said today.

"What's been happening is that Office has lots of vulnerabilities," said John Pescatore, Gartner's primary security analyst. "For the past 18 months, hackers have been fuzzing Office file formats," he said, referring to the practice of "fuzzing," a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur.

Fuzzing has been a hacker's best friend: Microsoft has repeatedly had to patch file format vulnerabilities in Office applications, most recently in July when it fixed a flaw in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word.

"What's happening is that the bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability."

The sandbox technique Pescatore mentioned is a new addition to Office 2010, the upcoming upgrade to Microsoft's bestselling Windows application suite.

According to Brad Albrecht, a senior security program manager with the Office team, Office 2010 will sport something called "Protected View" that isolates Word, Excel and PowerPoint files in a read-only environment. The sandbox, said Albrecht in a post to a company blog this week, will have "minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can't get out of the sandbox and do harm to your computer or data."

"That's a good thing," Pescatore agreed. "Sandboxing and isolation are always good things in security, if only to limit the damage of a malicious file."

Albrecht also spelled out other security measures that Office 2010 will implement, including a more flexible file blocker and a suite-wide roll-out of "Office File Validation," a practice that was rolled out in Publisher 2007 Service Pack 2 (SP2).

The file blocker, introduced in Office 2007 then back-ported to Office 2003 in September 2007 with SP3, automatically bars access to some document types. Albrecht said that Office 2010 will let users fine-tune the feature to better manage which formats Word, Excel and PowerPoint open.

"File blocking was a real broad-brush thing in Office 2007," said Pescatore, "and it would give users obscure error messages." He applauded the move toward flexibility in the file blocker.

Office File Validation, meanwhile, is a system that validates older, pre-XML file formats for Word, Excel and PowerPoint, then blocks those that don't conform to the documented format. Documents that contain malicious code would presumably trigger the block. At that point, Office 2010 will hand off the file to the Protected View sandbox.

"There's still a trade-off," said Pescatore, talking about the improved security Microsoft plans for Office 2010. "The file in the sandbox is read-only, but if I need to open it and add something to it, that's going to annoy users."

Another downside, said Pescatore: Sandboxing, which is essentially lightweight versions of virtual machines, consumes PC resources. "On the other hand, PCs are getting faster, so we have the ability to throw more cycles at [sandboxes]."

Albrecht claimed that the new security features in Office 2010 would have "an indistinguishable performance impact on your [document] load time," but didn't go into detail about system requirements or the impact on the machine's memory and processor resources.

Microsoft declined to make Albrecht available to answer follow-up questions about Office 2010's security plans.

But Pescatore likes what he sees in Microsoft's bird's-eye view. "To build a sandbox, especially around Word docs, that's a very good idea."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoft Office 2010Microsoft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?