Microsoft admits it can't stop Office file format hacks

Plans to build 'sandbox' around questionable docs in Office 2010 as defense

Microsoft's plan to "sandbox" Office documents in the next version of its application suite is an admission that the company can't keep hackers from exploiting file format bugs, a security analyst said today.

"What's been happening is that Office has lots of vulnerabilities," said John Pescatore, Gartner's primary security analyst. "For the past 18 months, hackers have been fuzzing Office file formats," he said, referring to the practice of "fuzzing," a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur.

Fuzzing has been a hacker's best friend: Microsoft has repeatedly had to patch file format vulnerabilities in Office applications, most recently in July when it fixed a flaw in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word.

"What's happening is that the bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability."

The sandbox technique Pescatore mentioned is a new addition to Office 2010, the upcoming upgrade to Microsoft's bestselling Windows application suite.

According to Brad Albrecht, a senior security program manager with the Office team, Office 2010 will sport something called "Protected View" that isolates Word, Excel and PowerPoint files in a read-only environment. The sandbox, said Albrecht in a post to a company blog this week, will have "minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can't get out of the sandbox and do harm to your computer or data."

"That's a good thing," Pescatore agreed. "Sandboxing and isolation are always good things in security, if only to limit the damage of a malicious file."

Albrecht also spelled out other security measures that Office 2010 will implement, including a more flexible file blocker and a suite-wide roll-out of "Office File Validation," a practice that was rolled out in Publisher 2007 Service Pack 2 (SP2).

The file blocker, introduced in Office 2007 then back-ported to Office 2003 in September 2007 with SP3, automatically bars access to some document types. Albrecht said that Office 2010 will let users fine-tune the feature to better manage which formats Word, Excel and PowerPoint open.

"File blocking was a real broad-brush thing in Office 2007," said Pescatore, "and it would give users obscure error messages." He applauded the move toward flexibility in the file blocker.

Office File Validation, meanwhile, is a system that validates older, pre-XML file formats for Word, Excel and PowerPoint, then blocks those that don't conform to the documented format. Documents that contain malicious code would presumably trigger the block. At that point, Office 2010 will hand off the file to the Protected View sandbox.

"There's still a trade-off," said Pescatore, talking about the improved security Microsoft plans for Office 2010. "The file in the sandbox is read-only, but if I need to open it and add something to it, that's going to annoy users."

Another downside, said Pescatore: Sandboxing, which is essentially lightweight versions of virtual machines, consumes PC resources. "On the other hand, PCs are getting faster, so we have the ability to throw more cycles at [sandboxes]."

Albrecht claimed that the new security features in Office 2010 would have "an indistinguishable performance impact on your [document] load time," but didn't go into detail about system requirements or the impact on the machine's memory and processor resources.

Microsoft declined to make Albrecht available to answer follow-up questions about Office 2010's security plans.

But Pescatore likes what he sees in Microsoft's bird's-eye view. "To build a sandbox, especially around Word docs, that's a very good idea."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftMicrosoft Office 2010

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?