Microsoft to boost Office 2003, 2007 security

Will backport suspicious file sniffer from Office 2010 in Q1 of 2011

Microsoft said on Tuesday that it would backport an Office 2010 security feature to the older and more widely used Office 2003 and Office 2007 early next year.

Dubbed Office File Validation (OVE), the technology validates older, pre-XML file formats for Word, Excel, PowerPoint and Publisher, then opens those that don't conform to the documented format -- rigged files containing an exploit, for example -- in a special "sandbox" within Office 2010 called Protected View.

That sandbox lets users view the contents of a document, but disables most editing functions to prevent malware that may be embedded in the file from executing.

OVE debuted in early builds of Office 2010, which launched last June.

Microsoft said on Tuesday that it would bring some parts of OVE to Office 2003 and Office 2007 in the first quarter of 2011.

"It will be an optional update for those platforms, but we'll make a big push to urge customers to download it," Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), told Computerworld on Tuesday.

As in Office 2010, OVE in Office 2003 and 2007 will examine Word, Excel, PowerPoint and Publisher documents saved in Office 97-2003 binary file formats. (Microsoft moved to XML-based document formats by default with Office 2007.)

However, rather than opening suspicious files in a sandbox, which neither of the older suites have, OVE in Office 2003 and 2007 will trigger an alert that warns the user that the document could be dangerous.

Users can click through the warning to continue opening the file, Bryant said.

Microsoft decided to backport OVE to Office 2003 and 2007 after analyzing about four years' worth of data. The company said that more than 80% of all Office security cases would have been handled by OVE if it had been in place throughout the suite's versions.

File format vulnerabilities -- exploited by specially crafted documents -- have long plagued Office, and remain the top threat to users. On Tuesday, for example, Microsoft patched that could be used to hijack a PC with malformed files.

At some point, the Office team plans to issue "signatures" so OVE can detect newly-discovered file format vulnerabilities, then push the document into Protected View (in Office 2010) or warn the user (Office 2003, 2007).

Bryant declined to set a timeline for the updates, which would be analogous to the signature updates regularly provided for antivirus software -- but said they would definitely not go live when Office 2003 and 2007 receive the OVE upgrade next year.

"This won't happen in the foreseeable future, but when it does, the vast majority of Office vulnerabilities would be mitigated by technology like this," Bryant said.

Unfortunately, users of the even older Office XP won't receive the OVE update. That edition, which shipped in 2001, is even buggier than 2003 and 2007. Last October, for example, Microsoft patched 11 vulnerabilities in Office XP's Word 2002, but had to issue fixes for only two of the same flaws for Office 2003 and just one each for Office 2007 and Office 2010.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies