Microsoft struts Office 2010 'sandbox' security

'Good move,' says analyst of feature that isolates rigged docs from the PC

Microsoft's plan to "sandbox" documents in the next version of Office looks like a "very good step forward," according to one security analyst.

Last week, Microsoft revealed more details about a new security feature in Office 2010, dubbed "Protected View," that is designed to shut down the popular hacker tactic of feeding users rigged Word, Excel and PowerPoint files.

"It is a good move," said John Pescatore, Gartner's primary security analyst. "It gets away from the 'training' people have that makes them ignore pop-up warnings."

Protected View isolates Word, Excel and PowerPoint files in a read-only environment that prevents malware -- which has piggybacked on Office documents for years -- from harming the PC or hijacking the system.

"The file is being opened within a sandboxed instance of the application -- Word, Excel, PowerPoint -- and if there was malicious code present in the file, the goal is that code would not be able to find a way to tamper with your documents, change your profile or other user settings," said Vikas Malhotra, a Microsoft security program manager, in a entry to a company blog last week.

"If nothing else, we'll stay just as secure as before, but [Protected View] should cut down on the messages to the users," said Pescatore, talking about the kind of alerts current versions of Office display when users are about to open an untrusted document.

Within Outlook, for example, users who open an attachment now face a dialog box that asks, "Would you like to open the file or save it to your computer?"

"It is extremely hard to answer this question without seeing the contents of the file first," acknowledged Malhotra. "In Office 2010, we have removed this dialog and instead we now just open the file directly in Protected View ....This allows you to look over the contents and make an informed decision if you really trust the file or not."

"This is all driven by hackers using fuzzing tools," said Pescatore, talking about the dark art of hammering on file formats to probe for vulnerabilities. Microsoft has repeatedly had to patch file format flaws in Office applications, most recently in July when it fixed a bug in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word.

Noting that it's impossible for anyone, including Microsoft, to root out every instance of an input error -- the company uses home-grown fuzzing tools on its own products during development -- Pescatore said that the only solution is to give people a way to protect themselves after the fact.

In his blog entry, Malhotra spelled out more details about Protected View, including when it's triggered and how enterprise IT staffs can manage those options.

Office 2010 opens a Word, Excel or PowerPoint document in Protected Mode when the file's downloaded from the Internet or an Outlook message's file attachment is opened. In some situations, Protected View will also swing into action when a file is grabbed from the company's internal network.

"This strikes me as a pretty good balance between security and usability," said Pescatore.

Additionally, Protected View will be used to open documents that have been tagged with the "File Block" security feature introduced in Office 2007. File Block lets corporate IT managers -- or a technically astute end user -- declare specific Office file types that can or cannot be opened by Word, Excel and PowerPoint. The feature was backported to Office 2003 in May 2007 as part of a regularly-scheduled monthly security update.

In 2007, Microsoft pitched File Block as a last-ditch defense against hacker attempts to use old file formats -- which historically have many more security holes than newer formats -- to compromise PCs.

Malhotra admitted that users hadn't taken to File Block. "From your feedback we heard that this was overly limiting from a usability aspect since your users still wanted to 'read' those files," he said. "In Office 2010 ... an administrator can set policy to indicate if the user should be allowed to leave Protected View, by editing the file, or force them to stay in it."

"The key [to Protected View] is what sort of tools will Microsoft give administrators to manage this," said Pescatore. "What if you want to be more granular than this? There are millions of documents out there that will be pulled into Protected View that aren't currently tagged with File Block. What will be the default?"

Users will also be able to open any document in Protected View from Office 2010's file menu, said Malhotra, and the Office 2010 window will carry a red bar at the top to show that the file is being viewed in a sandbox.

In a follow-up today, a Microsoft spokeswoman said that Protected View will benefit from some features in Vista and Windows 7 -- notably UIPI (User Interface Privilege Isolation) -- to further restrict the sandbox process. But Office 2010 will offer Protected View to users running the suite on the older Windows XP operating system.

Pescatore thinks it unlikely, however, that Microsoft will backport the new feature to earlier editions of Office, a tactic it's used on occasion, such as adding File Block to Office 2003. "I sort of doubt they will do that," he said. "A lot of what they're doing here is tied to the XML format."

Although Microsoft has fired up the beta process for Office 2010 -- it kicked off the Technical Preview last month as an invite-only round of testing -- it has not yet announced a ship date for the product, saying only that it will release in the first half of 2010. A beta for the general public is slated for later this year.

Join the discussion
Be the first to comment on this article. Our Commenting Policies