Microsoft spurns specific security goals for Office 2007
It plans to push some of the suite's security features into Office 2003
April 30, 2007 12:00 PM ETComputerworld - Unlike the Microsoft Corp. executives who have predicted that Windows Vista will be hit by far fewer vulnerabilities than its predecessor, the developers who crafted Office 2007 -- while confident that the suite will be tougher to attack -- won't set a security target.
"What would show we were successful?" asked Joshua Edwards, the technical product manager for Office "That we demonstrate the attack surface area is extremely small. But we don't have a specific number of vulnerabilities in the next year that we're shooting for."
Office 2007 security made front page news earlier this month when Microsoft contended that Word 2007 behavior reported as a vulnerability was actually included by design.
Edwards defended Word 2007's security and, by extension, all of Office's, even with the application crash. The new Office file formats -- a format dubbed Open XML by Microsoft -- are superior to the binary file formats of previous Office collections, he said. "Because the XML schema is so well defined, we have a higher degree of resiliency to prevent the corruption of those documents than in earlier Office," said Edwards. "If someone has injected code into the document, as we parse them off the disk in real time we can ignore that document."
Office 2007 was the first suite that Microsoft took through the Security Development Lifecycle (SDL), a multipart initiative aimed at producing secure code. Edwards touted SDL but didn't go as far as to call it a panacea. "Is it safe to assume that because of SDL, Office is more secure? Yes," said Edwards. "But at the same time, it's only part of what we've tried to do with Office security. And it's a process, right?"
Among SDL's processes is code review: examining old code that has been reused from earlier software and just-crafted code for possible security problems. Windows Vista, which was also developed using SDL's strategies, has taken heat recently for containing a bug in the animated cursor code, which was grabbed from Windows 2000, a seven-year-old operating system.
Edwards assured Office 2007 users that all legacy code had been thoroughly checked. "Every bit of that code still had to go through the SDL proofing tools," he said. During the SDL review, the Office 2007 team also checked the Office 2003 code responsible for numerous vulnerabilities throughout 2006 that allowed bugs in Word, Excel and PowerPoint to be used for targeted attacks. "We looked at those to see if they were impacting 2007, but they did not affect the 2007 code base,"he said.
Significant security improvements were also made in Office 2007's encryption, in how users interact with the applications to finesse security options, and in the tools for stripping out confidential information before passing documents to others, Edwards added.
Microsoft
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
