Microsoft admits it can't stop Office file format hacks

Computerworld - Microsoft's plan to "sandbox" Office documents in the next version of its application suite is an admission that the company can't keep hackers from exploiting file format bugs, a security analyst said today.

"What's been happening is that Office has lots of vulnerabilities," said John Pescatore, Gartner's primary security analyst. "For the past 18 months, hackers have been fuzzing Office file formats," he said, referring to the practice of "fuzzing," a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur.

Fuzzing has been a hacker's best friend: Microsoft has repeatedly had to patch file format vulnerabilities in Office applications, most recently in July when it fixed a flaw in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word.

"What's happening is that the bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability."

The sandbox technique Pescatore mentioned is a new addition to Office 2010, the upcoming upgrade to Microsoft's bestselling Windows application suite.

According to Brad Albrecht, a senior security program manager with the Office team, Office 2010 will sport something called "Protected View" that isolates Word, Excel and PowerPoint files in a read-only environment. The sandbox, said Albrecht in a post to a company blog this week, will have "minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can't get out of the sandbox and do harm to your computer or data."

"That's a good thing," Pescatore agreed. "Sandboxing and isolation are always good things in security, if only to limit the damage of a malicious file."

Albrecht also spelled out other security measures that Office 2010 will implement, including a more flexible file blocker and a suite-wide roll-out of "Office File Validation," a practice that was rolled out in Publisher 2007 Service Pack 2 (SP2).

The file blocker, introduced in Office 2007 then back-ported to Office 2003 in September 2007 with SP3, automatically bars access to some document types. Albrecht said that Office 2010 will let users fine-tune the feature to better manage which formats Word, Excel and PowerPoint open.

"File blocking was a real broad-brush thing in Office 2007," said Pescatore, "and it would give users obscure error messages." He applauded the move toward flexibility in the file blocker.

Office File Validation, meanwhile, is a system that validates older, pre-XML file formats for Word, Excel and PowerPoint, then blocks those that don't conform to the documented format. Documents that contain malicious code would presumably trigger the block. At that point, Office 2010 will hand off the file to the Protected View sandbox.

"There's still a trade-off," said Pescatore, talking about the improved security Microsoft plans for Office 2010. "The file in the sandbox is read-only, but if I need to open it and add something to it, that's going to annoy users."

Another downside, said Pescatore: Sandboxing, which is essentially lightweight versions of virtual machines, consumes PC resources. "On the other hand, PCs are getting faster, so we have the ability to throw more cycles at [sandboxes]."

Albrecht claimed that the new security features in Office 2010 would have "an indistinguishable performance impact on your [document] load time," but didn't go into detail about system requirements or the impact on the machine's memory and processor resources.

Microsoft declined to make Albrecht available to answer follow-up questions about Office 2010's security plans.

But Pescatore likes what he sees in Microsoft's bird's-eye view. "To build a sandbox, especially around Word docs, that's a very good idea."

Read more about Windows in Computerworld's Windows Topic Center.