Microsoft struts Office 2010 'sandbox' security
'Good move,' says analyst of feature that isolates rigged docs from the PC
Computerworld - Microsoft's plan to "sandbox" documents in the next version of Office looks like a "very good step forward," according to one security analyst.
Last week, Microsoft revealed more details about a new security feature in Office 2010, dubbed "Protected View," that is designed to shut down the popular hacker tactic of feeding users rigged Word, Excel and PowerPoint files.
"It is a good move," said John Pescatore, Gartner's primary security analyst. "It gets away from the 'training' people have that makes them ignore pop-up warnings."
Protected View isolates Word, Excel and PowerPoint files in a read-only environment that prevents malware -- which has piggybacked on Office documents for years -- from harming the PC or hijacking the system.
"The file is being opened within a sandboxed instance of the application -- Word, Excel, PowerPoint -- and if there was malicious code present in the file, the goal is that code would not be able to find a way to tamper with your documents, change your profile or other user settings," said Vikas Malhotra, a Microsoft security program manager, in a entry to a company blog last week.
"If nothing else, we'll stay just as secure as before, but [Protected View] should cut down on the messages to the users," said Pescatore, talking about the kind of alerts current versions of Office display when users are about to open an untrusted document.
Within Outlook, for example, users who open an attachment now face a dialog box that asks, "Would you like to open the file or save it to your computer?"
"It is extremely hard to answer this question without seeing the contents of the file first," acknowledged Malhotra. "In Office 2010, we have removed this dialog and instead we now just open the file directly in Protected View ....This allows you to look over the contents and make an informed decision if you really trust the file or not."
"This is all driven by hackers using fuzzing tools," said Pescatore, talking about the dark art of hammering on file formats to probe for vulnerabilities. Microsoft has repeatedly had to patch file format flaws in Office applications, most recently in July when it fixed a bug in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word.
Noting that it's impossible for anyone, including Microsoft, to root out every instance of an input error -- the company uses home-grown fuzzing tools on its own products during development -- Pescatore said that the only solution is to give people a way to protect themselves after the fact.
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- Architects lead the next generation of data-driven applications Read this whitepaper to find out how application architects can quickly and confidently deliver long-lasting applications that minimize cost, complexity, and risk while...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Desktop Apps White Papers | Webcasts