Microsoft struts Office 2010 'sandbox' security
'Good move,' says analyst of feature that isolates rigged docs from the PC
Computerworld - Microsoft's plan to "sandbox" documents in the next version of Office looks like a "very good step forward," according to one security analyst.
Last week, Microsoft revealed more details about a new security feature in Office 2010, dubbed "Protected View," that is designed to shut down the popular hacker tactic of feeding users rigged Word, Excel and PowerPoint files.
"It is a good move," said John Pescatore, Gartner's primary security analyst. "It gets away from the 'training' people have that makes them ignore pop-up warnings."
Protected View isolates Word, Excel and PowerPoint files in a read-only environment that prevents malware -- which has piggybacked on Office documents for years -- from harming the PC or hijacking the system.
"The file is being opened within a sandboxed instance of the application -- Word, Excel, PowerPoint -- and if there was malicious code present in the file, the goal is that code would not be able to find a way to tamper with your documents, change your profile or other user settings," said Vikas Malhotra, a Microsoft security program manager, in a entry to a company blog last week.
"If nothing else, we'll stay just as secure as before, but [Protected View] should cut down on the messages to the users," said Pescatore, talking about the kind of alerts current versions of Office display when users are about to open an untrusted document.
Within Outlook, for example, users who open an attachment now face a dialog box that asks, "Would you like to open the file or save it to your computer?"
"It is extremely hard to answer this question without seeing the contents of the file first," acknowledged Malhotra. "In Office 2010, we have removed this dialog and instead we now just open the file directly in Protected View ....This allows you to look over the contents and make an informed decision if you really trust the file or not."
"This is all driven by hackers using fuzzing tools," said Pescatore, talking about the dark art of hammering on file formats to probe for vulnerabilities. Microsoft has repeatedly had to patch file format flaws in Office applications, most recently in July when it fixed a bug in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word.
Noting that it's impossible for anyone, including Microsoft, to root out every instance of an input error -- the company uses home-grown fuzzing tools on its own products during development -- Pescatore said that the only solution is to give people a way to protect themselves after the fact.
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Desktop Apps White Papers | Webcasts