Microsoft to boost Office 2003, 2007 security
Will backport suspicious file sniffer from Office 2010 in Q1 of 2011
Computerworld - Microsoft said on Tuesday that it would backport an Office 2010 security feature to the older and more widely used Office 2003 and Office 2007 early next year.
Dubbed Office File Validation (OVE), the technology validates older, pre-XML file formats for Word, Excel, PowerPoint and Publisher, then opens those that don't conform to the documented format -- rigged files containing an exploit, for example -- in a special "sandbox" within Office 2010 called Protected View.
That sandbox lets users view the contents of a document, but disables most editing functions to prevent malware that may be embedded in the file from executing.
OVE debuted in early builds of Office 2010, which launched last June.
Microsoft said on Tuesday that it would bring some parts of OVE to Office 2003 and Office 2007 in the first quarter of 2011.
"It will be an optional update for those platforms, but we'll make a big push to urge customers to download it," Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), told Computerworld on Tuesday.
As in Office 2010, OVE in Office 2003 and 2007 will examine Word, Excel, PowerPoint and Publisher documents saved in Office 97-2003 binary file formats. (Microsoft moved to XML-based document formats by default with Office 2007.)
However, rather than opening suspicious files in a sandbox, which neither of the older suites has, OVE in Office 2003 and 2007 will trigger an alert that warns the user that the document could be dangerous.
Users can click through the warning to continue opening the file, Bryant said.
Microsoft decided to backport OVE to Office 2003 and 2007 after analyzing about four years' worth of data. The company said that more than 80% of all Office security cases would have been handled by OVE if it had been in place throughout the suite's versions.
File format vulnerabilities -- exploited by specially crafted documents -- have long plagued Office, and remain the top threat to users. On Tuesday, for example, Microsoft patched that could be used to hijack a PC with malformed files.
At some point, the Office team plans to issue "signatures" so OVE can detect newly-discovered file format vulnerabilities, then push the document into Protected View (in Office 2010) or warn the user (Office 2003, 2007).
Bryant declined to set a timeline for the updates, which would be analogous to the signature updates regularly provided for antivirus software -- but said they would definitely not go live when Office 2003 and 2007 receive the OVE upgrade next year.
"This won't happen in the foreseeable future, but when it does, the vast majority of Office vulnerabilities would be mitigated by technology like this," Bryant said.
Unfortunately, users of the even older Office XP won't receive the OVE update. That edition, which shipped in 2001, is even buggier than 2003 and 2007. Last October, for example, Microsoft patched 11 vulnerabilities in Office XP's Word 2002, but had to issue fixes for only two of the same flaws for Office 2003 and just one each for Office 2007 and Office 2010.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.