
Smart tagging in Office XP – what Melissa did next?

Privacy and virus implications of the new MS automation system



Microsoft is battening down its software against viruses, but the latest edition of its flagship productivity suite, Office XP, just might be introducing a whole new class of back door. Office XP includes the facility to build a kind of multi-dimensional hyperlink into data files, and that's where the problem could lie.

Microsoft's Smart Tags, as they're known, allow items in Word docs, spreadsheet cells and so on to have properties attached to them. So an entry for a person's name, for example, could 'know' that it's a name, and have knowledge of its entry in your contact book, or as the author of a book, as a company employee with a personnel file, or all of the above and more.

When you're working with that name, or any other item with Smart Tags attached to it, you'd be presented with a number of options for actions to be taken in association with it. Or conceivably, the actions could be carried out automatically. Unlike hyperlinks, they can lead in many different directions, so the possibilities are open-ended.

From Microsoft's point of view the system has great potential, both for leveraging its own Office assets and for corporate customers, who can be offered Smart Tags as a further mechanism for automating their businesses. Smart Tags themselves, incidentally, depend on the XML support in the latest rev of Office, so it's worth bearing in mind that there could be security issues with any company's implementation of XML - it's not necessarily just a question of Microsoft.

But in this case, Microsoft is building the tools. As explained by Microsoft VP Steve Sinofsky in Seattle yesterday, you could Smart Tag a company name to associate it with a stock ticker, and with regular, live updates of the stock price from, say, Moneycentral.

You can think of hosts of examples like this where Microsoft would be able to leverage its position as vendor of the industry-standard productivity suite into sales for this and other of its MSN content assets. You can also figure out how tagging can be used to automate business processes - somebody sends you an email, and you can be prompted to arrange a meeting, review joint projects, upgrade their software, or whatever else might seem relevant or be available.

For security reasons, although Smart Tags themselves are intended to be shared, they don't contain executable code. But they do need that code to run, so if you don't already have it in trusted form on your local machine, the tag can include a "downloadURL" you can click on to collect that code.

This in itself seems little different from allowing code to be attached to emails - if people can be induced to click on an executable with Anna as a payload, they're surely just as likely to click on a URL. Dumb is dumb. Today, Microsoft is busily patching the security holes that came along with its earlier integration, automation and sharing model, but Smart Tags make it clear the company is still pursuing the same approach. And because they'll be easier and more interesting from the user's perspective than VBS scripts, the problem could potentially be a lot bigger next time around.
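The check a mail gateway or document scanner would want to make on the mechanism described above is simply: which hosts does this document want to fetch Smart Tag code from, and do we trust them? The following is an added example, not code from the article or from Microsoft. It is modelled on the HTML save format of Office XP, in which Word emits one `<o:SmartTagType namespaceuri="..." name="..." downloadurl="..."/>` element per recogniser used in the document; the element and attribute names, the trusted-host allowlist and the sample document are assumptions constructed for this example.

```python
"""Flag Smart Tag type declarations whose downloadurl points at a host
outside an allowlist. Added example; element/attribute names follow
Office XP's HTML output as an assumption, not as documented fact."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this organisation lets serve Smart Tag code.
TRUSTED_HOSTS = {"www.microsoft.com", "smarttags.corp.example"}

# Constructed sample document (not a real Office file). Four tag types:
# two pointing at Microsoft, one at a third-party host, one with no download URL.
SAMPLE_DOC = """<html xmlns:o="urn:schemas-microsoft-com:office:office"
 xmlns:st1="urn:schemas-microsoft-com:office:smarttags">
<head>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="PersonName" downloadurl="http://www.microsoft.com"/>
<o:SmartTagType namespaceuri="urn:schemas:contacts" name="Sn"
 downloadurl="http://www.microsoft.com"/>
<o:SmartTagType namespaceuri="urn:example-stockwatch" name="ticker"
 downloadurl="http://stocks.example.net/smarttag/setup.exe"/>
<o:SmartTagType namespaceuri="urn:example-internal" name="employee"/>
</head>
<body><p>Meet <st1:PersonName>Jane Doe</st1:PersonName> about
<st1:ticker>MSFT</st1:ticker>.</p></body>
</html>"""


class SmartTagTypeParser(HTMLParser):
    """Collect every <o:SmartTagType> declaration and its attributes."""

    def __init__(self):
        super().__init__()
        self.types = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; self-closing tags
        # reach this hook too, via the default handle_startendtag.
        if tag == "o:smarttagtype":
            a = {k: (v or "") for k, v in attrs}
            self.types.append({
                "name": a.get("name", ""),
                "namespaceuri": a.get("namespaceuri", ""),
                "downloadurl": a.get("downloadurl", ""),
            })


def classify(downloadurl, trusted=TRUSTED_HOSTS):
    """Return 'no-download', 'malformed', 'trusted' or 'untrusted'."""
    if not downloadurl:
        return "no-download"            # tag carries no pointer to code
    parts = urlsplit(downloadurl)
    host = parts.hostname or ""         # urlsplit lower-cases scheme and host
    if parts.scheme not in ("http", "https") or not host:
        return "malformed"              # file:, javascript:, relative paths ...
    return "trusted" if host in trusted else "untrusted"


def audit(doc, trusted=TRUSTED_HOSTS):
    """Parse doc; return one (name, namespaceuri, downloadurl, verdict) per tag type."""
    parser = SmartTagTypeParser()
    parser.feed(doc)
    parser.close()
    return [(t["name"], t["namespaceuri"], t["downloadurl"],
             classify(t["downloadurl"], trusted)) for t in parser.types]


def untrusted_downloads(doc, trusted=TRUSTED_HOSTS):
    """Only the declarations a gateway should quarantine or strip."""
    return [row for row in audit(doc, trusted) if row[3] in ("untrusted", "malformed")]


if __name__ == "__main__":
    for name, ns, url, verdict in audit(SAMPLE_DOC):
        print(f"{verdict:12} {name:12} {ns}  {url or '-'}")
```

Note that a tag type with no downloadurl is not harmless in itself: it simply means the recogniser code is expected to be present already, so the verdict tells you where code would come from, not whether the document is safe.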

Smart Tags could also have serious privacy implications, depending on how they are used by e-commerce operations, and by the less scrupulous operations on the Web. Users aren't in a position to know exactly what the code they've accepted is doing, so it could be used to gather data on them and their contacts, or to spread virally via their contact books... There are clearly lots of possibilities, some of them not particularly nice. Even on the nice (ish) side, imagine how e-commerce sites could operate some kind of 'loyalty points for tag acceptance' system, and use the tagging to glean ever-richer data about their customers' habits.

The defence against this is the one Microsoft prepared earlier, and is rolling out over the next few years. The old attachment problem is being dealt with as promised, by blocking file attachments. In Office XP, Outlook has 39 file types blocked by default, and this list can be adjusted according to preferences. Future defences ("post Outlook 2002") will rely far more on differentiation between trusted and untrusted, signed and unsigned apps. This however - as Microsoft itself accepts - is likely to raise hackles with other software vendors.

But there are further issues, even if all applications being run and data files being used are signed and trusted. What, for example, if a signed document includes a link to an external file that changes? The signature vouches for the document as it was signed, not for whatever the link fetches at the moment the document is opened.

But when it comes down to it, despite all the new security measures being introduced with Office XP, responsibility falls on users and administrators, as always. "Signed applications are no different from any other code that could get on your machine," says lead program manager Jeff Reynar. "There's no new opportunity to do these malicious things with Smart Tags." Basically, they just do the same kinds of things that earlier technologies did, but maybe more so - and as always, your security and privacy are based on how awake you, your admins, your business partners and suppliers are. ®
