Feeds

Smart tagging in Office XP – what Melissa did next?

Privacy and virus implications to new MS automation system

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Microsoft is shuttering its software against viruses, but the latest edition of its flagship productivity suite, Office XP, just might be introducing a whole new class of back door. Office XP includes the facility to build a kind of multi-dimensional version of a hyperlink into data files, and that's where the problem could lie.

Microsoft's Smart Tags, as they're known, allow items in Word docs, spreadsheet cells and so on to have properties attached to them. So an entry for a person's name, for example, could 'know' that it's a name, and have knowledge of its entry in your contact book, or as the author of a book, as a company employee with a personnel file, or all of the above and more.

When you're working with that name, or any other item with Smart Tags attached to it, you'd be presented with a number of options for actions to be taken in association with it. Or conceivably, the actions could be automatically carried out. Unlike hyperlinks, they can lead in many different directions, so the possibilities are infinite.

From Microsoft's point of view the system has great potential, both from the point of view of leveraging its own assets from Office, and from that of corporate customers, who can be offered Smart Tags as a further mechanism for automating their businesses. Smart Tags themselves, incidentally, are dependent on the use of XML in the latest rev of Office, so it's worth bearing in mind that there could be security issues associated with the implementation of XML by any company - it's not necessarily just a question of Microsoft.

But in this case, Microsoft is building the tools. As explained by Microsoft VP Steve Sinofsky in Seattle yesterday, you could Smart Tag a company name to associate it with a stock ticker, and regular, live updates of the stock price from, say, Moneycentral.
You can think of hosts of examples like this where Microsoft would be able to leverage its position as vendor of the industry standard productivity suite into sales for this and other of its MSN content assets. You can also figure out how tagging can be used to automate business processes - somebody sends you an email, you can be prompted to arrange a meeting, review joint projects, upgrade their software, whatever might seem relevant, or be available.

For security reasons, although Smart Tags themselves are intended to be shared, they don't contain executable code. But they do need that code to run, so if you don't already have it in trusted form on your local machine, the tag can include a "downloadURL" you can click on in order to collect that code.

This in itself seems little different from allowing code to be attached to emails - if people can be induced to click on an executable with Anna as a payload, they're surely just as likely to click on a URL. Dumb is dumb. Today, Microsoft is busily patching the security holes that came along with its earlier integration, automation and sharing model, but Smart Tags make it clear the company is still pursuing the same approach. And potentially, because they'll be easier and more interesting from the user's perspective than VBS scripts, the problem could be a lot bigger next time around.

Smart Tags could also have serious privacy implications, depending on how they are used by e-commerce operations, and by the less scrupulous operations on the Web. Users aren't in a position to know exactly what the code they've accepted is doing, so it could be used to gather data on them, their contacts, to spread virally via their contact books... There are clearly lots of possibilities, some of them not particularly nice. Even on the nice (ish) side, imagine how e-commerce sites could operate some kind of 'loyalty points for tag acceptance' system, and using the tagging to glean ever-richer data about their customers' habits.

The defence against this is the one we prepared earlier, and that we're rolling out over the next few years. The old attachment problem is being dealt with as promised, by blocking file attachments. In Office XP Outlook has 39 file types blocked by default, and this can be adjusted according to preferences. Future defences ("post Outlook 2002") will rely far more on differentiation between trusted and untrusted, signed and unsigned apps. This however - as Microsoft itself accepts - is likely to raise hackles with other software vendors.

But there are further issues, even if all applications being run and data files being used are signed and trusted. What, for example, if a signed document includes a link to an external file that changes?

But when it comes down to it, despite all the new security measures being introduced with OXP, responsibility falls on users and administrators, as always. "Signed applications are no different from any other code that could get on your machine," says lead program manager Jeff Reynar. "There's no new opportunity to do these malicious things with Smart Tags." Basically, they just do the same kinds of things that earlier technologies did, but maybe more so - and as always, your security and privacy is based on how awake you, your admins, your business partners and suppliers are. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.