Feeds

Smart tagging in Office XP – what Melissa did next?

Privacy and virus implications to new MS automation system

  • alert
  • submit to reddit

Security for virtualized datacentres

Microsoft is shuttering its software against viruses, but the latest edition of its flagship productivity suite, Office XP, just might be introducing a whole new class of back door. Office XP includes the facility to build a kind of multi-dimensional version of a hyperlink into data files, and that's where the problem could lie.

Microsoft's Smart Tags, as they're known, allow items in Word docs, spreadsheet cells and so on to have properties attached to them. So an entry for a person's name, for example, could 'know' that it's a name, and have knowledge of its entry in your contact book, or as the author of a book, as a company employee with a personnel file, or all of the above and more.

When you're working with that name, or any other item with Smart Tags attached to it, you'd be presented with a number of options for actions to be taken in association with it. Or conceivably, the actions could be automatically carried out. Unlike hyperlinks, they can lead in many different directions, so the possibilities are infinite.

From Microsoft's point of view the system has great potential, both from the point of view of leveraging its own assets from Office, and from that of corporate customers, who can be offered Smart Tags as a further mechanism for automating their businesses. Smart Tags themselves, incidentally, are dependent on the use of XML in the latest rev of Office, so it's worth bearing in mind that there could be security issues associated with the implementation of XML by any company - it's not necessarily just a question of Microsoft.

But in this case, Microsoft is building the tools. As explained by Microsoft VP Steve Sinofsky in Seattle yesterday, you could Smart Tag a company name to associate it with a stock ticker, and regular, live updates of the stock price from, say, Moneycentral.
You can think of hosts of examples like this where Microsoft would be able to leverage its position as vendor of the industry standard productivity suite into sales for this and other of its MSN content assets. You can also figure out how tagging can be used to automate business processes - somebody sends you an email, you can be prompted to arrange a meeting, review joint projects, upgrade their software, whatever might seem relevant, or be available.

For security reasons, although Smart Tags themselves are intended to be shared, they don't contain executable code. But they do need that code to run, so if you don't already have it in trusted form on your local machine, the tag can include a "downloadURL" you can click on in order to collect that code.

This in itself seems little different from allowing code to be attached to emails - if people can be induced to click on an executable with Anna as a payload, they're surely just as likely to click on a URL. Dumb is dumb. Today, Microsoft is busily patching the security holes that came along with its earlier integration, automation and sharing model, but Smart Tags make it clear the company is still pursuing the same approach. And potentially, because they'll be easier and more interesting from the user's perspective than VBS scripts, the problem could be a lot bigger next time around.

Smart Tags could also have serious privacy implications, depending on how they are used by e-commerce operations, and by the less scrupulous operations on the Web. Users aren't in a position to know exactly what the code they've accepted is doing, so it could be used to gather data on them, their contacts, to spread virally via their contact books... There are clearly lots of possibilities, some of them not particularly nice. Even on the nice (ish) side, imagine how e-commerce sites could operate some kind of 'loyalty points for tag acceptance' system, and using the tagging to glean ever-richer data about their customers' habits.

The defence against this is the one we prepared earlier, and that we're rolling out over the next few years. The old attachment problem is being dealt with as promised, by blocking file attachments. In Office XP Outlook has 39 file types blocked by default, and this can be adjusted according to preferences. Future defences ("post Outlook 2002") will rely far more on differentiation between trusted and untrusted, signed and unsigned apps. This however - as Microsoft itself accepts - is likely to raise hackles with other software vendors.

But there are further issues, even if all applications being run and data files being used are signed and trusted. What, for example, if a signed document includes a link to an external file that changes?

But when it comes down to it, despite all the new security measures being introduced with OXP, responsibility falls on users and administrators, as always. "Signed applications are no different from any other code that could get on your machine," says lead program manager Jeff Reynar. "There's no new opportunity to do these malicious things with Smart Tags." Basically, they just do the same kinds of things that earlier technologies did, but maybe more so - and as always, your security and privacy is based on how awake you, your admins, your business partners and suppliers are. ®

Website security in corporate America

More from The Register

next story
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
iOS 8 release: WebGL now runs everywhere. Hurrah for 3D graphics!
HTML 5's pretty neat ... when your browser supports it
Mathematica hits the Web
Wolfram embraces the cloud, promies private cloud cut of its number-cruncher
Mozilla shutters Labs, tells nobody it's been dead for five months
Staffer's blog reveals all as projects languish on GitHub
'People have forgotten just how late the first iPhone arrived ...'
Plus: 'Google's IDEALISM is an injudicious justification for inappropriate biz practices'
SUSE Linux owner Attachmate gobbled by Micro Focus for $2.3bn
Merger will lead to mainframe and COBOL powerhouse
iOS 8 Healthkit gets a bug SO Apple KILLS it. That's real healthcare!
Not fit for purpose on day of launch, says Cupertino
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.