Smart tagging in Office XP – what Melissa did next?

Privacy and virus implications to new MS automation system

Microsoft is shuttering its software against viruses, but the latest edition of its flagship productivity suite, Office XP, just might be introducing a whole new class of back door. Office XP includes the facility to build a kind of multi-dimensional version of a hyperlink into data files, and that's where the problem could lie.

Microsoft's Smart Tags, as they're known, allow items in Word docs, spreadsheet cells and so on to have properties attached to them. So an entry for a person's name, for example, could 'know' that it's a name, and have knowledge of its entry in your contact book, or as the author of a book, as a company employee with a personnel file, or all of the above and more.

When you're working with that name, or any other item with Smart Tags attached to it, you'd be presented with a number of options for actions to be taken in association with it. Or conceivably, the actions could be automatically carried out. Unlike hyperlinks, they can lead in many different directions, so the possibilities are infinite.

From Microsoft's point of view the system has great potential, both from the point of view of leveraging its own assets from Office, and from that of corporate customers, who can be offered Smart Tags as a further mechanism for automating their businesses. Smart Tags themselves, incidentally, are dependent on the use of XML in the latest rev of Office, so it's worth bearing in mind that there could be security issues associated with the implementation of XML by any company - it's not necessarily just a question of Microsoft.

But in this case, Microsoft is building the tools. As explained by Microsoft VP Steve Sinofsky in Seattle yesterday, you could Smart Tag a company name to associate it with a stock ticker, and regular, live updates of the stock price from, say, Moneycentral.

You can think of hosts of examples like this where Microsoft would be able to leverage its position as vendor of the industry standard productivity suite into sales for this and others of its MSN content assets. You can also figure out how tagging can be used to automate business processes - somebody sends you an email, you can be prompted to arrange a meeting, review joint projects, upgrade their software, whatever might seem relevant, or be available.

For security reasons, although Smart Tags themselves are intended to be shared, they don't contain executable code. But they do need that code to run, so if you don't already have it in trusted form on your local machine, the tag can include a "downloadURL" you can click on in order to collect that code.
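Because the tag metadata is shareable but the code behind it is fetched from wherever the "downloadURL" points, the defensive question for an administrator is simply: which download references are sitting in the documents we receive, and do they point anywhere we trust? The script below is an added example, not code from the article or from Microsoft. It assumes a document saved in Office's HTML/XML form declares each Smart Tag type as an `<o:SmartTagType>` element carrying a `downloadurl` attribute (the attribute name mirrors the article's "downloadURL"; the exact serialisation is an assumption here), and the sample document and the trusted-host list are constructed for the example.

```python
"""Inventory Smart Tag download references in an Office HTML/XML document
and flag any that do not resolve to an approved host over HTTPS.

Added example; assumptions: the <o:SmartTagType ... downloadurl="..."/>
layout, the sample document and the trusted-host list are all constructed
for illustration and are not taken from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: three tag types, one with no download reference,
# one pointing at an internal (approved) host, one pointing elsewhere.
SAMPLE_DOC = """<html xmlns:o="urn:schemas-microsoft-com:office:office">
<head>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
 name="PersonName"/>
<o:SmartTagType namespaceuri="urn:example-corp:tags" name="stockticker"
 downloadurl="https://tags.example-corp.internal/install"/>
<o:SmartTagType namespaceuri="urn:example-promo:tags" name="loyalty"
 downloadurl="http://promo.example.net/get-tag.exe"/>
</head>
<body><p>Quarterly figures attached.</p></body></html>"""

# Hosts (and their subdomains) from which tag code may be fetched.
TRUSTED_HOSTS = ["example-corp.internal"]


class SmartTagTypeCollector(HTMLParser):
    """Collects every <o:SmartTagType> start tag and its attributes."""

    def __init__(self):
        super().__init__()
        self.tag_types = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "o:smarttagtype":
            return
        a = dict(attrs)
        self.tag_types.append({
            "name": a.get("name") or "",
            "namespaceuri": a.get("namespaceuri") or "",
            "downloadurl": a.get("downloadurl") or "",
        })


def collect_smart_tag_types(doc_text):
    """Return the list of Smart Tag type declarations found in doc_text."""
    parser = SmartTagTypeCollector()
    parser.feed(doc_text)
    parser.close()
    return parser.tag_types


def classify_download_url(url, trusted_hosts):
    """'none' if no reference, 'trusted' for an HTTPS URL on an approved
    host (or subdomain), otherwise 'untrusted'."""
    if not url:
        return "none"
    parts = urlsplit(url)
    # Code fetched over plain HTTP can be tampered with in transit, so only
    # HTTPS references to approved hosts are accepted.
    if parts.scheme != "https":
        return "untrusted"
    host = (parts.hostname or "").lower()
    for trusted in trusted_hosts:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    return "untrusted"


def audit_document(doc_text, trusted_hosts):
    """Return (tag name, download URL, verdict) for each declared tag type."""
    return [
        (t["name"], t["downloadurl"],
         classify_download_url(t["downloadurl"], trusted_hosts))
        for t in collect_smart_tag_types(doc_text)
    ]


if __name__ == "__main__":
    for name, url, verdict in audit_document(SAMPLE_DOC, TRUSTED_HOSTS):
        print(f"{verdict:>9}  {name:<12}  {url or '(no downloadURL)'}")
```

Run as-is, the report lists `PersonName` with no download reference, the `stockticker` tag as trusted, and the `loyalty` tag as untrusted, which is the one an administrator would want to see before a user is offered that link. The same `audit_document` call can be pointed at a directory of inbound documents to build an inventory of which external hosts are being asked to supply tag code.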

This in itself seems little different from allowing code to be attached to emails - if people can be induced to click on an executable with Anna as a payload, they're surely just as likely to click on a URL. Dumb is dumb. Today, Microsoft is busily patching the security holes that came along with its earlier integration, automation and sharing model, but Smart Tags make it clear the company is still pursuing the same approach. And potentially, because they'll be easier and more interesting from the user's perspective than VBS scripts, the problem could be a lot bigger next time around.

Smart Tags could also have serious privacy implications, depending on how they are used by e-commerce operations, and by the less scrupulous operations on the Web. Users aren't in a position to know exactly what the code they've accepted is doing, so it could be used to gather data on them and their contacts, or to spread virally via their contact books... There are clearly lots of possibilities, some of them not particularly nice. Even on the nice (ish) side, imagine how e-commerce sites could operate some kind of 'loyalty points for tag acceptance' system, and use the tagging to glean ever-richer data about their customers' habits.

The defence against this is the one we prepared earlier, and that we're rolling out over the next few years. The old attachment problem is being dealt with as promised, by blocking file attachments. In Office XP Outlook has 39 file types blocked by default, and this can be adjusted according to preferences. Future defences ("post Outlook 2002") will rely far more on differentiation between trusted and untrusted, signed and unsigned apps. This however - as Microsoft itself accepts - is likely to raise hackles with other software vendors.

But there are further issues, even if all applications being run and data files being used are signed and trusted. What, for example, if a signed document includes a link to an external file that changes?

But when it comes down to it, despite all the new security measures being introduced with OXP, responsibility falls on users and administrators, as always. "Signed applications are no different from any other code that could get on your machine," says lead program manager Jeff Reynar. "There's no new opportunity to do these malicious things with Smart Tags." Basically, they just do the same kinds of things that earlier technologies did, but maybe more so - and as always, your security and privacy are based on how awake you, your admins, your business partners and suppliers are. ®
