Feeds

MS adds sandboxing to Office 2010

Harm reduction tactic aims to block bug exploitation

Next gen security for virtualised datacentres

Microsoft has announced plans to introduce sandboxing technology with the next version of its Office suite.

Office 2010 will incorporate sandboxing technology so that when users want to simply read Office documents, these files will have no access to other files or information. "Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data," explains Brad Albrecht, a Microsoft security specialist on the Office 2010 blog.

The sandboxing approach is a well-known mechanism for safely running untrusted programs that has been applied to Java Applets and (more recently) to Google's Chrome browser software. The technology will be used in conjunction with enhanced file (format inspection) blocker features and validity checks to provide a layered defence for Office 2010.

The file blocker, introduced in Office 2007, automatically prevents access to some document types. Improvements introduced with 2010 give users more granular control in managing how Word, Excel, and PowerPoint open their file types.

As Microsoft acknowledges, Office files have become a common payload in targeted hacking attacks over recent months.

"They have been going after many of our file-format parsers and how we read Office files," Albrecht writes. "They’re looking for ways to exploit bugs and to get their code running on your machine. We have done a lot of work to find and fix bugs, but we can’t find everything. We have to take a more proactive approach and build Office to be more resilient to attack."

Microsoft said that the security enhancements would not come at the expense of either performance or usability.

"We strive to make this process as invisible as possible," Albrecht added. "This means no noticeable delay in open times, as well as no dialogs asking you how you feel about security."

Clive Longbottom, a business process analyst at Quocirca, and veteran Microsoft watcher, said Microsoft's security enhancements provide rearguard protection against virus attacks.

"Blackhats have been most successful in the past in embedding code into a real or a false document (either a disguised .exe file, or a set of macros in the document)," Longbottom told El Reg. "The disguised .exe is pretty much covered by anti-virus files these days, but other approaches have left things open."

"This sandboxing means that even if there is malicious code in the document, it cannot do anything. The "read only" approach means that such code shouldn't be capable of running in the first place. This is all necessary as educating users has proven to be nigh-on impossible - they still open things that they shouldn't (and click on links that they shouldn't)," he added.

Longbottom added that while Microsoft's security enhancements were welcome, the software giant would always be playing catch-up with hackers.

"The rest of the approaches are all laudable, but I disagree that it puts Microsoft ahead of the blackhats - it gets Microsoft closer to them, that's all. It will not take long for the blackhats to devise alternative approaches (which may, or may not be Office related). There is just too much to be made from feeding off the mistakes that an end user will make," he concluded.

The changes were also broadly welcomed - with a few caveats on possible performance impairments - by Gartner security guru John Pescatore. The analyst told Computerworld that the enhancements represented a response by Microsoft to more widespread use of fuzzing tools, which automatically test applications for crash or code injection risks in dealing with varied (sometimes malformed) inputs, over the last 18 months or so.

"The bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability," Pescatore said. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New twist as rogue antivirus enters death throes
That's not the website you're looking for
ISIS terror fanatics invade Diaspora after Twitter blockade
Nothing we can do to stop them, says decentralized network
prev story

Whitepapers

A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.