MS adds sandboxing to Office 2010

Harm reduction tactic aims to block bug exploitation

Microsoft has announced plans to introduce sandboxing technology with the next version of its Office suite.

Office 2010 will incorporate sandboxing technology so that when users want to simply read Office documents, these files will have no access to other files or information. "Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data," explains Brad Albrecht, a Microsoft security specialist on the Office 2010 blog.

The sandboxing approach is a well-known mechanism for safely running untrusted programs that has been applied to Java Applets and (more recently) to Google's Chrome browser software. The technology will be used in conjunction with enhanced file (format inspection) blocker features and validity checks to provide a layered defence for Office 2010.

The file blocker, introduced in Office 2007, automatically prevents access to some document types. Improvements introduced with 2010 give users more granular control in managing how Word, Excel, and PowerPoint open their file types.

As Microsoft acknowledges, Office files have become a common payload in targeted hacking attacks over recent months.

"They have been going after many of our file-format parsers and how we read Office files," Albrecht writes. "They’re looking for ways to exploit bugs and to get their code running on your machine. We have done a lot of work to find and fix bugs, but we can’t find everything. We have to take a more proactive approach and build Office to be more resilient to attack."

Microsoft said that the security enhancements would not come at the expense of either performance or usability.

"We strive to make this process as invisible as possible," Albrecht added. "This means no noticeable delay in open times, as well as no dialogs asking you how you feel about security."

Clive Longbottom, a business process analyst at Quocirca, and veteran Microsoft watcher, said Microsoft's security enhancements provide rearguard protection against virus attacks.

"Blackhats have been most successful in the past in embedding code into a real or a false document (either a disguised .exe file, or a set of macros in the document)," Longbottom told El Reg. "The disguised .exe is pretty much covered by anti-virus files these days, but other approaches have left things open."

"This sandboxing means that even if there is malicious code in the document, it cannot do anything. The 'read only' approach means that such code shouldn't be capable of running in the first place. This is all necessary as educating users has proven to be nigh-on impossible - they still open things that they shouldn't (and click on links that they shouldn't)," he added.

Longbottom added that while Microsoft's security enhancements were welcome, the software giant would always be playing catch-up with hackers.

"The rest of the approaches are all laudable, but I disagree that it puts Microsoft ahead of the blackhats - it gets Microsoft closer to them, that's all. It will not take long for the blackhats to devise alternative approaches (which may, or may not be Office related). There is just too much to be made from feeding off the mistakes that an end user will make," he concluded.

The changes were also broadly welcomed - with a few caveats on possible performance impairments - by Gartner security guru John Pescatore. The analyst told Computerworld that the enhancements represented a response by Microsoft to more widespread use of fuzzing tools, which automatically test applications for crash or code injection risks in dealing with varied (sometimes malformed) inputs, over the last 18 months or so.

"The bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability,'" Pescatore said. ®
