Feeds

MS adds sandboxing to Office 2010

Harm reduction tactic aims to block bug exploitation

The Essential Guide to IT Transformation

Microsoft has announced plans to introduce sandboxing technology with the next version of its Office suite.

Office 2010 will incorporate sandboxing technology so that when users want to simply read Office documents, these files will have no access to other files or information. "Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data," explains Brad Albrecht, a Microsoft security specialist on the Office 2010 blog.

The sandboxing approach is a well-known mechanism for safely running untrusted programs that has been applied to Java Applets and (more recently) to Google's Chrome browser software. The technology will be used in conjunction with enhanced file (format inspection) blocker features and validity checks to provide a layered defence for Office 2010.

The file blocker, introduced in Office 2007, automatically prevents access to some document types. Improvements introduced with 2010 give users more granular control in managing how Word, Excel, and PowerPoint open their file types.

As Microsoft acknowledges, Office files have become a common payload in targeted hacking attacks over recent months.

"They have been going after many of our file-format parsers and how we read Office files," Albrecht writes. "They’re looking for ways to exploit bugs and to get their code running on your machine. We have done a lot of work to find and fix bugs, but we can’t find everything. We have to take a more proactive approach and build Office to be more resilient to attack."

Microsoft said that the security enhancements would not come at the expense of either performance or usability.

"We strive to make this process as invisible as possible," Albrecht added. "This means no noticeable delay in open times, as well as no dialogs asking you how you feel about security."

Clive Longbottom, a business process analyst at Quocirca, and veteran Microsoft watcher, said Microsoft's security enhancements provide rearguard protection against virus attacks.

"Blackhats have been most successful in the past in embedding code into a real or a false document (either a disguised .exe file, or a set of macros in the document)," Longbottom told El Reg. "The disguised .exe is pretty much covered by anti-virus files these days, but other approaches have left things open."

"This sandboxing means that even if there is malicious code in the document, it cannot do anything. The "read only" approach means that such code shouldn't be capable of running in the first place. This is all necessary as educating users has proven to be nigh-on impossible - they still open things that they shouldn't (and click on links that they shouldn't)," he added.

Longbottom added that while Microsoft's security enhancements were welcome, the software giant would always be playing catch-up with hackers.

"The rest of the approaches are all laudable, but I disagree that it puts Microsoft ahead of the blackhats - it gets Microsoft closer to them, that's all. It will not take long for the blackhats to devise alternative approaches (which may, or may not be Office related). There is just too much to be made from feeding off the mistakes that an end user will make," he concluded.

The changes were also broadly welcomed - with a few caveats on possible performance impairments - by Gartner security guru John Pescatore. The analyst told Computerworld that the enhancements represented a response by Microsoft to more widespread use of fuzzing tools, which automatically test applications for crash or code injection risks in dealing with varied (sometimes malformed) inputs, over the last 18 months or so.

"The bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability," Pescatore said. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.