Feeds

MS adds sandboxing to Office 2010

Harm reduction tactic aims to block bug exploitation

SANS - Survey on application security programs

Microsoft has announced plans to introduce sandboxing technology with the next version of its Office suite.

Office 2010 will incorporate sandboxing technology so that when users want to simply read Office documents, these files will have no access to other files or information. "Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data," explains Brad Albrecht, a Microsoft security specialist on the Office 2010 blog.

The sandboxing approach is a well-known mechanism for safely running untrusted programs that has been applied to Java Applets and (more recently) to Google's Chrome browser software. The technology will be used in conjunction with enhanced file (format inspection) blocker features and validity checks to provide a layered defence for Office 2010.

The file blocker, introduced in Office 2007, automatically prevents access to some document types. Improvements introduced with 2010 give users more granular control in managing how Word, Excel, and PowerPoint open their file types.

As Microsoft acknowledges, Office files have become a common payload in targeted hacking attacks over recent months.

"They have been going after many of our file-format parsers and how we read Office files," Albrecht writes. "They’re looking for ways to exploit bugs and to get their code running on your machine. We have done a lot of work to find and fix bugs, but we can’t find everything. We have to take a more proactive approach and build Office to be more resilient to attack."

Microsoft said that the security enhancements would not come at the expense of either performance or usability.

"We strive to make this process as invisible as possible," Albrecht added. "This means no noticeable delay in open times, as well as no dialogs asking you how you feel about security."

Clive Longbottom, a business process analyst at Quocirca, and veteran Microsoft watcher, said Microsoft's security enhancements provide rearguard protection against virus attacks.

"Blackhats have been most successful in the past in embedding code into a real or a false document (either a disguised .exe file, or a set of macros in the document)," Longbottom told El Reg. "The disguised .exe is pretty much covered by anti-virus files these days, but other approaches have left things open."

"This sandboxing means that even if there is malicious code in the document, it cannot do anything. The "read only" approach means that such code shouldn't be capable of running in the first place. This is all necessary as educating users has proven to be nigh-on impossible - they still open things that they shouldn't (and click on links that they shouldn't)," he added.

Longbottom added that while Microsoft's security enhancements were welcome, the software giant would always be playing catch-up with hackers.

"The rest of the approaches are all laudable, but I disagree that it puts Microsoft ahead of the blackhats - it gets Microsoft closer to them, that's all. It will not take long for the blackhats to devise alternative approaches (which may, or may not be Office related). There is just too much to be made from feeding off the mistakes that an end user will make," he concluded.

The changes were also broadly welcomed - with a few caveats on possible performance impairments - by Gartner security guru John Pescatore. The analyst told Computerworld that the enhancements represented a response by Microsoft to more widespread use of fuzzing tools, which automatically test applications for crash or code injection risks in dealing with varied (sometimes malformed) inputs, over the last 18 months or so.

"The bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability," Pescatore said. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.