Smart tagging in Office XP – what Melissa did next?

Microsoft is shuttering its software against viruses, but the latest edition of its flagship productivity suite, Office XP, just might be introducing a whole new class of back door. Office XP includes the facility to build a kind of multi-dimensional version of a hyperlink into data files, and that's where the problem could lie.

Microsoft's Smart Tags, as they're known, allow items in Word docs, spreadsheet cells and so on to have properties attached to them. So an entry for a person's name, for example, could 'know' that it's a name, and have knowledge of its entry in your contact book, or as the author of a book, as a company employee with a personnel file, or all of the above and more.

When you're working with that name, or any other item with Smart Tags attached to it, you'd be presented with a number of options for actions to be taken in association with it. Or conceivably, the actions could be automatically carried out. Unlike hyperlinks, they can lead in many different directions, so the possibilities are infinite.

From Microsoft's point of view the system has great potential, both from the point of view of leveraging its own assets from Office, and from that of corporate customers, who can be offered Smart Tags as a further mechanism for automating their businesses. Smart Tags themselves, incidentally, are dependent on the use of XML in the latest rev of Office, so it's worth bearing in mind that there could be security issues associated with the implementation of XML by any company - it's not necessarily just a question of Microsoft.

But in this case, Microsoft is building the tools. As explained by Microsoft VP Steve Sinofsky in Seattle yesterday, you could Smart Tag a company name to associate it with a stock ticker, and regular, live updates of the stock price from, say, Moneycentral.
You can think of hosts of examples like this where Microsoft would be able to leverage its position as vendor of the industry standard productivity suite into sales for this and other of its MSN content assets. You can also figure out how tagging can be used to automate business processes - somebody sends you an email, you can be prompted to arrange a meeting, review joint projects, upgrade their software, whatever might seem relevant, or be available.

For security reasons, although Smart Tags themselves are intended to be shared, they don't contain executable code. But they do need that code to run, so if you don't already have it in trusted form on your local machine, the tag can include a "downloadURL" you can click on in order to collect that code.

This in itself seems little different from allowing code to be attached to emails - if people can be induced to click on an executable with Anna as a payload, they're surely just as likely to click on a URL. Dumb is dumb. Today, Microsoft is busily patching the security holes that came along with its earlier integration, automation and sharing model, but Smart Tags make it clear the company is still pursuing the same approach. And potentially, because they'll be easier and more interesting from the user's perspective than VBS scripts, the problem could be a lot bigger next time around.

Smart Tags could also have serious privacy implications, depending on how they are used by e-commerce operations, and by the less scrupulous operations on the Web. Users aren't in a position to know exactly what the code they've accepted is doing, so it could be used to gather data on them, their contacts, to spread virally via their contact books... There are clearly lots of possibilities, some of them not particularly nice. Even on the nice (ish) side, imagine how e-commerce sites could operate some kind of 'loyalty points for tag acceptance' system, and using the tagging to glean ever-richer data about their customers' habits.

The defence against this is the one we prepared earlier, and that we're rolling out over the next few years. The old attachment problem is being dealt with as promised, by blocking file attachments. In Office XP Outlook has 39 file types blocked by default, and this can be adjusted according to preferences. Future defences ("post Outlook 2002") will rely far more on differentiation between trusted and untrusted, signed and unsigned apps. This however - as Microsoft itself accepts - is likely to raise hackles with other software vendors.

But there are further issues, even if all applications being run and data files being used are signed and trusted. What, for example, if a signed document includes a link to an external file that changes?

But when it comes down to it, despite all the new security measures being introduced with OXP, responsibility falls on users and administrators, as always. "Signed applications are no different from any other code that could get on your machine," says lead program manager Jeff Reynar. "There's no new opportunity to do these malicious things with Smart Tags." Basically, they just do the same kinds of things that earlier technologies did, but maybe more so - and as always, your security and privacy is based on how awake you, your admins, your business partners and suppliers are. ®