Office 2010 Application Security


El día de hoy en le blog de Microsoft Office 2010 Engineering se dieron a conocer algunas de las características de seguridad que tendrá Microsoft Office 2010. Aquí el detalle:

Staying ahead of hackers

To start things off, ‘Why?’ is always a good question. Why did we spend time doing anything in this space, and to what end? Well, as the security landscape has been changing, Office has had the misfortune of becoming one of the next big targets for hackers to attack. They have been going after many of our file-format parsers and how we read Office files. They’re looking for ways to exploit bugs and to get their code running on your machine. We have done a lot of work to find and fix bugs, but we can’t find everything. We have to take a more proactive approach and build Office to be more resilient to attack.

To do that, we have designed what we have been referring to as a new security workflow, a layered defense that Office documents have to go through as part of the File Open process. We strive to make this process as invisible as possible. This means no noticeable delay in open times, as well as no dialogs asking you how you feel about security.

File Block improved

The security workflow we designed has several key features that we believe achieves the goals. First, we have improved our File Block feature that was introduced in Office 2007. We now have a way to configure it in the application and have a finer level of granularity to manage how Word, Excel, and PowerPoint open their file types.

Office File Validation: integral and non-intrusive

Another feature is our new binary file-validation system, which call Office File Validation. Since the vast majority of the exploits have focused on our older file formats, pre-dating our XML versions, we built a system that can validate those files to make sure they conform to the documented format, before they are opened by Word, Excel, or PowerPoint. This is something we did in Publisher 2007, which worked out pretty well. Office File Validation is an integral part of Office that on most days, you would never know exists.

The next question is ‘What do you do with those blocked or invalid files?’. Well, if we just blocked a file and said it was invalid, you would probably be pretty curious why it was invalid, or if maybe we made a mistake. Or, you may be sure you know what it is, and still need to read it. Denying you access to these files doesn’t really meet our goals, so we also built another system we call the Protected View.

Protected View: more security, less annoyance

Protected View is a way for us to show Word, Excel, and PowerPoint files to you, but without all of the worry about those files being dangerous. We build up a read-only view of the document in an isolated sandbox, which has minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data.


Fernando García Loera

MVP Lead | Community Consultant | Latin American Region

Que es un MVP? Tip para ser MVP clip_image002 clip_image004 clip_image006 clip_image008 image

Comments (0)

Skip to main content