Microsoft is touting a new set of security features designed to lock down Word and Excel. The software giant said it hopes the move will end Office's run as a favourite target of malware authors and remote attackers.
Josh Edwards, technical product manager for Microsoft Office, explained in an interview with vnu that Microsoft completely restructured the way it approaches security in the latest release of Office.
Edwards said that the new approach began three years ago when the company realised that it had to make security a central priority.
"The idea was how we could integrate security in such a way that it is not a feature, but more of a philosophy," he said.
In order to shift security to centre stage, Microsoft took several steps to ensure that security research was integrated into the development process for Office.
Edwards said that the company brought in outside researchers to find weaknesses, and required its project managers to become proficient in security.
The renewed focus on security for Office is well timed. Increasingly sophisticated attackers have shifted much of their focus from vulnerabilities within Windows to applications such as Excel and Office.
"Every file type, every application that is broadly used, is facing the same situation right now," said Edwards.
"Office, being a commonly used application, has received a lot of that attention, and has driven a lot of the things we're doing with security."
One of these measures is the move to the OpenXML document format. The new format stores different parts of the document separately, keeping formatting and document information away from the actual data itself.
Microsoft hopes that OpenXML will make it easier for security software to isolate the areas where malicious code may be located and remove exploits placed within documents.
However, some security experts believe that OpenXML may do the opposite. Vincent Weafer, senior director of Symantec Security Response, told vnu that scanning OpenXML files may become too difficult and time-consuming to be practical for many users.
"You can embed objects in multiple locations, which makes scanning the files very difficult," he said. "If the cost of scanning is so great, it might not work."
Weafer is also sceptical of the effectiveness of another security feature in Office 2007: protection from macros.
Microsoft has gone to great lengths to protect Office from macro attacks, creating a separate format for Word documents that contain macros, allowing users to know right away whether a Word document could contain harmful code.
The company has also disabled the ability to run macros by default, replacing the dialogue window that Edwards refers to as the 'do you feel lucky?' box with a small bar informing the user that a macro has been disabled and giving the user the option to allow the macro to run.
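As an added illustration (not code from the article or from Microsoft), the sketch below shows how a scanner can use the package layout described above: it walks every relationship file in an Open XML package to find macro and embedded-object parts wherever they sit, and flags a macro part inside a file named with a macro-free extension. The sample package, its file name and its part contents are constructed for the example.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Last path segment of the relationship Type URI -> finding category
WATCHED = {"vbaProject": "macro", "oleObject": "embedded", "package": "embedded"}
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")

def scan_package(filename, data):
    """Walk every .rels part and report macro and embedded-object targets."""
    found = {"macro": [], "embedded": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            # word/_rels/document.xml.rels describes targets relative to word/
            base = posixpath.dirname(posixpath.dirname(part))
            for rel in ET.fromstring(pkg.read(part)).iter(REL_NS + "Relationship"):
                kind = WATCHED.get(rel.get("Type", "").rsplit("/", 1)[-1])
                if kind and rel.get("TargetMode") != "External":
                    target = posixpath.join(base, rel.get("Target", ""))
                    found[kind].append(posixpath.normpath(target).lstrip("/"))
    # A macro part inside a file whose name promises "no macros" is a mismatch
    found["macro_in_macro_free_name"] = (
        bool(found["macro"]) and filename.lower().endswith(MACRO_FREE_EXT))
    return found

def build_sample():
    """Constructed sample: relationship file pointing at a VBA part and an OLE object."""
    ms = "http://schemas.microsoft.com/office/2006/relationships/"
    od = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ms}vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId2" Type="{od}oleObject" Target="embeddings/oleObject1.bin"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
        z.writestr("word/embeddings/oleObject1.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_package("report.docx", build_sample()))
```

Following relationships rather than matching fixed part names matters because the package format lets a producer place parts under arbitrary paths.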
But Weafer believes that all the work to stop macros may be of little use against contemporary and future security threats, pointing out that it has been years since widespread macro attacks were popular.
Weafer was, however, quick to praise Microsoft for the work it has done on improving security in Office, in particular the excellent job of cleaning up source code and securing Office at the development level.
The biggest security issue facing Office, according to Weafer, is the sheer size and ubiquity of the software. Because Office is so widespread, it will always be a target of malware authors and attackers.
"These are very professional groups, and they do a lot of research," he explained. "In general, you are never going to see a day when there are no vulnerabilities."
Microsoft attempts to lock down Office
By Shaun Nichols on May 1, 2007 1:00PM