Office 2010 Takes Aim at Malware Threats

Microsoft described a security feature in Office 2010 designed to block malware associated with older Office binary file formats.

The feature, called "Office file validation," checks whether a binary file used by Office applications such as Word, PowerPoint and Excel (with .DOC, .PPT and .XLS extensions) is a trusted document or is stored in a trusted location. If not, the file will be isolated in a sandbox, or "protected view," which will limit the file's access to system resources, according to David B. Heise, a member of Microsoft's Office security team, in a Wednesday blog post.

The validation feature was first introduced in Microsoft Publisher 2007 to check .PUB files, Heise explained. It will take longer to open binary files in Office 2010 because of the validation process, but the delay will be barely perceptible. Heise said in the blog that "most files validate in the 1 to 100 milliseconds range."

The new Office file validation feature extends concepts from an earlier Microsoft security tool called "MOICE," or Microsoft Office Isolated Conversion Environment, according to Wolfgang Kandek, CTO of Qualys.

"Office documents received by e-mail or downloaded through the Internet are opened in a protected environment, a 'sandbox,' and if the document attempts to modify the underlying operating system, it is blocked by the sandbox," Kandek explained in an e-mail. "If the user wants to edit and save the document, he has to press an 'enable editing' button to retrieve the document from the sandbox."

IT pros might feel nervous about letting users edit such sandboxed documents, an option that can be enabled through Office 2010's "backstage view." Heise explained that Microsoft provides group policy settings in Office 2010 to turn off that option.

In general, client-side attacks leveraging binary files represent a growing security concern these days, according to Tyler Reguly, senior security engineer at nCircle.

"The whole genre of client-side attacks is coming to the forefront, especially when you are talking about Office," Reguly said. "So those older documents, like Office 97 to Office 2003 formats -- before they got into the new Office 2007 format -- they really are one of the primary target points right now."

Office 2010, which was released last month as a beta, relies on Microsoft's newer Open XML file format that first appeared in Office 2007. In general, there has been a decrease in security vulnerabilities associated with Open XML document formats, according to Reguly.

Despite the new security checks in Office 2010, users still need to run antimalware at the gateway and the desktop, according to Reguly.

"You need to be scanning your e-mail -- there are too many threats coming in," Reguly said. "While this [Office file validation] is going to help and reduce the problems, it's not a be-all and end-all. It's one more layer in that onion of security."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.