In November 2010, Microsoft released the first Security Bulletin (MS10-079) against an Office 2010 component, in this case Microsoft Word. Approximately 6 months had elapsed since Office 2010 launched in May and while it's good for such a widely used product to be available for so long without any reported issues, we were naturally disappointed to release the first bulletin affecting Office 2010. The issue was part of a group of 32 issues reported to us by an external researcher. All of the issues were located in file parsing code, primarily in the code used for reading Word document files (.doc extension). It is worth noting that only one of these issues affected Word 2010. In that case, the specific issue wasn't actually reported against Word 2010 but it is standard practice for us to test all supported versions of products and this was how we determined that Word 2010 was affected.
During development of Office 2010, the Office Team and members of the Microsoft Security Engineering Center (MSEC) organization performed a number of actions to increase protections for file parsing code. These actions are what helped protect Word 2010 users from the vulnerabilities mitigated by Security Bulletin MS10-079. These actions included:
File fuzzing is a good but imperfect testing technique that is continuously being improved. The existence of an issue in Word 2010 indicates a need for further improvements during development of the next version of Office, which members of the Microsoft Security Engineering Center and Office Team are pursuing.
For more information on the collaboration between the Microsoft Office and MSEC teams, see the Channel 9 video entitled "Security Talk Series: Using the SDL in Office 2010".
Much of the good work in Office 2010 was possible because it was planned for and completed as part of the product's development lifecycle. Generally, work at that level occurs on a major product release. However, we have found a way to bring some of these protections to older versions of Office, and today we are glad to report that Microsoft has ported the File Validation functionality to Office 2007 and Office 2003. This functionality is expected to be available for download in CYQ1 2011. Once this enhancement is installed, Office 2007 and Office 2003 users will see two significant benefits:
Microsoft strongly encourages all Office 2007 and Office 2003 users to download and install this enhancement when it becomes available.
Bob Fruth, MSRC Security Program Manager