Microsoft Office 2010 Engineering

The official blog of the Microsoft Office product development group

Office 2010 Application Security

Office 2010 Application Security

  • Comments 35
  • Likes

Hello, my name is Brad and I work on the Office security team; we focus on a couple of key areas: building security features that improve the Office product line and driving the security engineering process across the division as part of the Security Development Lifecycle (SDL).

I would like to start with a high-level introduction of several of the new security features in Office 2010, what our goals are, and how we think about them. Because shipping Office isn’t about how we think about it, but instead how you think about it, feel free to ‘send a smile’ with the Technical Preview and let me know if we hit the mark.

Staying ahead of hackers

To start things off, ‘Why?’ is always a good question. Why did we spend time doing anything in this space, and to what end? Well, as the security landscape has been changing, Office has had the misfortune of becoming one of the next big targets for hackers to attack. They have been going after many of our file-format parsers and how we read Office files. They’re looking for ways to exploit bugs and to get their code running on your machine. We have done a lot of work to find and fix bugs, but we can’t find everything. We have to take a more proactive approach and build Office to be more resilient to attack.

To do that, we have designed what we have been referring to as a new security workflow, a layered defense that Office documents have to go through as part of the File Open process. We strive to make this process as invisible as possible. This means no noticeable delay in open times, as well as no dialogs asking you how you feel about security.

File Block improved

The security workflow we designed has several key features that we believe achieves the goals. First, we have improved our File Block feature that was introduced in Office 2007. We now have a way to configure it in the application and have a finer level of granularity to manage how Word, Excel, and PowerPoint open their file types.

Office File Validation: integral and non-intrusive

Another feature is our new binary file-validation system, which call Office File Validation. Since the vast majority of the exploits have focused on our older file formats, pre-dating our XML versions, we built a system that can validate those files to make sure they conform to the documented format, before they are opened by Word, Excel, or PowerPoint. This is something we did in Publisher 2007, which worked out pretty well. Office File Validation is an integral part of Office that on most days, you would never know exists.

The next question is ‘What do you do with those blocked or invalid files?’. Well, if we just blocked a file and said it was invalid, you would probably be pretty curious why it was invalid, or if maybe we made a mistake. Or, you may be sure you know what it is, and still need to read it. Denying you access to these files doesn’t really meet our goals, so we also built another system we call the Protected View.

Protected View: more security, less annoyance

Protected View is a way for us to show Word, Excel, and PowerPoint files to you, but without all of the worry about those files being dangerous. We build up a read-only view of the document in an isolated sandbox, which has minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data.

By tying all of these features together into a layered defense, any file that reaches your machine will get inspected for the file format being blocked, tested for validity, and maybe shown in a read-only protected state. All this happens in real time, with an indistinguishable performance impact on your load time, and you can open these Office files without worry.

The other goal to make these features and workflow successful is that they don’t get in the way and instead have a positive impact on your experience. That means fewer dialog boxes and less information that is not actionable. We need to make security smart enough to get out of the way when its job is done. To do that, we have made files that open in Protected View remember when you chose to trust them, so you don’t have to re-trust them next time. You are not less secure; you’re just less annoyed (hopefully!).

In future posts, my team and I will be digging into these and other features to explain how they work and give some insight into how to get the most out of them for system administrators. Stay tuned, and give feedback if you want to hear more about a specific security feature. We hope you enjoy using Office 2010, as much as we have enjoyed working with you toward its creation.

Thanks,

Brad Albrecht

Senior Security PM
Office Trustworthy Computing

Comments
  • Sheet Level and Workbook Level Security are still as weak as in Excel 2007

    VBA Password cannot be hacked with as Hex Editor...due to the changed file type, but the encryption is i guess just the same...

    File level is pretty Strong

    Why cant to increase the encryption level of Sheet level and Workbook level password to that of File level

  • The Office IT blog is continuing to provide great insight into the development process that occurs behind what has been a leaded curtain for so long.  For developers who are able to read between the lines, there are some gems in there for us to extrapolate and start using in our own works.

    http://theycallmemrjames.blogspot.com/2009/07/more-on-office-2010.html

  • Wow!  Really seems like you've got it all right.  I'm always worried about my family opening documents without first asking themselves if it is "safe".  I really like where I see Office 2010 heading and really excited to see the final product.

  • can you explain how this relates to the need to 'enable editing' on every document I open from a Windows Server fileshare; is the assumption that any file that isn't on my hard drive is suspect? will this learn that a location I trust multiple documents from is safe - I think I have found an option to trust the location manually but the dialog box text isn't that clear...

  • I've got a Word 2003 template I'm trying to open and OFV repeatedly tells me there's a problem with it.  I'm told it can't be opened and *seems* to say it's because there are macros in it that could be malicious.  That that doesn't seem to be the reason -- I'm able to open other 2003 templates with macros.  So I assume it's corrupt in some way.  But this error message is quite insufficient to instruct me on how to proceed.

  • Will Office 2010 (Word & Excel)be HIPAA compliant via cloud computing?

  • This feature will cause major problems for my company as currently implemented!

    I'm getting the following error message when attempting to create a new document from a Word template (.dot):

    "Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening."

    These templates contain code (macros) we developed and work on other systems. Details:

    - VBA code signed using a 3-year certificate from GoDaddy, expiration in 2012.

    - Word 2007+: Trusted Locations include a directory 1 level above that containing the template, with sub-folders Allowed.

    The error dialog has a 'Help' button, but (surprise, surprise, surprise) does not provide any relevant or useful help.

    What do we need to do to satisfy MS Weird 2010?

  • To Scott Holmes - the File Validation feature is still getting dialed in and has a higher false positive rate in the Tech Preview than it will when we ship. One thing you can do to help us dial it in is to send in the file that is failing validation. You should be getting asked to submit the file when you exit Word. If you'd rather, you can simply email me the file at bencan_at_microsoft_dot_com and we can see if the file is still failing validation and why.

  • Espero que seja facil e bom de trabalhar,tambem gostei do programa de 2007.

    O meu muito obrigado pelo vosso esfoço.

  • I too am getting "Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening." after I have saved the file as a trusted template. I'm not willing to send you the file, it has proprietary company info. The file works fine in Word 2007.

    If I am trusting it you should not be blocking it!!

  • Also getting

    "Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening."

    for quite a number of .dot files.

    Common for these are:

    - no VBA code.

    - created with Word 2003 running on Windows XP.

    - created with a "template builder" program which use an instance of Word 2003 and (mainly) the InsertXML method to build (and save) .dot files from bits of Word ML.

    Note: some files created with this "template builder" opens fine, others do not.

    The behaviour varies a bit dependt on settings under the Trust Center.

    If they are placed in a folder which is included in "Trusted Locations" I always get the above msg and no go.

    If they are used from another location and "Enable Protected View for files that fail validation" is checked I get the "Protected View   Office has detected a problem with this file. Editing ..." message bar.

    If "Enable Protected View for files that fail validation" is not checked I always get the above msg and no go regardless of location and other settings (it seems like...).

    When getting the "Protected View ..." message bar I get the option of "Enable Editing". Using this, I can start using the created document. However next time I try to create a document based on this template I do not get the "Protected View ..." message bar but just the msg box with "Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening."

    Anyhow lots of permutations on behaviours here. You got a bit of work to do here to fix the "bugs" (or explain the "features").

    I use Windows 7 (x64), Office 2010 Beta (x86).

    Ben Canning: Will send you a file ... Pls delete it after testing.

    Stein-Tore

  • Will Excell 2010 have improved VBA Security?  While I can currenlty lock an Excel file so that it is almost unbreakable, we have very weak protection on the password to protect viewing of VBA code.  Will this be improved with strong encryption in 2010?

  • I have been recently invited to participate in Office 2010 beta and I am

    having probs with word 2010 beta...Always at open, it encounters an error and

    has to close. All the other office programs work just fine! (outlook, access,

    excel etc all ok)

    On the top bar it does show word fails validation, all the other programs

    validate just fine....I have tried the repair option, completely removed all

    office products, run tools like CCleaner, complete reinstall and revalidate

    and fully updated MS updates and of course needed reboots. I am running XP

    Pro SP3

    I figure it is a validation issue, but cant confirm it or found another way to validate it due to crash at every load.

    But I still have the same issue-any ideas?

  • Getting a  Office File Validation error on a excel file that was opening fine through the beta 2010 version yesterday and for weeks prior.  I can still open the same file on a different computer with office 2007 on it, so I don't know what the problem is or what to do to fix it.

  • I must strongly agree with Scott Holmes and the others!

    The Office File Validation feature will definitely  cause big problems to companies and organizations which use VBA for tasks based on Word templates. At our university we developed a template for creating an e-learning educational content and I have encountered the same problem when attempting to create a new document based on such template.

    This template is signed by valid certificate and is located in a trusted location. Protected View feature is not a solution at all because in this case there is a blank document only (which is based on the template).

    Maybe the OFV blocks code because of using events with the Document Object (e.g. Document_New etc., ie Auto Macros). But auto starting of the code is an esential part of our template because e.g. it prepares a working environment for users etc.

    Well, a knife could be used for killing people but is it a reason to ban use of knives in our kitchens?

    Are not the code signing and trusted location technologies enough to protect the users against the harmful content? What should we do? OK, let's implement one, two, three ... ten message boxes to ask a user repeatedly "Are you sure?" ... "Are you really sure?" ... "Are you sure that you are really sure?". Maybe it would be the best solution to throw VBA away from Office at all ...

    No, that is not a way. I agree that harmful content is a big problem but I don't think that the right solution is to block anything.

    So I would like to suggest the Office Developers to change the Office File Validation behaviour in a way that OFFICE FILE VALIDATION SHOULD NOT BLOCK FILES WHICH ARE BASED ON SIGNED TEMPLATES LOCATED IN TRUSTED LOCATIONS.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment