Hello, my name is Vikas and I work in the Office Trustworthy Computing security team. Today I will be telling you more about a feature I have been working on called Protected View. Protected View is one of the new security defense-in-depth features added in Office 2010. If you have not seen Brad’s post yet on this and the other new security improvements, it’s definitely worth taking a few minutes to look it over.
With any piece of complex software, new file parsing exploits against it may be found over time. The older Office binary file formats have been particularly susceptible to these attacks. Over the past years attackers have discovered ways to manipulate Office binary files so that, when they are opened and parsed, the parsing code itself ends up running code embedded within the file. To address these binary file parsing attacks, Office 2007 introduced several new XML based file formats. These XML file formats are much easier to parse safely and provide a significant security benefit over the older binary formats. We do understand that there are still several billion binary files in use today and that migrating to the new XML formats will take some time, but if possible, the sooner you migrate, the sooner you can start leveraging the security benefits these new formats provide.
To address these attacks in the past, the Office team released MOICE (Microsoft Office Isolated Converter Environment). MOICE would take a potentially risky binary file, convert it within a sandboxed process to the new XML format, convert it back to the binary format, and then open the result. The hope was that this round trip would strip out any exploit code hidden within the file. MOICE had some downsides: a file that took a long time to convert appeared to take a long time to open, which frustrated users, and the conversion did not always preserve 100% of the document's layout. So there was certainly room to improve the overall user experience of the feature.
In Office 2010, when a file appears to come from a potentially risky location, such as the Internet, it is opened in Protected View. Protected View looks like any other read-only view. Under the covers, however, a file opened in Protected View is being opened inside the new Office 2010 sandbox. The Office 2010 sandbox is the "next version" of the MOICE sandbox described earlier. Unlike MOICE, no file conversion takes place. Instead, the file is opened within a sandboxed instance of the application (Word, Excel, PowerPoint), and if malicious code is present in the file, the goal is that it cannot find a way to tamper with your documents or change your profile or other user settings. I will describe this in more detail a bit later in this post.
Since Protected View is a read only view, we understand it is not something that should be used for every file you interact with. Our goal when designing this feature was to only use it in high risk scenarios:
· Files opened from the Internet. When a file is downloaded from the Internet, the Windows Attachment Execution Service places a marker in an NTFS alternate data stream on the file (the Zone.Identifier stream) to indicate that it came from the Internet zone. When a Word, Excel or PowerPoint file that carries this marker is opened, it opens in Protected View until the user decides to trust and edit it. That is done by pressing the "Enable Editing" button shown below:
In some cases a file opened from a network share that you believe is part of your Intranet zone will open in Protected View, and the trust bar will indicate that it originated from an Internet location. This can happen because of how your proxy is set up, or because you have not enabled "Automatically detect intranet network" under Internet Options – Local intranet, as shown below:
· Attachments opened from Outlook 2010. When an attachment is opened from Outlook 2010 it opens in Protected View. Administrators can configure whether all attachments open in Protected View or only those from senders outside their Exchange environment.
· Files opened from unsafe locations. An example of an unsafe location is your Temporary Internet Files folder. As an administrator you can extend this list to include other directories you consider unsafe.
· Files that are blocked by File Block policy. In Office 2007 we introduced a feature called File Block, which lets administrators define file types that should not be opened. When a type was blocked, it simply could not be opened at all. From your feedback we heard that this was overly limiting, since your users still wanted to "read" those files. In Office 2010 blocked files can instead be opened in Protected View, and as an administrator you can set policy to control whether the user is allowed to leave Protected View (by editing the file) or is forced to stay in it. We hope this design makes the issues and pains you felt go away!
· Office File Validation failures. Office File Validation is a new feature that scans an Office file as it is being opened and validates it against a well-known schema. When there are inconsistencies between the file and the schema, the file fails validation and opens in Protected View. As with File Block, policy is available to determine whether the user is allowed to edit the file after a validation failure.
· File Open Dialog. You can open files in Protected View explicitly by using the Open button:
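The two triggers above that a practitioner can inspect from the outside are the Internet-zone marker and the per-user Protected View switches. The PowerShell below is an added example, not code from the original post: it reads the Zone.Identifier stream, reads the Protected View settings that the Trust Center writes under the Office 14.0 registry hive, and reports why a given file would land in Protected View. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter) and Office 2010; the registry value names DisableInternetFilesInPV, DisableAttachementsInPV and DisableUnsafeLocationsInPV are the ones Office 2010 uses for those settings, but confirm them against your own Trust Center before relying on the result.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 3.0+
# (for -Stream) and Office 2010 (registry hive version 14.0). Confirm the
# DisableXxxInPV value names against your own Trust Center settings.

$PVKey = 'HKCU:\Software\Microsoft\Office\14.0\Word\Security\ProtectedView'

function Get-MarkOfTheWeb {
    # Reads the Zone.Identifier alternate data stream that the Attachment
    # Execution Service writes to downloaded files. Returns $null when absent.
    # ZoneId values: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch { return $null }
    $zone = $null
    foreach ($line in $raw) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; ZoneId = $zone; Stream = ($raw -join "`n") }
}

function Get-ProtectedViewPolicy {
    # Reads the per-user Protected View switches. A value of 1 disables that
    # trigger; a missing value means the default (trigger enabled).
    $p = Get-ItemProperty -Path $PVKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InternetFiles   = -not ($p.DisableInternetFilesInPV   -eq 1)
        Attachments     = -not ($p.DisableAttachementsInPV    -eq 1)   # sic: Office's own spelling
        UnsafeLocations = -not ($p.DisableUnsafeLocationsInPV -eq 1)
    }
}

function Test-ProtectedViewTrigger {
    # Mirrors two of the triggers listed in the post: an Internet/Restricted
    # zone mark, and the Temporary Internet Files folder as an unsafe location.
    param([Parameter(Mandatory)][string]$Path)
    $policy  = Get-ProtectedViewPolicy
    $motw    = Get-MarkOfTheWeb -Path $Path
    $reasons = @()
    if ($policy.InternetFiles -and $motw -and $motw.ZoneId -ge 3) {
        $reasons += "Zone.Identifier ZoneId=$($motw.ZoneId) (Internet or Restricted zone)"
    }
    $tif = [Environment]::GetFolderPath('InternetCache')
    if ($policy.UnsafeLocations -and $tif -and $Path.StartsWith($tif, 'OrdinalIgnoreCase')) {
        $reasons += "located under Temporary Internet Files ($tif)"
    }
    [pscustomobject]@{
        Path                 = $Path
        OpensInProtectedView = ($reasons.Count -gt 0)
        Reasons              = $reasons
    }
}

# Demonstration on a constructed file: stamp it as if it had been downloaded,
# check it, then clear the mark the way Unblock-File (or the file's Properties
# dialog) would, and check again.
$sample = Join-Path $env:TEMP 'pv-demo.docx'
Set-Content -LiteralPath $sample -Value 'not a real document'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-ProtectedViewTrigger -Path $sample | Format-List     # OpensInProtectedView: True
Unblock-File -LiteralPath $sample                         # deletes the Zone.Identifier stream
Test-ProtectedViewTrigger -Path $sample | Format-List     # OpensInProtectedView: False
Remove-Item -LiteralPath $sample
```

The Outlook attachment, File Block and Office File Validation triggers are decided inside the application and have no file-level marker to inspect, so they are not modelled here; the point of the script is that the Internet-zone decision rests entirely on the Zone.Identifier stream, which is why copying a file through a tool that does not preserve alternate data streams silently loses the protection.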
The biggest gain is that Protected View lets us remove "are you sure?" security prompts while giving you greater protection than you had in the past. For example, if you are an Outlook user like me, you may have noticed that each time you open an attachment you are asked a question:
For me it is extremely hard to answer this question without seeing the contents of the file first. In Office 2010 we have removed this dialog and instead open the file directly in Protected View. This lets you look over the contents and make an informed decision about whether you really trust the file. If you do not, or if you only wanted to read it, you can get your job done and then close it. The reason we are comfortable opening the file directly is the many defense in depth checks we now have in place.
In addition to the open prompt, we also removed the Outlook Preview pane prompt shown below:
Now when you read Word, Excel, PowerPoint and Visio files in the Outlook preview pane you will no longer be prompted asking if you really trust the file first when Protected View is enabled.
Protected View has changed how Word, Excel and PowerPoint are architected. When a file is opened in Protected View there are two instances of the application running. To illustrate, I will use Word. One instance of winword.exe runs in the context of the account you are logged in as (we call this the "host" process), and another instance of winword.exe runs in a very isolated process (we call this the "client" process). We also call the isolated process the Office sandbox, and you will see the two terms used interchangeably.
The best way to describe it is with a picture. The client process is the part of the UI that is highlighted black and everything else is part of the host process as shown below:
When the user clicks on any part of the host process's UI, User Interface Privilege Isolation (UIPI) gives us high assurance that the action came from the user rather than from the sandboxed client, because UIPI blocks a lower-integrity process from sending window messages to a higher-integrity window. So we do not need to prompt with additional "are you sure you did this?" dialogs. The host process owns the top level application frame window shown above, which includes the window caption, the ribbon, the trust bar, the status bar, etc. The host process manages the Protected View and non-Protected View windows and acts as a "broker" for the client process. There is only one instance of the client/sandbox running at a given time, and all files opened in Protected View share that sandbox instance within an application. When all Protected View windows are closed, the client process is terminated. When the client needs to perform a privileged task (such as accessing the file system, the registry or other system resources) it makes a request to the host process, and the host then brokers and performs the action if it deems it appropriate.
As alluded to earlier, the client process is another Windows process running in the context of the user account, but the token it runs under is a restricted token. Using a restricted token let us remove several rights and privileges from this process. To lock the client process down further, we also run it at low integrity level. Together, the restricted token and the low integrity level (with the UIPI message filtering that comes with it) provide the foundations of the Office 2010 sandbox.
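Both properties the post attributes to the client process, a restricted token and a low integrity label, are visible from outside the process. The PowerShell below is an added example, not code from the original post or the Office team: it P/Invokes IsTokenRestricted and GetTokenInformation(TokenIntegrityLevel) against each running process of a given name and prints the restricted flag and integrity level. It assumes Windows PowerShell 2.0 or later (for Add-Type) and that the target processes belong to the same user, which is true of the Protected View client; the function name Get-ProcessSandboxState is this example's own.

```powershell
# Added example, not code from the original post. Probes a running process's
# token for the two properties the sandbox relies on: IsTokenRestricted and the
# integrity level (last RID of the mandatory label SID). Assumes Windows
# PowerShell 2.0+ and that the target runs as the current user.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class TokenProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool IsTokenRestricted(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    static IntPtr OpenToken(int pid)
    {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();
        IntPtr token;
        bool ok = OpenProcessToken(proc, TOKEN_QUERY, out token);
        CloseHandle(proc);
        if (!ok) throw new System.ComponentModel.Win32Exception();
        return token;
    }

    public static bool Restricted(int pid)
    {
        IntPtr token = OpenToken(pid);
        try { return IsTokenRestricted(token); } finally { CloseHandle(token); }
    }

    // Returns the integrity RID: 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system.
    public static uint IntegrityRid(int pid)
    {
        IntPtr token = OpenToken(pid);
        IntPtr buf = IntPtr.Zero;
        try
        {
            int needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            buf = Marshal.AllocHGlobal(needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buf, needed, out needed))
                throw new System.ComponentModel.Win32Exception();
            // TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES; its first field is the PSID.
            IntPtr sid = Marshal.ReadIntPtr(buf);
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
        }
        finally
        {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            CloseHandle(token);
        }
    }
}
'@

function Get-ProcessSandboxState {
    # One row per matching process: restricted-token flag and integrity label.
    param([Parameter(Mandatory)][string]$Name)
    $levels = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        try {
            $rid = [int][TokenProbe]::IntegrityRid($p.Id)
            [pscustomobject]@{
                Name       = $p.Name
                Id         = $p.Id
                Restricted = [TokenProbe]::Restricted($p.Id)
                Integrity  = $(if ($levels.ContainsKey($rid)) { $levels[$rid] } else { '0x{0:X}' -f $rid })
            }
        } catch { Write-Warning "$($p.Name) ($($p.Id)): $($_.Exception.Message)" }
    }
}

# With a document open in Protected View you expect two WINWORD rows: the host
# (Restricted=False, Integrity=Medium) and the sandboxed client
# (Restricted=True, Integrity=Low). Close the last Protected View window and
# the second row disappears, matching the lifetime described in the post.
Get-ProcessSandboxState -Name winword | Format-Table -AutoSize
```

Run it from a normal (medium integrity) PowerShell window; a process can open the token of another process at its own or a lower integrity level, so the low-integrity client is always visible to the user who owns it.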
As discussed, Protected View is one of many security defenses in Office 2010. For malware to actually run inside Protected View, it would first need to find a way around DEP, ASLR, /GS stack protection and the new Office 2010 File Validation checks. After all that, the malware would still need to find a way to break out of the sandbox.
Hopefully now when you think you received a ‘scary’ Word, Excel or PowerPoint file you will be able to open it in Protected View and read it without having to worry that something bad could happen to your computer.
I appreciate you reading this far and stay tuned for more security posts coming soon!
Thanks.
Vikas Malhotra
Security Program Manager
Office Trustworthy Computing
I think it is good.
Hi, if the trust centre and trusted locations and file block settings are all correct, and I still can't save any documents, even after editing the registry, are there any other fixes that you can advise me of?
I would greatly appreciate it if you could help me with the following.
I downloaded Word 2010, uninstalled Word 2000, and saved all my Word documents.
Problem: when I open my old Word 2000 files in the new Word 2010, I find that in the Word documents that have mixed content, i.e. English and Biblical Greek on the same page, some of the Biblical Greek characters have changed. Some words/letters are now squares, others look good.
Thank you for your advice.
I do not understand, because it is written in English.
I am sorry. Greetings, DIDIER CARDIN
Vikas, thank you. I am a little more informed about how easily I can do my work with Office.
I can't download the Office 2010 beta.
Personally, like a couple of others here posting about Protected View, I think it is seriously flawed as it is right now. I have gone into the settings and turned it all off, but it still comes up on all documents on the PC that I use. Currently I do a lot of PC faxing using software that converts my .doc files into a .tif file for sending multiple pages. It worked fine with Office 2007; however, with Office 2010 it now fails to convert any file because of the "Protected View" security feature.
This option is literally costing me time and business. If I cannot completely turn it off then it is worthless to me, because I need those files converted to interact with our fax server here in the office. I literally have between 20 and 40 general contractors that I need to fax documents to, and if this cannot be turned off so it quits messing up the conversion process, then it is a waste of money for my business, and I am sure that many other businesses with the same setup I have will find the same.
Please don't get me wrong, it is a great feature for documents received through email attachments, but it is extremely frustrating that any document on my own computer is blocked when I open it. It is pointless and a waste of my time. Please fix the problem with Protected View. If I want to turn it completely off, then it should let me.
I cannot save anything in Word 2010. I cannot even open Word, select a blank document, type the word "test" in the document, and attempt to close it.
I get the following error.
This error occurs if you try to save a Microsoft Office document and the file type for that document has been blocked by a registry policy setting. To help secure your computer, Microsoft or the administrator of this computer implemented a registry policy setting that prevents saving this type of file.
To save documents with this file type, disable the registry policy setting. For more information, see Microsoft Knowledge Base article 922850.
I have attempted to do what the Knowledge Base article states, but with the removal of Office 2007 the steps are incomplete, or do not apply to Office 2010.
Can someone help with this issue?
I am annoyed by the default Protected View settings. I like the idea, but I also wish I could mark a location as trusted or mark a file as trusted.
I've tried un-checking the boxes in the Protected View settings, and my files still open in read only. I learned that when I right click a file and choose "Edit" the file opens as an editable file.
However, strangely, when I right-click a file and choose "Open as Read-Only" the file also opens as an editable file.
I cannot save anything in any format in 2010. I get this message:
Quote "This error occurs if you try to save a Microsoft Office document and the file type for that document has been blocked by a registry policy setting. To help secure your computer, Microsoft or the administrator of this computer implemented a registry policy setting that prevents saving this type of file.
To save documents with this file type, disable the registry policy setting. For more information, see Microsoft Knowledge Base article 922850." End Quote
I am the administrator/owner of all my computers, and this article does not tell me how to modify the registry for 2010.
I'm ready to go back to 2000!!!
Guess I need to learn to read! In the Trust Center I checked all the boxes. Then I read "By checking Save, Word PREVENTS saving files of this type." Duh, I must be blonde!!!
Great. Very good indeed.
Hello, office 2010 is Very Very good for my business.
The feature seems good, and I feel it helps us a lot in reading attached files in protected mode. Nowadays we are getting used to registering our accounts in almost every activity and transaction, and thereby receiving 10 to 20 mails with attachments every day, some worthwhile and some not. Earlier we had no option either to save or to decline without seeing the documents, even if they were very important, only because of some suspicion or fear of some kind of trojan or virus.
I appreciate it a lot and look forward to seeing more key features included, as already discussed above.