Microsoft admits it can’t stop Office file format hacks

Discussion in 'Windows News' started by reghakr, Jul 27, 2009.

  1. reghakr

    reghakr Excellent Member

    Jan 26, 2009
    Likes Received:
    Microsoft’s plan to “sandboxâ€Â￾ Office documents in the next version of its application suite is an admission that the company cannot keep hackers from exploiting file format bugs, a security analyst said on July 23. “What’s been happening is that Office has lots of vulnerabilities,â€Â￾ said Gartner’s primary security analyst. “For the past 18 months, hackers have been fuzzing Office file formats,â€Â￾ he said, referring to the practice of “fuzzing,â€Â￾ a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur. Fuzzing has been a hacker’s best friend: Microsoft has repeatedly had to patch file format vulnerabilities in Office applications, most recently in July when it fixed a flaw in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word. “What’s happening is that the bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, ‘Okay, we can’t find, let alone fix, every vulnerability. So here’s a way to put a sandbox around the vulnerability.â€Â￾ The sandbox technique mentioned is a new addition to Office 2010, the upcoming upgrade to Microsoft’s bestselling Windows application suite. According to a senior security program manager with the Office team, Office 2010 will sport something called “Protected Viewâ€Â￾ that isolates Word, Excel and PowerPoint files in a read-only environment. The sandbox, said the program manager in a post to a company blog this week, will have “minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data.â€Â￾

  2. Camride

    Camride New Member

    Jan 17, 2009
    Likes Received:
    Not the best way to do it but it should work. I have the Office 2010 Technical Preview and I noticed that "sandbox" whenever you download a file. If you didn't create it the file is automatically opened as "read only" so it can't do anything. Pretty good idea, even if they didn't have vulnerabilities. Chrome does the same thing with it's browser.

Share This Page