Smart But Not Secure

As the latest edition to MS' flagship productivity suite, Office XP, Smart Tags ostensibly facilitate the next level of business automation.

According to Microsoft VP Steve Sinofsky, Smart Tags will allow for a kind of multi-dimensional version of a hyperlink to be inserted into data files. Seemingly you could, for example, Smart Tag a company name to associate it with a stock ticker, and regular, live updates of its stock price. When you're working with a Smart Tagged item you'd be presented with a number of associations or automatically carried out actions in short, innovative hyperlinks that can branch off in many different directions.

For reasons of security Smart Tags won't contain executable code but because they're dependent on that code to run, the tags will include a 'downloadURL' to click on in order to collect the relevant code.

Numerous security breaches have already occurred through the mechanisms of code being included in e-mails - Smart Tags are no different in this regard. If untold numbers of seemingly well-informed people can be induced to click on an executable with the "I love you" virus as a payload, then they'd just as surely click on an endearing URL. In the case of Smart Tags (which can be made to look far more interesting and inviting) the work of viral programmers could extend into new and hazardous new arenas.

A whole plethora of potential e-commerce applications may just add additional privacy concerns to the mix. These stylish tags could provide an avenue for viral marketers and other, more crooked, types to gather personal data about users and their contacts. Code could just as easily be induced to spread virally via address books in a similar fashion to the techniques employed by a number of todays viruses.

By blocking over 39 different file types by default and by relying on differences between trusted and untrusted, signed and unsigned apps Office XP Outlook hopes to overcome these and other security problems. Nonetheless even a signed and trusted document could contain a link to a very devious external file.

Despite Microsoft's continued efforts at honing out security holes in their software the responsibility still lies heavy on the shoulders of users, administrators, business partners, and suppliers alike to ensure that unsolicited code doesn't enter through the corporate back door. Given the tasty target that Microsoft apps have made for generations of hackers and crackers the fun is far from over.