With Office becoming an ever-increasing target for malware writers, Microsoft is offering a tool and guidance to help improve the security of Office 2007 and 2003.
The Office 2007 Security Guide will be posted on Microsoft’s TechEd site on Tuesday and formally introduced at the Microsoft TechEd conference this week in Barcelona, Spain. The guide will offer detailed documentation for securing Office 2007 applications to protect against specially written document files with malicious code hidden within them.
Such security has become a necessity as Office becomes a more frequent target of attacks. As Microsoft has hardened its operating system, the bad guys have gone for the low-hanging fruit and started looking in the application layer. Distribution of Word, Excel and PowerPoint files with hidden code to exploit vulnerabilities have been on the increase in recent months.
“It’s kind of a unique approach in that [security] has been the purview of the operating system,” Joshua Edwards, technical product manager for Office, told InternetNews.com. “But given the trend we’ve seen over the past few years moving from the OS level to the app layer, this was part of the design approach we’ve taken with Office 2007.”
Microsoft will also introduce the Group Policy Object Accelerator, a free tool that helps administrators set and change the security policies in Office across a network through Active Directory.
Microsoft has offered some measure of security in previous versions of its productivity suite, but Office 2007 is considerably more intricate and fine grained in its security. It has twice as many group policy and directory controls as Office 2003 and a total of 5,731 registry and policy setting, according to Edwards.
“Going through all those would be a painstaking process, so we’ve identified the 300 controls most related to security,” he said. “Everyone has a level of security and information privacy that they feel is appropriate. In the past, we’ve provided a baseline of security recommendations and guidance. But for the first time, we have built policy controls into the product itself.”
The tool and guide allow for locking down the application by not allowing it to save to certain locations, make Web transactions or run macros except from trusted sources.
Microsoft has another solution for dealing with files carrying malicious code, and that’s the XML file format used in Office 2007. Edwards said by converting files to that format, malicious code can be removed.
“Office and other media files all share a common element and that is the binary file structure,” he said. XML files are read line by line instead of as a single binary block like the old formats. “This gives you a lot of protections because the file parser will ignore something if it is not part of the XML schema, or it assumes the file is corrupt and either tries to fix or prevent it from being opened.”
Microsoft has Microsoft Office Isolated Conversion Environment (MOICE), an XML conversion tool for converting files between Office 2003 and 2007, which will provide Office 2003 users the ability to read and write XML files and hopefully protect against embedded dangerous code.