We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Microsoft dismisses Office 2007 security goals

Office security approach less bullish than Vista's

Unlike Microsoft executives who have predicted that Windows Vista will be hit by far fewer vulnerabilities than its predecessor, the developers who crafted Office 2007 won't set a security target.

"What would show we were successful?" asked Joshua Edwards, the technical product manager for Office "That we demonstrate the attack surface area is extremely small. But we don't have a specific number of vulnerabilities in the next year that we're shooting for."

Office 2007 security made front page news earlier this month when Microsoft contended that a Word 2007 'vulnerability' was actually by design.

Edwards defended Word 2007's security, and by extension, all of Office's, even with the application crash. The new Office file formats - a format dubbed Open XML by Microsoft - are superior to the binary file formats of previous Office collections, he said. "Because the XML schema is so well defined, we have a higher degree of resiliency to prevent the corruption of those documents than in earlier Office," said Edwards. "If someone has injected code into the document, as we parse them off the disk in real-time we can ignore that document."

Office 2007 was the first suite that Microsoft took through the Security Development Lifecycle (SDL), a multi-part initiative that aims for secure code. Edwards touted SDL, but didn't go as far as to call it a panacea. "Is it safe to assume that because of SDL, Office is more secure? Yes," said Edwards. "But at the same time, it's only part of what we've tried to do with Office security. And it's a process, right?"

Among SDL's processes is code review: examining old code that's been reused from earlier software and just-crafted code for possible security problems. Windows Vista, which was also developed using SDL's strategies, has taken heat recently for containing a bug in the animated cursor code, which was grabbed from Windows 2000, a seven-year-old operating system.

Edwards assured Office 2007 users that all legacy code had been thoroughly checked. "Every bit of that code still had to go through the SDL proofing tools," he said. During the SDL review, the Office 2007 team also checked the Office 2003 code responsible for numerous vulnerabilities throughout 2006 that allowed bugs in Word, Excel and PowerPoint to be used for targeted attacks. "We looked at those to see if they were impacting 2007, but they did not affect the 2007 code base."

Significant security improvements, Edwards added, were also made in Office 2007's encryption, in how users interact with the applications to finesse security options and in the tools for stripping out confidential information before passing documents to others.

Some of the security changes made in Office 2007 will also migrate downward to Office 2003 in a future service pack for the older suite, he said. Other than acknowledging that Microsoft would issue an update to Office 2003, however, Edwards refused to spell out details, such as what might make it into the service pack or when it would be released. The last Office 2003 update, SP2, appeared in September 2005.

"It's real early to have those conversations," Edwards said when asked about the service pack's specifics.

He was more forthcoming about a security guide for Office 2007 that's also in the works. Like the already-released Windows Vista Security Guide, the Office 2007 version will be aimed at IT administrators and security professionals. "It's not Microsoft's view of how to configure Office 2007, but what works in the real world," said Edwards.

The guide, which will enter an open beta this summer, is due out before the end of the year.

See PC Advisor's Office 2007 review.

www.computerworld.com


IDG UK Sites

Best January sales 2015 UK tech deals LIVE: Best New Year bargains and savings on phones, tablets,...

IDG UK Sites

Chromebooks: ready for the prime time (but not for everybody)

IDG UK Sites

Best Photoshop Tutorials 2014: 10 inspiring step-by-step guides to creating amazing art,...

IDG UK Sites

Mac tips tricks & hacks: 10 things you didn't know your Mac could do