Office 2010 includes new protection technologies and a new trust model that help provide better resilience against attack through layered defenses. For example, in previous versions of Office, when a user attempted to open a Word document, Word first tried to confirm whether the file was a properly formatted Word document. If the document being opened was a .docx file created using Word 2007 and based on the Office Open XML specification, Word validated the document by parsing it against the XSD specification for that file format. But if the document being opened was a .doc file created using the earlier Word 97-2003 Document binary file format, Word simply loaded the file into memory and displayed it without further validation, because there was no XML specification or other standard to validate the file against. The same was true for previous versions of Excel and PowerPoint.
Because of this, the Office team has engineered new protection and threat mitigation technologies into Word 2010, Excel 2010 and PowerPoint 2010. Two of these new technologies, known as Office File Validation and Protected View, are designed to help protect an organization’s resources by mitigating potentially harmful effects that can result from Office binary file format exploits. A third new feature in Office 2010 called Trusted Documents can work together with these two protection technologies to provide users with an improved experience that requires them to make fewer security decisions when working with documents that contain active content such as macros or ActiveX controls.
With Word 2010, for example, when a user attempts to open a .doc file, instead of having Word itself load the file into memory and display its contents, the file is first passed to a DLL that thoroughly validates it against the XML specification for .doc files, a specification that was created using the results of the intensive distributed fuzzing performed during the Office 2010 security engineering process. If the .doc file passes validation, this DLL passes the file to Winword.exe, which then opens it and displays its contents with full editing capability enabled. If the file fails validation, however, there is the possibility that the file may be harmful to the user’s computer. In this case, the file is opened within an isolated “sandbox” environment called Protected View that allows the user to scroll through the document and view its contents but disables all editing functionality and any active content in the document. At this point it is a special low-privilege sandboxed Winword.exe process that renders the document, not the Winword.exe host process.
Once the user has examined the contents of the document and has determined that it is from a legitimate source, the user has the option of enabling editing for the document by responding to a prompt displayed in the Message Bar. At that point the Protected View sandbox process terminates and the document is reopened using the Winword.exe host process with full editing capability enabled; if the document contains any active content, a second Message Bar prompt is displayed that presents the user with the choice of enabling the active content. If the user then chooses to enable active content within the document, a new feature of Office 2010 called Trusted Documents can remember the user’s trust decision. This means that when the user later reopens the trusted document, the active content in it is automatically enabled without prompting the user again. This behavior differs from that of Word 2007, where the user was prompted to enable active content each time they opened a document that contained macros or ActiveX controls.
DLLs similar to the one for Word 2010 have also been included for Excel 2010 and PowerPoint 2010. These are used for validating .xls and .ppt files, and both Excel 2010 and PowerPoint 2010 also display files in Protected View if the file fails validation. Administrators can also configure Office 2010 to submit information about files that fail validation via the Watson error reporting channel so the Microsoft Security Response Center (MSRC) can investigate them. When new Office binary file format vulnerabilities are discovered, updates to the XML specifications are released and automatically downloaded by Office 2010 so they can be used by Office File Validation. A key benefit of this approach is that it provides a faster response to newly discovered file format vulnerabilities than the traditional software patching process.
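To make the validation step concrete, here is an added Python example (not Microsoft's code, and far simpler than the specification-driven checks Office File Validation actually performs) that checks the header of an OLE compound file, the container format shared by .doc, .xls and .ppt, and routes the file to Protected View or to full editing in the way the article describes. The sample file is constructed inside the block; the field offsets follow the published compound file binary format.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # signature every .doc/.xls/.ppt OLE file starts with
HEADER_SIZE = 512                                  # the compound file header is always 512 bytes
DIFAT_SLOTS_IN_HEADER = 109                        # FAT sector locations the header can hold itself

def validate_cfb_header(data: bytes) -> list:
    """Return the structural violations found in the header; an empty list means it passes."""
    if len(data) < HEADER_SIZE:
        return ["file shorter than the 512-byte compound file header"]
    problems = []
    if data[:8] != CFB_MAGIC:
        problems.append("signature does not match the OLE compound file magic")
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", data, 26)
    if byte_order != 0xFFFE:
        problems.append("byte-order mark is not little-endian (0xFFFE)")
    if major not in (3, 4):
        problems.append("unknown major version %d" % major)
    elif sector_shift != {3: 9, 4: 12}[major]:
        problems.append("sector shift %d is invalid for version %d" % (sector_shift, major))
    if mini_shift != 6:
        problems.append("mini sector shift must be 6, got %d" % mini_shift)
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    cutoff, _, _, _, num_difat = struct.unpack_from("<IIIII", data, 56)
    if cutoff != 4096:
        problems.append("mini stream cutoff must be 4096, got %d" % cutoff)
    if num_fat > DIFAT_SLOTS_IN_HEADER and num_difat == 0:
        problems.append("%d FAT sectors declared but no DIFAT sectors to locate them" % num_fat)
    if sector_shift in (9, 12):                     # sector N starts at (N + 1) * sector size
        sector_size = 1 << sector_shift
        if (first_dir + 2) * sector_size > len(data):
            problems.append("first directory sector %d lies beyond end of file" % first_dir)
    return problems

def build_sample_file(major=3, sector_shift=9, first_dir=1, num_fat=1, num_difat=0) -> bytes:
    """Constructed sample (not a real document): a header plus two empty 512-byte sectors."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, major, 0xFFFE, sector_shift, 6)
    struct.pack_into("<IIII", hdr, 40, 0, num_fat, first_dir, 0)        # dir count, FAT count, first dir, txn
    struct.pack_into("<IIIII", hdr, 56, 4096, 0xFFFFFFFE, 0, 0xFFFFFFFE, num_difat)
    struct.pack_into("<I", hdr, 76, 0)                                   # DIFAT[0]: the FAT sits in sector 0
    for slot in range(1, DIFAT_SLOTS_IN_HEADER):                         # unused DIFAT slots are FREESECT
        struct.pack_into("<I", hdr, 76 + 4 * slot, 0xFFFFFFFF)
    return bytes(hdr) + bytes(2 * 512)

def choose_open_mode(data: bytes) -> str:
    """Route as the article describes: failed validation -> read-only Protected View, else full editing."""
    return "protected_view" if validate_cfb_header(data) else "edit"
```

A file that fails any check never reaches the editing path, which is the point of placing the validator in front of the host process.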
Office 2010 – Defense In Depth
By implementing multiple, redundant security controls at different levels of an information system, security threats that manage to penetrate one defensive layer can still be stopped by another layer. Office 2010 applies this strategy by providing four defensive layers to safeguard users against threats involving maliciously crafted Word documents, Excel spreadsheets or PowerPoint presentations. Each security layer in Office 2010 implements specific countermeasures that take effect the moment a user tries to open a file using an Office 2010 application and which remain in effect until the file has been successfully opened for editing. As shown in the diagram, these four layers of Office security perform the following functions:
- Harden the attack surface through improved security engineering together with key Windows operating system security features integrated into Office 2010. Support for Data Execution Protection/No Execute (DEP/NX), robust and agile cryptography, and other technologies provide a strong, first layer of defense against threats posed by malicious Office data files.
- Reduce the attack surface by limiting the types of files applications can open and by preventing the execution of certain types of embedded code. Office File Validation is a key technology at this layer, as are two other Office 2010 features, file block settings and the Office ActiveX kill bit. Together these technologies reduce the number and variety of possible attack vectors that manage to get through the first defensive layer.
- Mitigate exploits so that any attack that gets through the first two defensive layers can have its impact minimized. The key Office 2010 technology at this layer is Protected View, which allows dangerous Office files to be displayed and examined without any harm to the user’s computer or the wider network.
- Improve the user experience by reducing the number of security decisions the user needs to make and by helping the user make better security decisions. The new Trusted Documents feature of Office 2010 is key here, as it prevents “prompt fatigue”, a condition that afflicts most users when they are faced with too many repeated security warnings and results in them simply ignoring future warnings.
Defense in depth for Office 2010.
How Office 2010 Helps Mitigate Exploits
Sequence of steps that occurs when a user attempts to open a file using Word 2010, Excel 2010 or PowerPoint 2010.
To learn more about New Security Features in Office 2010, download this white paper on Keeping Enterprise Data Safe with Microsoft Office 2010