Microsoft to boost Office 2003, 2007 security

Will backport suspicious file sniffer from Office 2010 in Q1 of 2011

Microsoft said on Tuesday that it would backport an Office 2010 security feature to the older and more widely used Office 2003 and Office 2007 early next year.

Dubbed Office File Validation (OVE), the technology validates older, pre-XML file formats for Word, Excel, PowerPoint and Publisher, then opens those that don't conform to the documented format -- rigged files containing an exploit, for example -- in a special "sandbox" within Office 2010 called Protected View.

That sandbox lets users view the contents of a document, but disables most editing functions to prevent malware that may be embedded in the file from executing.

OVE debuted in early builds of Office 2010, which launched last June.

Microsoft said on Tuesday that it would bring some parts of OVE to Office 2003 and Office 2007 in the first quarter of 2011.

"It will be an optional update for those platforms, but we'll make a big push to urge customers to download it," Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), told Computerworld on Tuesday.

As in Office 2010, OVE in Office 2003 and 2007 will examine Word, Excel, PowerPoint and Publisher documents saved in Office 97-2003 binary file formats. (Microsoft moved to XML-based document formats by default with Office 2007.)

See How to Deliver a Better PowerPoint Presentation

However, rather than opening suspicious files in a sandbox, which neither of the older suites have, OVE in Office 2003 and 2007 will trigger an alert that warns the user that the document could be dangerous.

Users can click through the warning to continue opening the file, Bryant said.

Microsoft decided to backport OVE to Office 2003 and 2007 after analyzing about four years' worth of data. The company said that more than 80% of all Office security cases would have been handled by OVE if it had been in place throughout the suite's versions.

File format vulnerabilities -- exploited by specially crafted documents -- have long plagued Office, and remain the top threat to users. On Tuesday, for example, Microsoft patched that could be used to hijack a PC with malformed files.

At some point, the Office team plans to issue "signatures" so OVE can detect newly-discovered file format vulnerabilities, then push the document into Protected View (in Office 2010) or warn the user (Office 2003, 2007).

Bryant declined to set a timeline for the updates, which would be analogous to the signature updates regularly provided for antivirus software -- but said they would definitely not go live when Office 2003 and 2007 receive the OVE upgrade next year.

"This won't happen in the foreseeable future, but when it does, the vast majority of Office vulnerabilities would be mitigated by technology like this," Bryant said.

Unfortunately, users of the even older Office XP won't receive the OVE update. That edition, which shipped in 2001, is even buggier than 2003 and 2007. Last October, for example, Microsoft patched 11 vulnerabilities in Office XP's Word 2002 , but had to issue fixes for only two of the same flaws for Office 2003 and just one each for Office 2007 and Office 2010.

Join the CSO newsletter!

Error: Please check your email address.

Tags App SecurityapplicationsMicrosoftsecuritysoftwareMalware and VulnerabilitiesOffice suites

More about ExcelMicrosoftTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place