In November 2010, Microsoft released the first Security Bulletin (MS10-079) against an Office 2010 component, in this case Microsoft Word. Approximately 6 months had elapsed since Office 2010 launched in May and while it’s good for such a widely used product to be available for so long without any reported issues, we were naturally disappointed to release the first bulletin affecting Office 2010. The issue was part of a group of 32 issues reported to us by an external researcher. All of the issues were located in file parsing code, primarily in the code used for reading Word document files (.doc extension). It is worth noting that only one of these issues affected Word 2010. In that case, the specific issue wasn’t actually reported against Word 2010 but it is standard practice for us to test all supported versions of products and this was how we determined that Word 2010 was affected.
Why was Word 2010 largely unaffected?
During development of Office 2010, the Office Team and members of the Microsoft Engineering Center (MSEC) organization, performed a number of actions to increase protections for file parsing code. These actions are what helped protect Word 2010 users from the vulnerabilities mitigated by Security Bulletin MS 10-079. These actions included:
- Designing and implementing the File Validation feature, which is included in Word, Excel, PowerPoint and Publisher (.doc, .xls, .ppt and .pub file formats). File Validation verifies the contents of the file as it is being read, and if it detects an issue, opens the file in Protected View (see below). To view more information on this, you can view this Security video.
- Designing and implementing the Protected View feature. Protected View provides a read-only mode that disables most editing functions when a file is opened. In Protected View, the user can review the contents of a file obtained from a potentially unsafe location (such as the Internet or as an email attachment) without endangering their system. For more information see Protected View.
- Executing in excess of 800 million iterations of file fuzzing tests against Office parsing code, including the parsers for .doc files. The Office Team built a distributed file fuzzing framework that enabled the Office team to efficiently run multiple fuzzing tests against the file parsers included in Office 2010. This framework, along with related improvements made in Office Security Engineering, was presented at the BlueHat Security Briefings in October 2009.
File fuzzing is a good but imperfect testing technique that is continuously being improved. The existence of an issue in Word 2010 indicates a need for further improvements during development of the next version of Office, which members of the Microsoft Security Engineering Center and Office Team are pursuing.
For more information on the collaboration between the Microsoft Office and MSEC teams, see the Channel 9 video entitled“Security Talk Series: Using the SDL in Office 2010”.
What about Office 2007 and Office 2003 users?
A lot of the good work in Office 2010 was possible because that was work planned for and completed as part of the product’s lifecycle. Generally, work at that level occurs on a major product release. However, we have found a way to bring some of these protections to older versions of Office and today we are glad to report Microsoft has ported the File Validation functionality to Office 2007 and Office 2003. This functionality is expected to be available for download in CYQ1 2011. Once this enhancement is installed, Office 2007 and Office 2003 users will see two significant benefits:
- The File Validation functionality will now be available. This feature will verifies the contents of .doc, .xls, .ppt and .pub files as they are being read, and if it detects an issue, display a warning informing the user that there is a potential issue with the file.
- At some point in the future, Microsoft anticipates issuing “signature files” that provide new information for use by the File Validation functionality. These signature files will typically include information that File Validation can use to detect previously unknown vulnerabilities in files, and warn the user appropriately. It is anticipated that installing a signature update will be less disruptive than deploying a Security Bulletin, especially for large Office deployments.
Microsoft strongly encourages all Office 2007 and Office 2003 users to download and install this enhancement when it becomes available.
Bob Fruth, MSRC Security Program Manager