Under the Office Security Kimono at CanSecWest

Posted by Warren Frey

Tom Gallagher, the senior security test lead for Office Trustworthy Computing, and David Conger, a Microsoft Access software engineer, peered “Under the Kimono of Office Security Engineering” today at the CanSecWest conference at the Sheraton Wall Centre in Vancouver. 

The oldest threat in Office was macro viruses, Gallagher said. People would create malicious viruses in DBA, then they would propagate through documents. Outlook attachments were another threat. Raising user awareness helped reduce the problem, but Microsoft also took away the ability to run executable attachments inside Outlook. You just can’t use VBS attachments, which has resulted in a noticeable improvement in security. 

 Around 2006, memory overflow in documents created a new set of vulnerabilities, which are still creating headaches, Gallagher said. 

The way the Office development process works is different from other teams in that not only does Microsoft have a top-level security team but all teams have to also be aware of the security risks of what they’re creating. 

Microsoft hardens the attack surface by automating code review, removing old parsers, and creating intensive distributed fuzzing. Fuzzing is throwing random, invalid or unexpected data at the inputs of a program and noting the results when it fails. The Office suite handles over 300 different formats so fuzzing the system is no small task. 

Microsoft also has labs full of thousands of machines, and rather than have then sit idle they use those machines to actively search for bugs and security flaws. Without getting too technical, a massive amount of automation searches for bugs and alerts those who can fix the bugs to do so. 

Other features are File Block, which blocks unused file formats and is an easy way to enforce policy. The other feature is Gatekeeper, which knows exactly how a file should look, and scans files to make sure they also look the way they should before Office allows them to be used. Gatekeeper also allows for faster patching.

Once Office finds unsafe folders, they get sent to the “Protected Viewer”, which keeps “bad” files isolated from the rest of the system. 

The key take of the session, at least for me, is that Office is a behemoth, and that much as Microsoft is derided for security flaws, their key product is presided over by an extensive security system that catches a whole lot more problems, bugs and exploits than the ones the public eventually sees. 


Company:
Microsoft Canada
Website:
http://www.microsoft.ca
Location:
Vancouver, British Columbia, Canada

At Microsoft, we're motivated and inspired every day by how our customers use our software to find creative solutions to business problems, develop breakthrough ideas, and stay connected to what's most important to them. We run our business in much the same way, and believe our seven core business units offer the greatest potential to serve our customers in the coming decade. more


Related Articles


blog comments powered by Disqus

Warren Frey

Warren Frey

Warren Frey is a writer, editor, blogger and podcaster based out of Vancouver, BC. After working for six years in the Canadian broadcasting industry, he switched to print and has since covered varied assignments from plumbing conferences to star-studded film galas. But he’s never lost his love for the internet and interactive media, from his teens when he dived into the WELL on his “Woz”... more



Who's Hiring



Recent Comments

Powered by Disqus