Tom Gallagher, the senior security test lead for Office Trustworthy Computing, and David Conger, a Microsoft Access software engineer, peered “Under the Kimono of Office Security Engineering” today at the CanSecWest conference at the Sheraton Wall Centre in Vancouver.
The oldest threat in Office was macro viruses, Gallagher said. People would create malicious viruses in DBA, then they would propagate through documents. Outlook attachments were another threat. Raising user awareness helped reduce the problem, but Microsoft also took away the ability to run executable attachments inside Outlook. You just can’t use VBS attachments, which has resulted in a noticeable improvement in security.
Around 2006, memory overflow in documents created a new set of vulnerabilities, which are still creating headaches, Gallagher said.
The way the Office development process works is different from other teams in that not only does Microsoft have a top-level security team but all teams have to also be aware of the security risks of what they’re creating.
Microsoft hardens the attack surface by automating code review, removing old parsers, and creating intensive distributed fuzzing. Fuzzing is throwing random, invalid or unexpected data at the inputs of a program and noting the results when it fails. The Office suite handles over 300 different formats so fuzzing the system is no small task.
Microsoft also has labs full of thousands of machines, and rather than have then sit idle they use those machines to actively search for bugs and security flaws. Without getting too technical, a massive amount of automation searches for bugs and alerts those who can fix the bugs to do so.
Other features are File Block, which blocks unused file formats and is an easy way to enforce policy. The other feature is Gatekeeper, which knows exactly how a file should look, and scans files to make sure they also look the way they should before Office allows them to be used. Gatekeeper also allows for faster patching.
Once Office finds unsafe folders, they get sent to the “Protected Viewer”, which keeps “bad” files isolated from the rest of the system.
The key take of the session, at least for me, is that Office is a behemoth, and that much as Microsoft is derided for security flaws, their key product is presided over by an extensive security system that catches a whole lot more problems, bugs and exploits than the ones the public eventually sees.