Office 2010 Application Security


Hello, my name is Brad and I work on the Office security team; we focus on a couple of key areas: building security features that improve the Office product line and driving the security engineering process across the division as part of the Security Development Lifecycle (SDL).

I would like to start with a high-level introduction of several of the new security features in Office 2010, what our goals are, and how we think about them. Because shipping Office isn’t about how we think about it, but instead how you think about it, feel free to ‘send a smile’ with the Technical Preview and let me know if we hit the mark.

Staying ahead of hackers

To start things off, ‘Why?’ is always a good question. Why did we spend time doing anything in this space, and to what end? Well, as the security landscape has been changing, Office has had the misfortune of becoming one of the next big targets for hackers to attack. They have been going after many of our file-format parsers and how we read Office files. They’re looking for ways to exploit bugs and to get their code running on your machine. We have done a lot of work to find and fix bugs, but we can’t find everything. We have to take a more proactive approach and build Office to be more resilient to attack.

To do that, we have designed what we have been referring to as a new security workflow, a layered defense that Office documents have to go through as part of the File Open process. We strive to make this process as invisible as possible. This means no noticeable delay in open times, as well as no dialogs asking you how you feel about security.

File Block improved

The security workflow we designed has several key features that we believe achieves the goals. First, we have improved our File Block feature that was introduced in Office 2007. We now have a way to configure it in the application and have a finer level of granularity to manage how Word, Excel, and PowerPoint open their file types.

Office File Validation: integral and non-intrusive

Another feature is our new binary file-validation system, which call Office File Validation. Since the vast majority of the exploits have focused on our older file formats, pre-dating our XML versions, we built a system that can validate those files to make sure they conform to the documented format, before they are opened by Word, Excel, or PowerPoint. This is something we did in Publisher 2007, which worked out pretty well. Office File Validation is an integral part of Office that on most days, you would never know exists.

The next question is ‘What do you do with those blocked or invalid files?’. Well, if we just blocked a file and said it was invalid, you would probably be pretty curious why it was invalid, or if maybe we made a mistake. Or, you may be sure you know what it is, and still need to read it. Denying you access to these files doesn’t really meet our goals, so we also built another system we call the Protected View.

Protected View: more security, less annoyance

Protected View is a way for us to show Word, Excel, and PowerPoint files to you, but without all of the worry about those files being dangerous. We build up a read-only view of the document in an isolated sandbox, which has minimal access to the system, and no access to your other files and information. Even if the file is malicious, it can’t get out of the sandbox and do harm to your computer or data.

By tying all of these features together into a layered defense, any file that reaches your machine will get inspected for the file format being blocked, tested for validity, and maybe shown in a read-only protected state. All this happens in real time, with an indistinguishable performance impact on your load time, and you can open these Office files without worry.

The other goal to make these features and workflow successful is that they don’t get in the way and instead have a positive impact on your experience. That means fewer dialog boxes and less information that is not actionable. We need to make security smart enough to get out of the way when its job is done. To do that, we have made files that open in Protected View remember when you chose to trust them, so you don’t have to re-trust them next time. You are not less secure; you’re just less annoyed (hopefully!).

In future posts, my team and I will be digging into these and other features to explain how they work and give some insight into how to get the most out of them for system administrators. Stay tuned, and give feedback if you want to hear more about a specific security feature. We hope you enjoy using Office 2010, as much as we have enjoyed working with you toward its creation.

Thanks,

Brad Albrecht

Senior Security PM
Office Trustworthy Computing

Comments (35)

  1. Anonymous says:

    Wow!  Really seems like you’ve got it all right.  I’m always worried about my family opening documents without first asking themselves if it is “safe”.  I really like where I see Office 2010 heading and really excited to see the final product.

  2. Anonymous says:

    can you explain how this relates to the need to ‘enable editing’ on every document I open from a Windows Server fileshare; is the assumption that any file that isn’t on my hard drive is suspect? will this learn that a location I trust multiple documents from is safe – I think I have found an option to trust the location manually but the dialog box text isn’t that clear…

  3. Anonymous says:

    Sheet Level and Workbook Level Security are still as weak as in Excel 2007

    VBA Password cannot be hacked with as Hex Editor…due to the changed file type, but the encryption is i guess just the same…

    File level is pretty Strong

    Why cant to increase the encryption level of Sheet level and Workbook level password to that of File level

  4. Anonymous says:

    The Office IT blog is continuing to provide great insight into the development process that occurs behind what has been a leaded curtain for so long.  For developers who are able to read between the lines, there are some gems in there for us to extrapolate and start using in our own works.

    http://theycallmemrjames.blogspot.com/2009/07/more-on-office-2010.html

  5. Anonymous says:

    I’ve got a Word 2003 template I’m trying to open and OFV repeatedly tells me there’s a problem with it.  I’m told it can’t be opened and *seems* to say it’s because there are macros in it that could be malicious.  That that doesn’t seem to be the reason — I’m able to open other 2003 templates with macros.  So I assume it’s corrupt in some way.  But this error message is quite insufficient to instruct me on how to proceed.

  6. dAVID kRAMER says:

    Will Office 2010 (Word & Excel)be HIPAA compliant via cloud computing?

  7. Scott Holmes says:

    This feature will cause major problems for my company as currently implemented!

    I’m getting the following error message when attempting to create a new document from a Word template (.dot):

    “Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening.”

    These templates contain code (macros) we developed and work on other systems. Details:

    - VBA code signed using a 3-year certificate from GoDaddy, expiration in 2012.

    - Word 2007+: Trusted Locations include a directory 1 level above that containing the template, with sub-folders Allowed.

    The error dialog has a ‘Help’ button, but (surprise, surprise, surprise) does not provide any relevant or useful help.

    What do we need to do to satisfy MS Weird 2010?

  8. Ben Canning (Microsoft) says:

    To Scott Holmes – the File Validation feature is still getting dialed in and has a higher false positive rate in the Tech Preview than it will when we ship. One thing you can do to help us dial it in is to send in the file that is failing validation. You should be getting asked to submit the file when you exit Word. If you’d rather, you can simply email me the file at bencan_at_microsoft_dot_com and we can see if the file is still failing validation and why.

  9. Manuel Silvestre Costa says:

    Espero que seja facil e bom de trabalhar,tambem gostei do programa de 2007.

    O meu muito obrigado pelo vosso esfoço.

  10. David Plaut says:

    I too am getting “Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening.” after I have saved the file as a trusted template. I’m not willing to send you the file, it has proprietary company info. The file works fine in Word 2007.

    If I am trusting it you should not be blocking it!!

  11. Stein-Tore Erdal says:

    Also getting

    “Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening.”

    for quite a number of .dot files.

    Common for these are:

    - no VBA code.

    - created with Word 2003 running on Windows XP.

    - created with a “template builder” program which use an instance of Word 2003 and (mainly) the InsertXML method to build (and save) .dot files from bits of Word ML.

    Note: some files created with this “template builder” opens fine, others do not.

    The behaviour varies a bit dependt on settings under the Trust Center.

    If they are placed in a folder which is included in “Trusted Locations” I always get the above msg and no go.

    If they are used from another location and “Enable Protected View for files that fail validation” is checked I get the “Protected View   Office has detected a problem with this file. Editing …” message bar.

    If “Enable Protected View for files that fail validation” is not checked I always get the above msg and no go regardless of location and other settings (it seems like…).

    When getting the “Protected View …” message bar I get the option of “Enable Editing”. Using this, I can start using the created document. However next time I try to create a document based on this template I do not get the “Protected View …” message bar but just the msg box with “Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening.”

    Anyhow lots of permutations on behaviours here. You got a bit of work to do here to fix the “bugs” (or explain the “features”).

    I use Windows 7 (x64), Office 2010 Beta (x86).

    Ben Canning: Will send you a file … Pls delete it after testing.

    Stein-Tore

  12. Jeff Holland says:

    Will Excell 2010 have improved VBA Security?  While I can currenlty lock an Excel file so that it is almost unbreakable, we have very weak protection on the password to protect viewing of VBA code.  Will this be improved with strong encryption in 2010?

  13. Brock Sampson says:

    I have been recently invited to participate in Office 2010 beta and I am

    having probs with word 2010 beta…Always at open, it encounters an error and

    has to close. All the other office programs work just fine! (outlook, access,

    excel etc all ok)

    On the top bar it does show word fails validation, all the other programs

    validate just fine….I have tried the repair option, completely removed all

    office products, run tools like CCleaner, complete reinstall and revalidate

    and fully updated MS updates and of course needed reboots. I am running XP

    Pro SP3

    I figure it is a validation issue, but cant confirm it or found another way to validate it due to crash at every load.

    But I still have the same issue-any ideas?

  14. Damian says:

    Getting a  Office File Validation error on a excel file that was opening fine through the beta 2010 version yesterday and for weeks prior.  I can still open the same file on a different computer with office 2007 on it, so I don’t know what the problem is or what to do to fix it.

  15. George says:

    I must strongly agree with Scott Holmes and the others!

    The Office File Validation feature will definitely  cause big problems to companies and organizations which use VBA for tasks based on Word templates. At our university we developed a template for creating an e-learning educational content and I have encountered the same problem when attempting to create a new document based on such template.

    This template is signed by valid certificate and is located in a trusted location. Protected View feature is not a solution at all because in this case there is a blank document only (which is based on the template).

    Maybe the OFV blocks code because of using events with the Document Object (e.g. Document_New etc., ie Auto Macros). But auto starting of the code is an esential part of our template because e.g. it prepares a working environment for users etc.

    Well, a knife could be used for killing people but is it a reason to ban use of knives in our kitchens?

    Are not the code signing and trusted location technologies enough to protect the users against the harmful content? What should we do? OK, let’s implement one, two, three … ten message boxes to ask a user repeatedly “Are you sure?” … “Are you really sure?” … “Are you sure that you are really sure?”. Maybe it would be the best solution to throw VBA away from Office at all …

    No, that is not a way. I agree that harmful content is a big problem but I don’t think that the right solution is to block anything.

    So I would like to suggest the Office Developers to change the Office File Validation behaviour in a way that OFFICE FILE VALIDATION SHOULD NOT BLOCK FILES WHICH ARE BASED ON SIGNED TEMPLATES LOCATED IN TRUSTED LOCATIONS.

  16. Ben Canning [Microsoft] says:

    We’re putting together a longer post about the File Validation feature, but I just wanted to thank everyone for the feedback, and clear up two things about how the feature works:

    First, the File Validator uses a set of rules to decide if a file looks ‘suspicious’. We are continuously tuning the rules the Validator uses and, much like an anti-virus signature, we’ll continue to update the rules after we release Office 2010 – both to eliminate cases where the Validator fails a file incorrectly, and to address new threats that emerge in the future.

    During the Beta, we’ve been collecting files that fail validation and using them to improve the accuracy of the system. At this point we have well over a million files in our test system, and over 99.9% of them open without error as we expect. The feedback from all of you has been very valuable in tuning the system, so thanks.

    Second, in most cases Office will not block a file from being opened, even if it fails validation. When a file fails validation, it is opened in Protected View (where any malware int he file should be prevented from doing damage to the computer) and a red bar is shown. If you click on the text in the bar, you’ll be taken to Backstage, where you can click a button to Enable Editing of the file. Once you do this, that particular file will be treated as ‘Trusted’ and will not fail validation again (unless moved or renamed).

    There’s a lot more to cover about File Validation and how it can be controlled, but I’ll leave that to a future post. One thing I’d ask is that if you have files that fail validation but shouldn’t, I encourage you to send them in if you can so we can make sure we’ve got the validator tuned properly.

    Thanks!

  17. Balaji says:

    word 2010 crashes every time if I select the file option. But other applications work fine with out any problem

  18. Tim Richards says:

    Same problem here, Excel simply refuses to open a file claiming there is “a problem” with it; I don’t even get an option re protected view.

    And even worse, attempting to add a location to Trusted Locations results in a curt rebuke along the lines of “Microsoft arent going to allow you to do that on *your* machine for security reasons”??

    How much control does Microsoft want to exercise over people?  2010 is being uninstalled right now.

  19. John Nguyen says:

    When I open my file, one Notice appears : “The Office File Validation feature has blocked this file from opening as it may contain harmful content.”

    I don’t know what the problem is. How can I solve it? Thank for your help!

  20. James Hutchens says:

    I resolved the problems I was having (excell not allowing a file to open) by adding the file location to “trusted locations” in the trust center.

    Might give it a try……..

  21. Trishin Seetharam says:

    Im also having troubles with word beta crashing all the time few seconds after opening

  22. ANDY BWELL says:

    word 97 autotext files will not open

    File validation error

  23. Matt says:

    Ditto what James Hutchens said. I added the location as a trusted location and now it works.

  24. Bernard Cronyn says:

    This is about the only place it seems we can feedback problems to you illustrious and glorious MS development team on the subject of Office 2010.

    The questions is why(unlike previous Beta versions of Office)does perfectly good VBA code developed and tested in Office Suite 2007 and 2003 no longer work properly in 2010?

    The second question is why is the standard of Help on this product so pathetic?

  25. Sergio Segal says:

    I’m getting the following error message progressively in all my PPTs:

    "Office File Validation detected a problem while trying to open this file. This file could potentially contain harmful content and has been blocked from opening."

    The message should say what to do to fix the issue. Blocking with no way out is unacceptable.

    Unless I receive a workaround I will be forced to abandon MS Office 2010.

    Many messages above mention the same issue. Is MS taking care? After the Vista scandal MS should take problems seriously.

  26. Dave Perryman says:

    Protected View: More annoyance and less work done, cant get rid of it and dont need it! Seems to detect everything regardless of Trusted Locations, regardless of how many ticks in boxes!

    not impressed

  27. Eddie says:

    EVERY file attachment I attempt to open from Outlook gives that warning and will not open. Example: Word do attached to e-mail. I click to open. I get the error "Office has detected a problem with this file… cannot be opened" message. It doesn’t give me an option do use protected view. I click OK to the error message, go back to the e-mail and double-click the attachment and it opens fine. What a pain. I have gone into the Trust Center and unchecked all the options. Still same problem. EVERY attachment I try to open behaves the same.

  28. Josef Kohout says:

    I’m using MS Office 2010 BETA for some time without any problem, enjoying the enhanced protection. However, last week when my W7 (64 bit edition) updated, files downloaded from the internet cannot be opened! All I got is a spash screen “opening in protected view …” and Word / Excel / Prowerpoint freezes. Once I tried to wait 12 hours and the document didn’t open. There is neither alert message nor question box displayed. Simply I cannot open documents. All I could do to overcome this problem was to turn off the security completely.  This is not right. Does anybody has experienced the same problem?

  29. Derek says:

    I don’t have 2010 yet.  However, if the first poster is correct, I must echo his statement.  Sheet level security is critical to me.  I’ve developed an ‘application’ within an excel file with all the intellectual property aspects hidden and ‘protected’.  Our intent is to resell this template.  

    Yes, an Excel expert could eventually build a workbook that mimicks what we have built – but they should have to work as hard for it as we did, rather than be able to steal it.  

    It is also a valid point that we could have built it using C# and distributed it as an executable, but that’s extra work and customer support.  

  30. Semyon says:

    I cant open a few PowerPoint Presentatins in my Office 2010 … Now i know why.Thank you

  31. Advance Excel User says:

    Hi development Team,

    I am facing problem in opening the excel file through IE6.0 SP3. When i open the files, IE(may be)creates index inside content.IE5. when i open it from IE and this local temp temp directory. It results in :

    .xls file locked for editing by ‘userName’.

    I googled but didn’t find any working solution.

    This problem is only with excel file and IE6 SP3.

  32. singles dating says:

    Nice post.Keep it up!

  33. Seeking Women says:

    Will Excell 2010 have improved VBA Security?  While I can currenlty lock an Excel file so that it is almost unbreakable, we have very weak protection on the password to protect viewing of VBA code.  Will this be improved with strong encryption in 2010?<a href="http://www.isisandosiris.in/">Seeking Women</a>

  34. Jamie from GMARK Ltd. in the UK says:

    We've have been looking for some insight as to how to continue to deliver PowerPoint files which contain VBA code that is inserted by our flag ship product ActivePresentation Designer.  Prior to Office 2010, we invested in digital certificates from VeriSign to give users the ability to trust us a publisher, a one time operation that meant no further security alerts were displayed.  With the advent of Protected View, this benefit for our company seems to have vanished which means the products we have developed no longer work as we are unable to deliver any of these types of products from our web site without users having to understand this new MSO feature and hence we loose them almost instantly or they create additional support costs for us.  Is there a commercial grade solution to this issue that disabled Protected View when a publisher is know to be legitimate?