Protected View in Office 2010


Hello, my name is Vikas and I work in the Office Trustworthy Computing security team. Today I will be telling you more about a feature I have been working on called Protected View. Protected View is one of the new security defense-in-depth features added in Office 2010. If you have not seen Brad’s post yet on this and the other new security improvements, it’s definitely worth taking a few minutes to look it over.

Why would opening Office documents be scary?


With any piece of complex software, over time new file parsing exploits against it may be found. The older Office binary file formats had been susceptible to these types of attacks. Over the past years hackers have discovered ways to manipulate Office binary files so that when they are opened and parsed, they cause their own code embedded within the file to run. To address these binary file parsing attacks in Office 2007, several new XML based file formats were introduced. These XML file formats are much easier to parse and provide a significant security benefit over the older binary formats. We do understand that there are still several billion binary files being used today and migrating to the new XML formats will take some time but if possible, the sooner you can migrate over, the sooner you can start leveraging the security benefits these new formats provide.

To address these attacks in the past, the Office team had released the MOICE (Microsoft Office Isolated Converter Environment). MOICE would take a potentially risky binary file type and convert it within a sandboxed process to the new XML format and then back to the binary format and open it. The hope of doing this conversion was to remove any exploit code that was hidden away within the file. Some downsides to MOICE were files that required a long time to convert would seem to take a long time to open and users would get frustrated. In addition, the conversion process did not always maintain 100% of the documents layout so there certainly was room to improve when it came to the overall user experience of the feature.

What have we done in Office 2010 to raise the bar?


In Office 2010 when a file appears to be from a potentially risky location, such as the Internet, it is now opened in Protected View. Protected View will appear like any other read-only view. Under the covers however, when a file is opened in Protected View, it is being opened in the new Office 2010 sandbox. The Office 2010 sandbox is the “next version” of the MOICE sandbox described earlier. Unlike with MOICE, no file conversation is happening. In fact what is occurring is the file is being opened within a sandboxed instance of the application (Word, Excel, PowerPoint) and if there was malicious code present in the file the goal is that code would not be able to find a way to tamper with your documents; change your profile or other user settings. I will describe this in more detail a bit later in this post.

When is Protected View used?


Since Protected View is a read only view, we understand it is not something that should be used for every file you interact with. Our goal when designing this feature was to only use it in high risk scenarios:

· Files opened from the Internet. When a file is downloaded from the Internet the Windows Attachment Execution Service places a marker in the file’s alternate data stream to indicate it came from the Internet zone. When a Word, Excel or PowerPoint file is opened and has this marker it will open in Protected View until the user decides to trust and edit it. That is done by pressing the “Enable Editing” button shown below:

Protected View Message Bar

In some cases when a file is opened from a network share that you believe is part of your Intranet zone it will open in Protected View and indicate on the trust bar that it originated from an Internet location. This could occur because of how your proxy is setup or because you have not indicated in your Internet Options – Local intranet setting to “automatically detect intranet network” as shown below:

Intranet settings dialog

· Attachments opened from Outlook 2010. When an attachment is opened from Outlook 2010 it will open in Protected View. Administrators will be able to configure if they want all attachments to open in Protected View or just those sent from senders outside their Exchange environment.

· Files opened from unsafe locations. An example of an unsafe location is files that are opened from your Temporary Internet Files folder. As an administrator you can extend this list to include directories you feel are also unsafe.

· Files that are blocked by File Block Policy. In Office 2007 we introduced a feature called File Block. This allowed administrators to define file types that should not be opened. When a type was blocked it simply could not be opened. From your feedback we heard that this was overly limiting from a usability aspect since your users still wanted to “read” those files. In Office 2010 these blocked files can now be opened in Protected View and as an administrator you can set policy to indicate if the user should be allowed to leave Protected View (by editing the file) or force them to stay in it. We hope this design will make all the issues and pains you felt go away!

· Office File Validation failures. Office File Validation is a new feature that scans an Office file when it is being opened and validates it against a well-known schema. When there are inconsistences between the file and the schema, the file will fail validation and will open in Protected View. Similar to File Block, policy will be available to determine if the user should be allowed to edit the file or not when a failure occurs.

· File Open Dialog. You can open files in Protected View explicitly by using the Open button:

File open dialog flyout to open in protected view

How does Protected View provide me with a better user experience?


The biggest gain is it lets us remove “are you sure” security prompts while giving you greater protection than you had in the past. For example, if you are an Outlook user like me you may have noticed that each time you open an attachment you are asked a question:

Dialog to open attachments from a trustworthy source

For me it is extremely hard to answer this question without seeing the contents of the file first. In Office 2010 we have removed this dialog and instead we now just open the file directly in Protected View! This allows you to look over the contents and make an informed decision if you really trust the file or not. If you do not, or if you only wanted to read it, you can get your job done and then close it. The reason we are comfortable opening the file directly is because of the many defense in depth checks we now have in place.

In addition to the open prompt, we also removed the Outlook Preview pane prompt shown below:

E-mail prompt to open from trusted sources

Now when you read Word, Excel, PowerPoint and Visio files in the Outlook preview pane you will no longer be prompted asking if you really trust the file first when Protected View is enabled.

What does the Protected View design look like?


Protected View had changed how Word, Excel and PowerPoint are architected. When a file is opened in Protected View there are two instances of the application that are running. To illustrate I will use Word. We have one instance of winword.exe that runs in the context of the account you are logged in as (we call this the “host” process) and we have another instance of winword.exe running in a very isolated process (we call this the “client” process). We also call the isolated process the Office sandbox and you will see these two terms intermixed.

What is the host process?

The best way to describe it is with a picture. The client process is the part of the UI that is highlighted black and everything else is part of the host process as shown below:

Diagram showing host process inside application chrome

When the user clicks on any part in the Host processes UI, because of UIPI, we have a high assurance the action came from the user and do not need to prompt with additional ‘are you sure you did this?’ dialogs. The host process owns the top level application frame window as shown above which includes the window caption, the ribbon, the trust bar, status bar, etc. The host process manages the Protected View and non-Protected View windows and acts as a “broker” for the client process. There is only one instance of the client/sandbox running at a given time and all files opened in Protected View share the same sandbox instance within an application. When all Protected View windows are closed the client process is terminated. When the client needs to perform a privileged task (such as accessing the file system, registry or other system resources) it makes a request to the host process and the host then will broker and perform the action if it deems appropriate.

What is the client process?

As alluded to earlier, the client process is another Windows process that is running in the context of the user account however the token being used is a restricted token. By using a restricted token we were able to remove several rights and privileges this process has. To further lock down the client process we are also running it as a low integrity process. Together the restricted token and low integrity (UIPI) provide the foundations for our Office 2010 sandbox.

As discussed, Protected View is one of the many security defenses in Office 2010. For a malware to actually be able to run in Protected View it will first need to find a way around DEP, ASLR, GS and our new 2010 Office File validation checks. After all that, the malware would need to find a way to break out of the sandbox.

Hopefully now when you think you received a ‘scary’ Word, Excel or PowerPoint file you will be able to open it in Protected View and read it without having to worry that something bad could happen to your computer.

I appreciate you reading this far and stay tuned for more security posts coming soon!

Thanks.
Vikas Malhotra
Security Program Manager
Office Trustworthy Computing

Comments (45)

  1. Anonymous says:

    I cannot save anything in any format in 2010. I get this message:

    Quote “This error occurs if you try to save a Microsoft Office document and the file type for that document has been blocked by a registry policy setting. To help secure your computer, Microsoft or the administrator of this computer implemented a registry policy setting that prevents saving this type of file.

    To save documents with this file type, disable the registry policy setting. For more information, see Microsoft Knowledge Base article 922850.” End Quote

    I am the administrator/owner of all my computers & this article does not tell me how to modify the registry for 2010.

    I’m ready to go abck to 2000!!!

  2. Anonymous says:

    I agree, not being able to Print is a bit frustrating but this is something we have been working on and will be there for Beta2.

  3. Anonymous says:

    How does the Protected View sandbox work on XP which does not have things like UIPI and low priviledge accounts?  Are there any protections against malware infecting the machine?

  4. Anonymous says:

    mary_branscombe –

    We are working hard to incorporate user feedback to improve the product in Beta2 and are also looking for ways to improve the networking issue you mentioned.  I really do not think that Protected View will be a productivity blocker.  When a file is opened in Protected View and you click “Enable Editing” this will create a trust record for that file type and the next time you open the file it will not open in Protected View. If the file contains active content and you enable that content you will never be prompted to take that action again for that file.  For this reason, I really think there is a productivity gain across the board in Office 2010 since we have greatly reduced the number of prompts users will see.  Regarding the trust issue, have you added that UNC share (file://ServerName) to the list of intranet sites in Internet Explorer? You can do that by going to the Intranet options and selecting the advanced button which brings up a dialog that lets you add sites to the intranet zone. Once you do that the Office files should no longer open in Protected View for that server.

    loiner

    To determine if a file is part of the Internet Zone we call into the operating system API MapURLToZone (http://msdn.microsoft.com/en-us/library/ms537133(VS.85).aspx).  An interesting article that explains this scenario can be found here: http://msdn.microsoft.com/en-us/library/bb250483(VS.85).aspx.  I hope this helps better explain what is occurring under the covers.

    LizMcQ

    On platforms that do not support UIPI, such as Windows XP, Protected View is not as robust as it is on the newer Operating Systems. That said, on XP Protected View is able to still leverage the benefits provided by the restricted token feature which does help prevent against attacks.

  5. Anonymous says:

    Thank you for the details on how this works. In my environment (Win 7 RTM), *all* files on the Windows Server 2008 are detected as being from the Internet and opened in Protected View which is a significant productivity hit. I don’t use a proxy and the Local intranet setting is already set to “automatically detect intranet network”. I’ve tried to work around this by telling Office to trust all network sources; this doesn’t stop protected view. I’ve manually added the locations on the server to the Trust center – and I was infuriated that you don’t let me add a root directory on a server so I have to add all the share mount points individually. And this is happening with .XLSX and .DOCX files which couldn’t have code in to start with.

    Protecting users from potentially malicious code in binary files is an excellent feature. What you currently have implemented is a productivity blocker that will be turned off or loathed by every user that comes across it. I hope the experiences of beta users will help you tune it from the latter to the former.

  6. Anonymous says:

    I’ve been playing with this and, in general, I really like the way it works. Avoids lots of issues we see with people opening attachments from emails, editing them and saving the changes back to the original message in Exchange, or worse losing their edits in a temp folder. However, the biggest frustration, in the Tech Preview, is not being able to Print when in Protected view.

  7. Anonymous says:

    I can not save anything in Word 2010. I can not even open word select a blank document, I put the word test on the document, and attempt to close.

    I get the following error.

    This error occurs if you try to save a Microsoft Office document and the file type for that document has been blocked by a registry policy setting. To help secure your computer, Microsoft or the administrator of this computer implemented a registry policy setting that prevents saving this type of file.

    To save documents with this file type, disable the registry policy setting. For more information, see Microsoft Knowledge Base article 922850.

    I have attempted to do what the knowledge base states, but with the removal of Office 2007 the steps are incomplete, or do not apply to 2010 office.

    Can some one help on this issue.

  8. Anonymous says:

    Guess I need to learn to read! In the trust center I checked all the boxes. Then I read “By checking Save, Word PREVENTS saving files of this type.” Duh- I must be blonde!!!

  9. Anonymous says:

    Thanks for this detailed explanation of Protected View and the office sandbox.

    Glad to find that any file can be opened in Protected View through the Open … drop down.

    vanilla

  10. Anonymous says:

    <<In some cases when a file is opened from a network share that you believe is part of your Intranet zone it will open in Protected View and indicate on the trust bar that it originated from an Internet location.  This could occur because of how your proxy is setup or because you have not indicated in your Internet Options – Local intranet setting to “automatically detect intranet network” as shown below:

    >>

    Sorry, but perhaps you could point to a URL that explains in simple terms

    a. why a network share should be regarded as part of an Internet zone in the first place?

    b. which parts of Office use file open APIs that regard network shares as part of the Internet, and which regard them as part of the Windows network file system?

    c. precisely what security options people need to specify to make things accessible – on the file, the Windows share, so-called “IE options”, etc.

    At the moment, for some purposes, it’s an incredible mess. We – the users – have to assume that someone at MS understands it all, but it isn’t completely obvious that that is the case.

    Just by way of example – and on a slightly different front, if I try to open a /Mailmerge data source/ from Word VBA using an HTTP:// URL, I can’t. But if I specify the HTTP URL using the appropriate XML in a .docx or Word 2007 format .xml document, I can. Why?

    Frankly, I think MS has lost the plot in this area and seems to assume that everyone in the world either has an advanced degree in MS networking, or should be able to rely on someone who has. How about spelling some simple stuff out?

  11. Anonymous says:

    I like kind of security in Office

  12. Anonymous says:

    Vikas – can you explain the difference (if any) between using the Trust Center in Office/Options and using the IE intranet sites? How would it differ if I only have Firefox on my system? Will using the IE intranet setting not refuse to trust the server root, and if so do you plan to allow Trust Center to trust the server root?

    Presumably it’s a bug that I have to add the server in the first place, even though I don’t use a proxy and had your suggested settings already enabled in the Internet control panel? Is it also a bug that I’m seeing it on .DOCX and .XLSX files that cannot contain macro code, or is it actually scanning all files, even XML format files that are supposed to not be able to contain code?

  13. Gal says:

    Hey,

    Is it possible to disable protected view? I didn’t manage to find it over the internet.

  14. edson britto de oliveira says:

    gostava de ver o office 2010 na mini barra de funçoes.

  15. Bill says:

    Great.  Now how do I turn it off.  It’s annoying having to press ‘enable editing’ on every document I open.  

    Honestly, it’s enough to make me to move to Google Docs since they don’t have this silly feature.  The straw that broke the camel’s back for my using IE (I’m mainly using Firefox now) was the silly nanny dialogs that come up when moving images from a website to my desktop.  I took an action to move the file, why would I not want to allow it?  

    If a user were intent on editing the file, would there EVER be a case where a user does not select ‘Edit’?  

  16. iman says:

    re: Protected View in Office 2010

  17. hisham says:

    I think it is good FETCHER in this kind of danger internet

  18. Mary Feay says:

    Why is printing scary? I can see why editing might not be a good idea.

  19. Zoran says:

    I think it is good.

  20. mohamad hamdon says:

    think it is good

  21. Brendon says:

    Hi, if the trust centre and trusted locations and file block settings are all correct, and I still can’t save any documents, even after editing the registry, are there any other fixes that you can advise me of?

  22. Gary says:

    Hi,

    i would greatly appreciate it if you could help me with the following,

    i downloaded word 2010, – uninstalled word 2000, – saved all word documents.

    problem; when i open my old word 2000 files in the new word 2010, i find that the word documents that have mixed content, i.e. English and Biblical Greek on the same page, results in that some of the  Biblical Greek characters has changed, – some words / letters are now in squares, others look good,

    thank you for your advice

    Gary

    ghtjhb@webafrica.org.za

  23. CARDIN says:

    met,i am not comprende because c’ist riwt ann englisch

    i am sorry salutations DIDIER CARDIN

  24. Radhakrishna Ghattu says:

    Vikas, ThanQ. I am a little more informed about haweasy I can make my work with the Office.

  25. mahmoud says:

    help me

    i cant downlod sorce office 2010 bita

  26. ramazan says:

    ramazan koyun

  27. Aaron Barr says:

    Personally like a couple of others here posting about the protected view, it is seriously flawed as it is right now. I have gone into the settings and turned it all off but it still comes up on all documents on my pc that I use. Currently I tend to do alot of PC Faxing using a software to convert my .doc files into a .tif file for sending multiple pages. It worked fine with Office 2007, however with Office 2010 it now fails to convert any file becuase of the “Protected View” security feature.

    This option is litterally costing me time and business. If I can not competely turn it off then it is worthless to me becuase I need those files coverted to interact with our Fax Server here in the office. I litterally have between 20-40 General Contractors that I need to fax documents to and if this can not be turned off so it quits messing up the conversion process then its a waste of money for my business and I am sure that many other business’s who have the set up I do will find the same.

    Please dont get me wrong, its a great feature for docs recieved thru email attachments but it is extremly frustrating that any document on my own computer is blocked when I open it is pointless and a waste of my time. Please fix the problem with protected view. If I want to turn it compeltely off then it should let me.

    Sincerely Yours

    Aaron

  28. Mike says:

    I am annoyed by the default Protected View settings.  I like the idea, but I also wish I could mark a location as trusted or mark a file as trusted.

    I’ve tried un-checking the boxes in the Protected View settings, and my files still open in read only.  I learned that when I right click a file and choose “Edit” the file opens as an editable file.

    However, strangely when I right click a file and choose “Open as Read-Only” the file will open as an editable file.

  29. antonio carlos lage siqueira says:

    Otimo. Muito bom mesmo.

  30. mahnaz says:

    Hello, office 2010 is Very Very good for my business.

  31. Anurag G says:

    The feature seems to be good and I feel help us a lot in reading the attached files in protected mode. Now a days we are getting used to register our accounts almost in evry activity and transaction thereby receiving 10-20 mails with attachments everyday some worthy and some not. Earlier we have no option either to save or to decline without seeing the documents even if it was very important only because of some suspicion or being afraid of some kind of trojans or viruses.

    I appreciate i a lot and looking forward to see some more key features included as already discussed above.  

  32. Jase says:

    How do you go about turning protected mode off?  The majority of the docs I open or use are from a reliable source…I’m willing to take my chances.

    Despite choosing the ‘Enable Editing’ option, often it won’t even allow editing at all (mainly in Excel).

    And, more often than not, opening a document in protected view sets off a series of “Beeps” that often never stop until I close the file.

  33. sebah says:

    kiero estos ´programas

  34. ROBERT L WHITE says:

    I HAVE BEEN DOING BETA TESTING FOR SIX YEARS. I LIKE THIS ONE IT WORKS FOR ALL OF US. BETA 2 SHOULD DO IT . I LIKE IT.     R L WHITE

  35. cristal cantillano says:

    buenoo

  36. Theresa Sheehy says:

    I like the Protected View feature in Office 2010 for incoming documents/attachments and look forward to the fine tuning that needs to be done before the final product is released.  Like all programs, it’s great to see the big picture, but it’s just as important to see all the fine details and/or scenarios of the small items (i.e faxing, printing, converting, etc).  Remember one size really doesn’t fit everyone.  

  37. karol says:

    how to turn this off!!!!!!!!!!!! this is ridiculous!!!!

    i have tens of attachemetns every day, and can't affort to waste time on reattaching them to the mail.

    as a program manager you should understand that, Vikas.

  38. Nathan says:

    Hello Office Team and Any one who can help!!!!

    We are testing out Office 2010 beta however running into a few problems with the "Protected View" feature.

    I have setup a rule so that all incoming email gets printed out as we usually receive purchase order's in word format.

    However the Print Rule is unsuccessful in office 2010 for word documents.

    When we receive a word document in outlook 2003 it use to automatically open up word 2003 and print out the document.

    In Outlook 2010 Protected View is preventing this and when i uncheck all the protected view options in word (specifically the "Enable Protected View for files that fail validation" i get an error in outlook when i try to open word document by double clicking the attachment saying: "Office has detected a problem with this file. To help protect your computer this file cannot be opened"

    How do you override protected view?

    Thanks

    Nathan

  39. not impressed says:

    talks down to us like we're infants.

    not impressed at all.

  40. Shoaib says:

    I am always annoyed when some piece of software tries to play clever on my behalf. And I am more annoyed when it doesn't stop doing so, when I tell it to stop.

    I am not interested in Protected View, and I have done all I came to know about to switch it off, but it wont go away. Can you please help us all shouting here, and give us atleast some workaround if there is no straightforward way of doing so.

    You do not expect such things to be left over by a company like Microsoft.

  41. Nick says:

    ok fine, great theoretical feature etc. but why can't I just enable full 'trust' from a local location (e.g. files on my desktop)? why does EVERY document open in 'read-only'?

    I know you guys like to write 'super awesome code', but you're 9/10ths short on USEABILITY.

    E.g. its fine all and well to have triple-DES-twofish-AES-blowfish encryption with a 2048-bit key, and a super random hash generator, but if users can't encrypt/decrypt a file with a single command/keystroke/mouseclick few users are going to use your feature.

    If you're running a billion dollar company, you don't want to have to 'save as' every excel sheet your analysts have into a new version (can't overwrite the previous version, have to have a new name).

  42. Shawn Sabbini says:

    Would be a great feature.  When trying to open a word document from sharepoint I just get an error "Word experienced an error trying to open the file." and word doesn't open the document at all.

    Disabling Protected View for files originating from the internet solves this problem.

    When opening an excel sheet from email, Excel hangs on the splash screen.  Disabling protected view solves this.

  43. Jenkins says:

    I want to turn off Protected View – significant productivity hit.  Please tell us how.

  44. Michael says:

    There are no instructions on how to get to the "Local Internet" dialog.  I don't see anywhere a location to check "Automatically detect intranet network".  Suggestion:  when you put up a dialog in a blog, tell people where it is.  

    I'm just trying to turn off Protected View for files retrieved from our file server.  The trust center wants you to "trust" on a individual folder basis rather than by a mapped drive basis.  This was not well thought out by Microsoft.

  45. Hamilton says:

    Same problem as everyone else.  Reads documents from company server as from the ineternet.  Not a big deal for stand alone docs, but blows up links between workbooks.  Our excel models will not run and update unless we turn-off the protection all together.