Microsoft admits it can't stop Office file format hacks

QUOTE
Plans to build 'sandbox' around questionable docs in Office 2010 as defense
By Gregg Keizer
July 23, 2009 03:25 PM ET

Computerworld - Microsoft's plan to "sandbox" Office documents in the next version of its application suite is an admission that the company can't keep hackers from exploiting file format bugs, a security analyst said today.

"What's been happening is that Office has lots of vulnerabilities," said John Pescatore, Gartner's primary security analyst. "For the past 18 months, hackers have been fuzzing Office file formats," he said, referring to the practice of "fuzzing," a tactic that relies on automated tools that drop random data into applications to see if, and where, breakdowns occur.

Fuzzing has been a hacker's best friend: Microsoft has repeatedly had to patch file format vulnerabilities in Office applications, most recently in July when it fixed a flaw in Publisher 2007 and in June, when it patched seven vulnerabilities in Excel and two more in Word.

"What's happening is that the bad guys are using fuzzing tools to find vulnerabilities in Office, and now Microsoft is saying, 'Okay, we can't find, let alone fix, every vulnerability. So here's a way to put a sandbox around the vulnerability.'"

The sandbox technique Pescatore mentioned is a new addition to Office 2010, the upcoming upgrade to Microsoft's bestselling Windows application suite.


Continued

http://www.computerworld.com/s/article/913...s?taxonomyId=89