Insecure by design: MS Office formats

Last week, Microsoft essentially admitted that its plan to "sandbox" Office documents in Office 2010 is a last-ditch defense against unstoppable Microsoft Office format attacks. As John Pescatore, Gartner’s primary security analyst, told ComputerWorld reporter Gregg Keizer, "Microsoft is saying, ‘Okay, we can’t find, let alone fix, every vulnerability. So here’s a way to put a sandbox around the vulnerability.’"

There’s no surprise here. Microsoft Office is a set of security holes that masquerades as an office suite. Of course, Microsoft didn’t plan it that way. They just didn’t think it through when they first started developing Office’s proprietary formats.

You see, Office, and Windows for that matter, were designed for single-user, non-networked systems. They were not designed for environments with multiple local or remote users. When Microsoft started dealing with a networked computer universe with Windows for Workgroups in 1991, they didn’t redesign the system from the bottom up. Instead, they simply added network functionality, often at a low level, without considering what this meant for security.

Even when Microsoft added another architecture, the VMS-inspired Windows NT, to its operating system mix, the programmers from Redmond insisted on including Windows 2.x and Windows 3.x application compatibility. So it is that this single-user mentality is still Windows’ foundation almost 30 years later, and with it comes Windows and Office’s fundamental insecurity.

Here’s how it’s played out in Office’s document formats. Microsoft wanted to make it as easy as possible for its Windows users to transparently trade data from one program’s documents to another. This was, and is, a feature. It’s what let you set up your PowerPoint presentation or Word documents, for example, to reflect your latest spreadsheet numbers from an Excel spreadsheet without having to copy and paste them.

That’s great, so long as you’re in an environment where no one else can access your data or (and this point is the heart of the Office formats’ security weakness) the connections between documents. In 1991, without giving any consideration to its security implications, Microsoft introduced NetDDE (Network Dynamic Data Exchange). This made it possible to extend DDE links across the network.

NetDDE links, as I pointed out at the time, "made it possible for multiple users to access and update data on shared files. The promise of this kind of data sharing is almost unlimited. You could, for instance, set up a sales report in Word containing automatically updated sales figures from half a dozen different Excel spreadsheets scattered across the network."

I continued, "That’s the good news. The bad news is that NetDDE can be used without security. In a nutshell, without usage restrictions, NetDDE can be easily abused. For example, you could easily set up a spreadsheet reporting on everyone’s salary based on personnel’s spreadsheets. NetDDE brings not only new power to Windows, it also reminds us that, as Lord Acton wrote, power tends to corrupt and absolute power corrupts absolutely."

In 1991, I was worried about people on the local area network snooping into other people’s data. What I didn’t foresee was that Microsoft would never fix its document security. In fact, they would make it even worse. Microsoft Office documents, thanks to a combination of the later generations of NetDDE, such as VBX, OCX and ActiveX, and baked-in support for Office programming tools like Visual Basic for Applications, aren’t really documents at all. They’re really unsecured programs.

You see, when you’re opening an Office document today, you’re not just opening static words, images, or numbers. You’re actually starting a program that uses Microsoft Office as its interpreter. And no matter whether you’re using the Word 2.0 format or the 2008 ECMA-376 Office Open XML file formats, a 7,000+ page mishmash of a ‘standard,’ there is no built-in network security layer. Instead, there is a mishmash of fixes for one problem or the other.
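The point above, that an Office file is a container for executable content rather than a static document, is something a defender can check for before a file is ever opened. The following is an added example, not code from the original article or from Microsoft: it treats an Office Open XML package as the ZIP archive it is and reports the parts that turn a "document" into a program, namely a VBA macro container (`vbaProject.bin`), ActiveX and embedded-object parts, and Word field instructions beginning with `DDE` or `DDEAUTO` (the field codes that carry the DDE links discussed in this article). The sample package is constructed in memory for the demonstration; its contents are placeholders, not a real document, and the part names are the standard OOXML locations.

```python
import io
import re
import zipfile

# Part names that carry executable or externally linked content inside an
# Office Open XML package (standard OOXML locations, matched case-insensitively).
MACRO_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
ACTIVEX_PART = re.compile(r"/activeX/", re.IGNORECASE)
EMBEDDED_OBJECT_PART = re.compile(r"/embeddings/", re.IGNORECASE)

# A DDE or DDEAUTO field instruction, either as a complex field (<w:instrText>)
# or as a simple field (<w:fldSimple w:instr="...">).
DDE_FIELD = re.compile(
    r'(?:<w:instrText[^>]*>|w:instr=")\s*DDE(?:AUTO)?\b', re.IGNORECASE
)


def inspect_ooxml(data: bytes) -> dict:
    """Return a summary of the active-content parts found in an OOXML package."""
    findings = {
        "macros": False,
        "activex_parts": 0,
        "embedded_objects": 0,
        "dde_fields": 0,
        "suspicious_parts": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            if MACRO_PART.search(name):
                findings["macros"] = True
                findings["suspicious_parts"].append(name)
            if ACTIVEX_PART.search(name):
                findings["activex_parts"] += 1
                findings["suspicious_parts"].append(name)
            if EMBEDDED_OBJECT_PART.search(name):
                findings["embedded_objects"] += 1
                findings["suspicious_parts"].append(name)
            # Field instructions live in the XML parts (document body, headers,
            # footers), so scan every XML part rather than only word/document.xml.
            if name.lower().endswith(".xml"):
                text = package.read(name).decode("utf-8", errors="replace")
                findings["dde_fields"] += len(DDE_FIELD.findall(text))
    findings["active_content"] = (
        findings["macros"]
        or findings["activex_parts"] > 0
        or findings["embedded_objects"] > 0
        or findings["dde_fields"] > 0
    )
    return findings


def build_sample_docx(with_macros: bool, with_dde: bool) -> bytes:
    """Construct a minimal OOXML-shaped package in memory (placeholder content).

    This is a constructed sample for the demonstration, not a real Word file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
        if with_dde:
            # A complex field whose instruction asks Word to pull data over DDE.
            body += (
                '<w:p><w:r><w:instrText xml:space="preserve">'
                'DDEAUTO excel "sales.xlsx" "Sheet1!R1C1"'
                "</w:instrText></w:r></w:p>"
            )
        package.writestr("word/document.xml", f"<w:document>{body}</w:document>")
        if with_macros:
            # Placeholder bytes standing in for a real VBA project container.
            package.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for macros, dde in ((False, False), (True, False), (False, True)):
        print(macros, dde, inspect_ooxml(build_sample_docx(macros, dde)))
```

The scan is deliberately conservative: it flags the presence of the parts, not what they do, so a hit is a reason to open the file in a restricted viewer or not at all, not proof of malice. Two caveats apply to real files: Word may split a field instruction across several `<w:instrText>` runs, which a single regular expression will not reassemble, and legacy binary formats (`.doc`, `.xls`) are OLE compound files rather than ZIP packages and need a different parser entirely.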

The sandbox for Office documents, which Microsoft introduces in Office 2010, is Microsoft’s surrender to crackers. Short of publicly admitting that they’ve failed and moving to an entirely different set of formats, say the far more secure ODF (Open Document Format), all Microsoft can do is provide a read-only, semi-virtual machine to let you look at documents from other sites. Of course, once you’ve started editing such a document, you’re out of the sandbox, and, once more, you may think you’re just editing a document, but you’re actually running a program that’s insecure by design.

When Microsoft first gave users this ‘feature,’ its advantage was it let you transparently keep data synced up between different documents and different kinds of documents. Today, that’s still its advantage, but now, instead of living with the possibility of Joe down the hall seeing how much Jacqueline in marketing is making by spying in the company payroll spreadsheet, you have to live with the possibility of every Microsoft document containing malware.

To me, this danger far outweighs any advantage of using Microsoft document formats. That’s why I use ODF and programs like OpenOffice 3.1 which support it. And why I never download Microsoft Office documents from the Web and automatically delete any e-mail messages that contain them. Open document formats aren’t just better because they’re not under the control of a single company, as Microsoft’s Office formats are; they’re also fundamentally more secure.

A version of this story first appeared in ComputerWorld.