Microsoft refuses to set security targets for Office 2007

The developers who built Microsoft’s Office 2007 will not set a security target for the productivity suite, although they say it will be harder to attack than its predecessor.

Share

The developers who built Microsoft’s Office 2007 will not set a security target for the productivity suite, although they say it will be harder to attack than its predecessor.

The cautious tone contrasts with that of Microsoft executives who have predicted that Windows Vista will be hit by far fewer vulnerabilities than earlier versions of the operating system.

"What would show we were successful?" asked Joshua Edwards, the technical product manager for Office "That we demonstrate the attack surface area is extremely small. But we don't have a specific number of vulnerabilities in the next year that we're shooting for."

Earlier this month, Microsoft rejected reports of flaws in Word 2007.

Edwards defended Word 2007's security, and by extension, security across the Office suite. The new Office Open XML file formats were superior to the binary file formats of previous Office collections, he said.

"Because the XML schema is so well defined, we have a higher degree of resilience to prevent the corruption of those documents than in earlier Office," said Edwards. "If someone has injected code into the document, as we parse them off the disk in real-time we can ignore that document."

Office 2007 was the first suite that Microsoft took through the Security Development Lifecycle (SDL) initiative aimed at developing secure code. Edwards said it was safe to assume that because of SDL, Office was more secure, adding: "But at the same time, it's only part of what we've tried to do with Office security. And it's a process."

Edwards assured Office 2007 users that all legacy code had been thoroughly checked. "Every bit of that code still had to go through the SDL proofing tools," he said.

During the SDL review, the Office 2007 team also checked the Office 2003 code responsible for numerous vulnerabilities throughout 2006 that allowed bugs in Word, Excel and PowerPoint to be used for targeted attacks. "We looked at those to see if they were impacting 2007, but they did not affect the 2007 code base."

Significant security improvements were also made in Office 2007's encryption, in how users interact with the applications to finesse security options and in the tools for stripping out confidential information before passing documents to others, Edwards said.

Some of the security changes made in Office 2007 will also migrate downward to Office 2003 in a future service pack for the older suite, he added.

Find your next job with computerworld UK jobs