The Register® — Biting the hand that feeds IT

MS adds sandboxing to Office 2010

Microsoft has announced plans to introduce sandboxing technology with the next version of its Office suite. Office 2010 will incorporate sandboxing technology so that when users want to simply read Office documents, these files will have no access to other files or information. "Even if the file is malicious, it can’t get out of …

This topic is closed for new posts.
FAIL

Hmmm

Maybe a cut-and-paste editor / DTP package which only stores data and doesn't execute anything would avoid the whole need to have such sand-boxing in the first place.

Of course, that messes up anyone who wants to include dynamic data from another source which needs to execute, so how is such required data going to get executed to be displayed when read-only and sand-boxed to do no harm?

As soon as you create a backdoor, even with good intent, it is still a backdoor. Books and printed documents don't have this problem :-)

glwt

Good luck with this, given MS are going to be wiring Office deeply together with Sharepoint servers...

wohoo

This is a great way to make a simple word processor and spreadsheet even more slow and bloated. Intel will be pleased!

Anonymous Coward
Thumb Down

erm, I could be wrong here but...

99% of the time I get trojan emails with a "document" attached, it's just a .exe file with an icon to make it look like a Word doc.

MS are making the classic mistake of solving a problem that they know how to solve rather than the problem that actually exists.

Fix it or axe it

Microsoft have been duct-taping on features to Office for a long time now. Based on the tangled heap of special cases that is OOXML, the code base is now crippled by years of neglect and abuse and is probably far too labyrinthine and backward for anyone to really have a sound understanding of it.

Eventually, if you focus exclusively on progressive changes that affect the user experience and neglect the necessary anti-regressive and invisible stuff (what's the incentive if nobody can legally see what a mess it is anyway?), any code base will collapse under the weight of the accumulation of WTFs, hacks and voodoo code holding it together.

If Office is not a twitching, decomposing zombie, it should be possible to find the most potentially dangerous areas and put a bit of time into cleaning them up. Maybe the next release could be exactly like the current one, less 20% of the bloat and 80% of the serious security holes.

If, on the other hand, it's now so degenerate it needs to be permanently quarantined in its own rubber cell, maybe it's time to pull the plug on it.

Some businesses do still have magic spreadsheets performing business-critical functions, but no system lasts forever and keeping MS Office for the sake of a gruesomely unmaintainable Office-based 'application' is only delaying the inevitable.

Obviously MS are going to keep flogging their dead cash-cow as long as at all possible, but only MS are going to benefit if people keep trying to actually use it.

Thumb Down

A better sandbox

The big problem with Office is not that it is creaking with generations of duct-tape, but that it is rooted in {OLE, VBA, COM} and they are trying to maintain compatibility.

It does not matter whether there are zero/none/null exploits in Office, if the attack document contains a malformed embedded OLE object, a reference to a poor quality Excel add-in or VBA code with function references to DLLs.

You can put in a sandbox that stops auto open VBA, and blanks embedded objects, but it would be better to make a clean break with the past... especially with VBA... and do something new.

FAIL

Fail

More lipstick on the pig!

Anonymous Coward
Gates Horns

Really?

Microsoft have a security expert????

Did they just hire him or something? He's got a lot to do!

Anonymous Coward
WTF?

What a job!

MS Security expert? Nice job! On a par with Paris' PA and Sun's future hardware planning team then!!
