MS Will Sandbox, Not Patch, Office 2010 Vulnerabilities

Dennis Faas's picture

Microsoft has a reputation for rarely admitting or accepting defeat in any market. But the company is now waving the white flag of surrender, admitting that it can no longer find file format bugs fast enough to stop hackers from exploiting them.

That doesn't mean that Microsoft is prepared to let online deviants have their way with software vulnerabilities. Instead, the company has decided to take a "sandbox" approach to Office documents in the next version of the application suite.

The Sandbox Technique

The sandbox technique will be a new addition to Office 2010 and will feature a "Protected View" setting that isolates Word, Excel and PowerPoint files in a read-only environment. Sandboxing gives minimal access to the rest of the computer and offers zero access to other documents and personal information.

The logic behind this system is that even if a document is suspicious (and later proves to be malicious), it is essentially "trapped" inside a virtual sandbox so that it can do no harm to any other files outside of that particular document.

Hackers Fuzz, Microsoft Chases

A number of security analysts believe that hackers have been using "fuzzing" techniques to retrieve personal information and infect computers worldwide. Fuzzing is a tactic that relies on automated tools that drop random data into applications to see if, and where, vulnerabilities exist.

The whole practice of fuzzing has led Microsoft on an 18-month wild goose chase that has reportedly created more frustration than success.

The sandbox technique is just one of a few new security measures embedded into Office 2010. Other safety features include a more flexible file blocker and "Office File Validation," a practice that was rolled out in Publisher 2007 Service Pack 2 (SP2).

Two More Security Features

The file blocker restricts access to specified document types. Microsoft announced that Office 2010 will let users customize this feature to better manage which formats Word, Excel and PowerPoint open.

Office File Validation, on the other hand, is a system that validates older, pre-XML file formats for Word, Excel and PowerPoint, then blocks those files that do not conform to the documented format. The idea here is that malicious documents would trigger a block from the outset, while the new sandbox feature would then activate and take over from there.
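As an added illustration of format-conformance checking (not Microsoft's Office File Validation code, whose individual checks the article does not describe), this Python example validates the header of the OLE compound file container used by the pre-XML .doc, .xls and .ppt formats against the published MS-CFB layout. The function names and the sample bytes are constructed for the example.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# MS-CFB header: signature, CLSID, minor/major version, byte order, sector
# shift, mini sector shift, 6 reserved bytes, then nine 32-bit fields.
HEADER = struct.Struct("<8s16sHHHHH6s9I")


def validate_cfb_header(data: bytes) -> list:
    """Return conformance violations; an empty list means the header passes."""
    if len(data) < 512:
        return ["shorter than the 512-byte header"]
    (magic, clsid, _minor, major, bom, sec_shift, mini_shift, reserved,
     n_dir, n_fat, _first_dir, _txn, mini_cutoff,
     _first_minifat, _n_minifat, _first_difat, _n_difat) = HEADER.unpack_from(data)
    if magic != CFB_MAGIC:
        return ["bad signature: not a compound file"]
    problems = []
    if any(clsid) or any(reserved):
        problems.append("CLSID or reserved bytes are not zero")
    if bom != 0xFFFE:
        problems.append("byte-order mark is not 0xFFFE")
    expected = {3: 9, 4: 12}.get(major)  # version 3 = 512-byte sectors, 4 = 4096
    if expected is None:
        problems.append(f"unsupported major version {major}")
    elif sec_shift != expected:
        problems.append(f"sector shift {sec_shift} invalid for version {major}")
    else:
        # Only trust the sector size once it is known to be a documented value.
        sectors = len(data) // (1 << sec_shift) - 1  # sectors after the header
        if n_fat > max(sectors, 0):
            problems.append(f"claims {n_fat} FAT sectors, file holds {max(sectors, 0)}")
    if mini_shift != 6:
        problems.append("mini sector shift is not 6")
    if major == 3 and n_dir != 0:
        problems.append("version 3 must report 0 directory sectors")
    if mini_cutoff != 0x1000:
        problems.append("mini stream cutoff is not 4096")
    return problems


def build_sample(major=3, sec_shift=9, n_fat=1, bom=0xFFFE) -> bytes:
    """Constructed input: a header plus one empty 512-byte sector."""
    hdr = HEADER.pack(CFB_MAGIC, bytes(16), 0x3E, major, bom, sec_shift, 6,
                      bytes(6), 0, n_fat, 0, 0, 0x1000,
                      0xFFFFFFFE, 0, 0xFFFFFFFE, 0)
    return hdr.ljust(512, b"\0") + bytes(512)
```

A validator of this kind rejects a file before any parser acts on attacker-controlled sizes and offsets, which is why the sector-count check runs only after the sector shift is confirmed to be a documented value.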

Microsoft promised that the new security features offered in Office 2010 will have very little impact on document load time. However, there is always the chance that the system requirements may impact the computer's memory and processor resources during future startups.
