Security Watch

Off-Cycle Patch from Visual Studio, IE

Plus: Microsoft's security initiative comes out from under the hat; Office in a sandbox

• By Jabulani Leffall
• 07/28/2009

For the security mavens at Redmond, off-cycle or "out of band" patch release announcements are becoming more the rule than the exception. With exploits cropping up all over the place, there's no reason to think a steady flow of patches to fix them will be forthcoming as well.

Hackers, of course, don't care whether patches are in or out of band. This is the second "out of band" patch for IE in less than a year with the last one coming in December ahead of a massive regular release cycle.

Redmond gave the advanced nod for two patches, released today. One bulletin gets the "moderate" tag, for the Microsoft Visual Studio product line; the second one is "critical" and contains "defense-in-depth" changes to Internet Explorer that address "attack vectors related to the Visual Studio bulletin."

There's certainly a lot to talk about as the Black Hat security conference kicks off this week.

Passing the Hat
Speaking of Black Hat, Microsoft is extending its momentum from last year, when it launched its Security Development Life Cycle framework, with its call to arms for defense against hackers and automated bugs.

Redmond's plan this year is three-fold: first it will issue a Security Update Guide, with which it says customer can better "manage risk," and create planning paradigms for patch releases and security updates.

Second on the agenda is Project Quant, an online information resource that aims to provide organizations with a single but customizable template for evaluating both the actual and opportunity costs of patch installation processes.

Rounding out the three-pronged pronouncement is Office Visualization Tool, which is timely given the fact that Office suite applications such as Word, Excel, PowerPoint and various viewer files have been popular attack vectors.

As part of its big pre-conference media blitz, Redmond also let its flag flap a little, touting the growth of its Microsoft Active Protections Program, or MAPP. This is an initiative where Redmond has enlisted the help of scores of channel partners and third-party vendors in its push for a sort of "kumbayah" security collaboration atmosphere with known competitors and not so congenial vendors.

Microsoft said that as of this month, more than 47 global partners have joined MAPP since the program's launch. "As a result, customers are better protected from threats more quickly," Redmond said in its press release.

Office in a Sandbox
There's trouble with Office and it doesn't have anything to do with the status of the popular sitcom about a paper company. Brad Albrecht, a senior security program manager with the Office team, says Office "has had the misfortune of becoming one of the next big targets for hackers to attack."

In a company blog this week, Albrecht said that hackers "have been going after many of our file-format parsers and how we read Office files and that despite lots of work to fix the bugs, "we can't find everything... we have to take a more proactive approach and build Office to be more resilient to attack."

Albrecht said Office 2010 will feature a "Protected View" function that will box off or isolate downloaded Word, Excel and PowerPoint files in a read-only environment, until their security signature can be fully verified by the individual enterprise network.

Such a practice is called sandboxing, where applications, individual documents or documents come with limited access to keep code from jumping out of a file and onto an enterprise network through a compromised workstation.

To cement the process, Office 2010 will have flexible file blockers and a suite-wide rollout of "Office File Validation," a practice that was once only exclusive to Publisher 2007 Service Pack 2 (SP2).