Microsoft has released a Office 2010 Security Whitepaper on Keeping Enterprise Data Safe with Office 2010, and it is now available for download from Microsoft. This whitepaper highlights the new security features and enhancements introduced in Microsoft Office 2010 that help protect organizations from exploits targeting users who use Office applications in their daily work.
Since the release of Office 2007 the threat landscape enterprises face has continued to evolve. End-user applications are increasingly targeted as attack vectors by malware developers, and Office products continue to experience greater numbers and more varied forms of attack. Macro exploits are no longer the greatest risk Office customers face today. Instead, file format exploits, which employ malformed Word, Excel or PowerPoint files saved using the older binary file formats (.doc, .xls or .ppt) to try and create buffer overflow conditions that can be used to elevate privileges and compromise system security, have now become a major concern for uses of Microsoft Office applications.
To address both new and continuing security concerns in this space, the Office engineering team focused on three key goals during the development of Office 2010:
- Improving the Office security engineering processes
- Providing effective, easy-to-use protection technologies for Office users
- Strengthening Office core security features and technologies
The paper begins by describing the evolving threat landscape that drove the Office engineering team to make these improvements and how Office security has evolved through different versions.
The paper then goes on to describe the three security goals that guided the Office development process, namely improving the Office security engineering processes, providing effective and easy-to-use protection technologies for Office users, and strengthening Office core security features and technologies.
The Office defense-in-depth protection model is described next, after which key security technologies such as Office File Validation, Protected View and Trusted Documents are demonstrated in detail.
The paper concludes by briefly examining other Office 2010 security improvements including Data Execution Prevention, ActiveX kill bit, password complexity requirements, and encryption and digital signature improvements.
Download page: Microsoft.
Microsoft Office 2010 Product Guides may also interest you!