
Office Security Engineering: BlueHat v9 Presentation Revisited

Hi, this is Tom Gallagher from the Office Trustworthy Computing team. At Blue Hat v9, David Conger and I presented some of the security engineering work that we were doing to help ensure the security of Office 2010. We don’t want a single bug in our parsing code to allow arbitrary code to harm a customer’s machine by doing things like installing a rootkit. While fuzzing remains an important piece of our security efforts, we’ve taken a layered approach to provide protection against bugs that we may have missed. Key layers of our protection include Office file validation and a sandboxed viewing mode known as Protected View for Word, PowerPoint, and Excel.

After our Blue Hat presentation, we had the privilege of attending and presenting at CanSecWest. For me, one of the most interesting parts of security conferences is getting to talk with others about what they are working on. Several people working for both software vendors and security consulting companies were able to talk about our current fuzzing work and challenges over dinner. People and organizations including Microsoft continue to make large investments in finding fuzz bugs. There are a lot of creative ideas that are being explored and will likely continue to be an area of focus for the near future.

The Security Development Lifecycle (SDL) provides a great baseline to help teams ensure we ship secure products. The SDL has evolved since its inception in 2004; the tools and guidance have improved with the help of many product teams across Microsoft. Office is one of the contributors of both tools and guidance for the SDL. In Office, we often create additional recommendations and requirements for our code and “dogfood” these ourselves before recommending that these guidelines become part of the official SDL. Last week, Didier from the Microsoft Security Engineering Center made a good blog post about Office’s SDL efforts which outlines many of the specifics.

While we have shipped Office 2010, we know people will continue to attack our code and our efforts to find vulnerabilities haven’t stopped either. Over the past month, we’ve continued to make additional improvements to our Distributed Fuzzing Framework and are now consistently completing over 20 million iterations each weekend. We’re also adding additional fuzzers and tweaks to our fuzzing job scheduler. I’m looking forward to talking more about our latest work at SyScan in Singapore next month and in HangZhou in early July.
