What Office 2010 Can Teach Us About Security

The upcoming version of Microsoft’s productivity suite rethinks how desktop applications should approach security.

3. Don't trust third-party libraries
Parsing Office's own XML-based file formats is easy enough. But real-world Office documents contain much more than plain text. They may also carry images, audio, video, or even code objects embedded from other applications, and each of those formats is handled by its own parser.

Years of testing Office 2007 led Microsoft engineers to an unexpected conclusion: Most of the critical bugs they found were not in Office code per se, but in the core image-processing libraries used to render JPEGs, GIFs, and other graphics.

For Office 2010, Microsoft has switched its image-processing libraries to Windows Imaging Component (WIC), which is based on pluggable codecs. For developers of other applications, however, the lesson is clear: Don't assume that even a widely used library is free of defects. Every byte such a library reads out of a document is under the attacker's control, so feed malformed input to the code you draw from other sources just as rigorously as you test your own.
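The kind of test the article is calling for, shown as an added example that is not Microsoft's tooling or any real image library: a small mutation-fuzzing harness. `decode_header` is a constructed stand-in for a third-party image-header parser with one deliberate defect, a fixed-offset read that is never checked against the input length; `fuzz` is the generic part and accepts any decoder callable. The `IMG1` format, its 12-byte seed, and the exception classification are all assumptions made for this illustration.

```python
"""Mutation-based smoke test for a decoder you did not write (added example)."""
import random
import struct

# Constructed well-formed input for the toy decoder: magic, width, height.
SEED = b"IMG1" + struct.pack("<II", 640, 480)


def decode_header(data: bytes) -> tuple:
    """Constructed stand-in for a library routine. It checks the magic but
    reads width/height from a fixed offset without checking len(data), so a
    truncated file escapes as struct.error instead of a clean ValueError."""
    if data[:4] != b"IMG1":
        raise ValueError("bad magic")
    width, height = struct.unpack_from("<II", data, 4)
    if width == 0 or height == 0:
        raise ValueError("empty image")
    return width, height


def _exc_name(e: BaseException) -> str:
    t = type(e)
    return t.__name__ if t.__module__ == "builtins" else f"{t.__module__}.{t.__name__}"


def mutations(seed: bytes, rounds: int, rng: random.Random):
    """Yield every truncation of the seed first (deterministic, so short-read
    bugs are always exercised), then seeded random bit flips, insertions and
    boundary-value overwrites."""
    for n in range(len(seed)):
        yield seed[:n]
    for _ in range(rounds):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            op = rng.choice(("flip", "insert", "overwrite"))
            pos = rng.randrange(len(buf))
            if op == "flip":
                buf[pos] ^= 1 << rng.randrange(8)
            elif op == "insert":
                buf.insert(pos, rng.randrange(256))
            else:
                buf[pos] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        yield bytes(buf)


def fuzz(decoder, seed: bytes, rounds: int = 500,
         expected=(ValueError,), rng_seed: int = 1) -> dict:
    """Run the decoder over mutations of the seed and sort the outcomes.
    A clean result or a documented, expected exception is fine; any other
    exception is a defect in the decoder's input handling and is recorded
    under its type with the first input that triggered it."""
    rng = random.Random(rng_seed)
    report = {"accepted": 0, "rejected": 0, "findings": {}}
    for case in mutations(seed, rounds, rng):
        try:
            decoder(case)
            report["accepted"] += 1
        except expected:
            report["rejected"] += 1
        except Exception as e:  # catching everything is the point here
            report["findings"].setdefault(_exc_name(e), case)
    return report


if __name__ == "__main__":
    r = fuzz(decode_header, SEED)
    print(f"accepted={r['accepted']} rejected={r['rejected']}")
    for name, case in r["findings"].items():
        print(f"FINDING {name}: reproducer {case.hex() or '<empty>'}")
```

In a memory-safe language the surprise shows up as an unexpected exception type; in the C and C++ codecs the article is talking about, the same unchecked read is an out-of-bounds access, so the harness should run the decoder in a separate process and treat a crash or timeout as a finding too.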

4. Don't rely on users to enforce security
Too many desktop applications use a security model that boils down to asking the user: "The action you are about to take poses a security risk. Do you want to go ahead anyway (Y/N)?"

This approach is not only lazy but dangerous. What makes a specific action a security risk? Just how risky is it? And for that matter, what does "security" even mean in this context? Lacking any meaningful guidance, the average user will just click Yes.

Offering more detailed warning messages doesn't help, either. Users who issue commands expect the computer to obey their commands. They don't want to argue, and they don't have time to read essays about software vulnerabilities.

Instead, Office 2010 takes a proactive approach to security. The main goal of processes like file validation, which checks that a file's structure conforms to the expected format before the full parser ever touches it, is to push more security choices into the background rather than confronting users with dialog boxes. By making basic, rational decisions behind the scenes, in advance of user interaction, the new Office apps keep those decisions out of the user's hands, where the guesswork would otherwise happen.

5. Prefer degraded user experience to outright denial
When older versions of Office encountered security risks, users really had only two choices: They could proceed as usual -- succumbing to the threat -- or they could not open the file at all. Neither choice was ideal.

Office 2010 tries to offer a middle ground whenever possible, by giving users a degraded experience rather than denying risky actions outright. For example, if Word 2010 encounters a document containing dangerous macros, it might open the document with macros disabled. The user still sees a warning, but the document opens anyway: the text is readable, and enabling the macros requires a deliberate extra confirmation step.

This philosophy of "meeting the user halfway" is one of the most important concepts underlying the new Office security model. As long as security procedures create a tug of war between users and software, users will always find ways to "win" -- thus, subverting the very security measures designed to protect them. By offering a gradual, multilayered security model, Office 2010 tries to make security a partnership with the user -- and that's a lesson that any application developer can take to heart.
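The two ideas in points 4 and 5, decide in the background first and then degrade instead of refusing, are shown together here as an added example that is not Microsoft's Office File Validation or any Office code. It assumes only the public OOXML packaging facts: a .docx/.docm is a ZIP with a `[Content_Types].xml` part, the body in `word/document.xml`, and VBA macros, if any, in `word/vbaProject.bin`. The size and ratio limits, the result structure, and the sample document `build_sample` produces are assumptions made for this illustration.

```python
"""Validate-then-degrade loader for an OOXML-style container (added example)."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

MAX_PART_BYTES = 50 * 1024 * 1024   # assumed limit on an uncompressed part
MAX_RATIO = 100                      # crude zip-bomb guard (assumed threshold)
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")
MACRO_PART = "word/vbaProject.bin"
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def validate_container(data: bytes) -> list:
    """Structural checks that run before any real parsing, with no user
    involved. Returns the reasons to refuse; an empty list means the
    container is well-formed enough to hand to the document parser."""
    if not data.startswith(b"PK\x03\x04"):
        return ["not a ZIP container"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as e:
        return [f"corrupt ZIP: {e}"]
    problems, names = [], set()
    for info in zf.infolist():
        name = info.filename
        if name.startswith("/") or "\\" in name or posixpath.normpath(name).startswith(".."):
            problems.append(f"suspicious part name {name!r}")
        if info.file_size > MAX_PART_BYTES:
            problems.append(f"{name}: {info.file_size} bytes exceeds limit")
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            problems.append(f"{name}: compression ratio looks like a zip bomb")
        names.add(name)
    problems += [f"missing required part {p}" for p in REQUIRED_PARTS if p not in names]
    if not problems and zf.testzip() is not None:
        problems.append("CRC mismatch in a part")
    return problems


def load_document(data: bytes) -> dict:
    """Open the document in the least risky mode that still shows content.
    'mode' is 'refused' (structure is wrong), 'degraded' (opened with the
    macro part ignored), or 'full'."""
    problems = validate_container(data)
    if problems:
        return {"mode": "refused", "reasons": problems, "text": None}
    zf = zipfile.ZipFile(io.BytesIO(data))
    try:
        # The XML parser is itself third-party code (point 3): keep it patched.
        root = ET.fromstring(zf.read("word/document.xml"))
    except ET.ParseError as e:
        return {"mode": "refused", "reasons": [f"document.xml malformed: {e}"], "text": None}
    text = "".join(t.text or "" for t in root.iter(W_NS + "t"))
    has_macros = MACRO_PART in zf.namelist()   # present, but never executed here
    return {
        "mode": "degraded" if has_macros else "full",
        "macros_disabled": has_macros,
        "reasons": ["VBA project present; macros not run"] if has_macros else [],
        "text": text,
    }


def build_sample(with_macros: bool, traversal: bool = False) -> bytes:
    """Constructed sample container (not a real Office file) for the demo."""
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", body)
        if with_macros:
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0 constructed fake VBA project")
        if traversal:
            zf.writestr("../evil.xml", "x")   # part name that escapes the package
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("macros", build_sample(True)),
                        ("traversal", build_sample(False, traversal=True)), ("garbage", b"hello")):
        print(label, load_document(blob))
```

The ordering is the point: the refusal decisions are made on cheap structural facts before any content parser runs, and once the container passes, a dangerous part does not close the door; it is simply not executed, and the user sees the text plus a reason they can act on.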
