Simon Bisson & Mary Branscombe's Blog

Office 2010 protects you – from your own documents

By Simon Bisson & Mary Branscombe in Editorial

Posted in Beta, Android, Applications, Office, Security, Networking, Microsoft on August 18, 2009 at 8:36 pm


Remember macro viruses? Trojans and bots have taken over from them in the virus top ten, but there could easily still be binary Office documents lurking in your business’s fileservers with unwanted code in them. The XML file formats introduced with Office 2007 mean you know when a document has a macro by the file extension (an XLSX file can’t have code in, an XLSM can) but even though XML files are smaller as well as more secure, not everyone wants to spend the time to convert a backlog of many years. So to protect you from anything worrying, Office 2010 introduces a Protected View that locks documents when you open them, and runs in an isolated, low-integrity process with a restricted token (rather like combining the protected mode that IE 8 runs in with the secure desktop you see with UAC elevation prompts - Protected View uses the same User Interface Privilege Isolation).

As the Office engineering blog post puts it, “For a malware to actually be able to run in Protected View it will first need to find a way around DEP, ASLR, GS and our new 2010 Office File validation checks.  After all that, the malware would need to find a way to break out of the sandbox.”

The Office team is confident enough in Protected View that opening and previewing attachments from Outlook will get less annoying; you won’t have to say yes, you trust every different type of document to open and preview individually the first time you come across it. It seems like a welcome security measure that will make life easier too. Sadly, as implemented it’s currently a productivity blocker that will be turned off or loathed by every user that comes across it.

On my system at least, every single document I open in Office 2010, binary or XML, from the office network is opened in Protected Mode and tagged as coming from ‘an unsafe location’. That’s supposed to be for documents downloaded from the Internet (“When a file is downloaded from the Internet the Windows Attachment Execution Service places a marker in the file’s alternate data stream to indicate it came from the Internet zone,” says the Office Engineering blog) and I’m kind of offended that Microsoft is telling me that our network isn’t secure - it is Windows Server 2008 we’re running. I’m also losing time on every document, having to click through before I can start editing.
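As an added illustration (not code from the Office team or from this blog), the Python sketch below reads the `Zone.Identifier` alternate data stream that the quote describes and reports which zone it records. The sample stream contents and the `example.test` URL are constructed, and the zone table is the standard Windows URL security zone numbering.

```python
import configparser
import sys

# Standard URL security zone numbers stored in the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what the marker stream contains for a downloaded file.
SAMPLE_DOWNLOADED = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                     "HostUrl=https://downloads.example.test/report.xls\r\n")

def parse_zone_identifier(text):
    """Return the ZoneId recorded in a Zone.Identifier stream, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # missing section or key, or a non-numeric ZoneId

def read_marker(path):
    """Read the file's Zone.Identifier stream; None if absent or not NTFS."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def describe(text):
    """Summarise a marker stream (or its absence) for triage."""
    if text is None:
        return "no marker"
    zone = parse_zone_identifier(text)
    if zone is None:
        return "marker present but unreadable"
    return f"marked as {ZONES.get(zone, 'unknown zone')} (ZoneId={zone})"

if __name__ == "__main__":
    # With file paths as arguments, inspect real files; otherwise use the sample.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "->", describe(read_marker(p)))
    else:
        print("sample ->", describe(SAMPLE_DOWNLOADED))
```

Running it over a share shows which documents actually carry the downloaded-from-the-Internet marker and which do not.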

I tried turning Protected View off; you can’t. You can go into the Trust Center, ignoring the sign that tells you not to go in there and not to change anything, and tell Office to trust network documents (again, ignoring the warning that a network is a scary place and you shouldn’t be trusting it) but that didn’t fix it. I had to manually add the file shares on the server, mount point by mount point. You can’t just give Office the name of your file server and trust the whole thing; Office refuses to mark the root of the server as safe.

This isn’t supposed to happen, says Microsoft. In some cases, the proxy settings are to blame (check out The LIZ and Proxies: the surprising connection for an explanation by Eric Lawrence of the IE team of why proxies are involved in the intranet at all). We don’t use a proxy. Maybe the Local intranet setting in Internet Options isn’t set to ‘Automatically detect’? It is, as it happens.

Ah, says the Office team; it’s a bug, and they’re working on it. That’s good news; if I only have to put up with this until the beta of Office 2010 this autumn, that’s fair enough - you expect problems when you use a ‘technical preview’ (or alpha code as we used to call it).

But the fact that Office 2010 is relying on Internet Explorer options that may or may not apply if you don’t have Internet Explorer on your system is a little worrying (Firefox doesn’t use security zones, for example). And Simon, who is joined to the domain, doesn’t see Protected View on network documents. So the underpinnings of Protected View seem to be a tangle of Internet Explorer, Active Directory and Microsoft network settings; that’s fine for an all-Microsoft business - like Microsoft. It’s less useful for the rest of the world where heterogeneous networks are the norm and security is important - but will always get demoted if it gets in the way of getting your job done. Let’s hope the bug fix does more than just tweak things; Protected View uses a spiffy new architecture inside Windows and it needs to take a clear and manageable approach to defining what a ‘safe’ or ‘unsafe’ location actually is, or it’s going to be unpopular and insecure (cue everyone copying documents onto their laptop to edit them without the nagging and leaving them in the pub car park).
-Mary
 


 

Don’t like the ribbon? You will

By Simon Bisson & Mary Branscombe in Editorial

Posted in Applications, Office, Microsoft on July 13, 2009 at 3:24 pm


You have to get used to the Office 2010 ribbon - and now it’s a lot easier to get used to.

The statistics from Office 2007 users show that the ribbon does what it was designed to do in terms of exposing more of the features that are in the application (because 80% of new feature requests were for features that are already in Office, just not where people were finding them). More people use more of the features in Office 2007 than ever before, says Chris Bryant from the Office team.

Not everyone likes the ribbon and for some people, Microsoft learned the lesson of how multiple interface options increase support costs rather too well with Office 2007 and Windows 7. Having gone to the effort of developing a logical user interface that’s more productive than the old muddle, Microsoft didn’t allow users to stay with old and inferior if they wanted the features that went with the new and improved interface. Quite where users who want new versions of Office without the ribbon think the new features would go is a mystery - and personally speaking, I embraced the ribbon, even though not all of the commands were quite where I thought they should be, on the grounds that I’d been nagging Microsoft for years to tidy up the old Office interface and find logical places for the extra commands and features they’d been cramming in to the old dialogs like pushing socks into a drawer you haven’t been able to close for months.

I know where every feature in the old Office interface was and sometimes I have to look in two tabs to find a specific command so you might expect me to complain about it - but I don’t (much). In Office 2003 the ribbon isn’t perfect but it is still a huge improvement and if a feature is in the wrong place on the ribbon I put it on the quick access toolbar.

And Office 2010 addresses almost every complaint about the ribbon (although if you’re one of the people who hate the ribbon because you have laboriously learned the obscure location of commands that are now clearly and logically arranged in the tabs, then your issue is more about forgiving Microsoft for past sins, abandoning the time you invested and stepping out of your comfort zone - and Microsoft can’t do much about that). If you don’t like features you never use taking up screen space, you can remove commands from tabs - or entire tabs. If your issue was that, say, proofing tools don’t belong under Review with the tools for working with comments on someone else’s document, then you can either move them to the tab where you think they fit better or create a whole new tab and put those commands in what you think is a logical group. And if you dislike the ribbon because you have to switch between tabs (which is no more work than opening menus and dialog boxes, but may feel like more work because you’re comparing it to clicking buttons that are right there in front of you on the ribbon), you can make your own ‘home’ tab for each application that has the tools you use at the full size of the ribbon rather than crammed onto the quick access toolbar. You can completely customise the ribbon and make something that increases productivity generally increase your own productivity too.

Mary
