In March of 2006, Microsoft released only two new Security Bulletins. One was rated as important and the other was critical. Critical Security Bulletin MS06-012 pertains to vulnerabilities in Microsoft Office that could allow a successful attacker to take complete control of a vulnerable system. In February 2006, a flaw, rated as important, was announced regarding PowerPoint (MS06-010).
It is imperative that users secure and protect their Microsoft Office programs as much as the operating system and Web browser they use. The overall security of the computer is only as strong as its weakest point, and Microsoft Office products could be that point. Follow these tips to lock down your Microsoft Office:
- Make sure macro protection is on: Macros still represent a potential risk if macros from unknown or untrusted sources are executed. Macro security should be turned on to ensure macros are disabled or that the user is asked before macros are run. This has to be done on a product-by-product basis, usually from within the Options settings.
- Patch and update your Office products: Until recently, users had to visit the Microsoft Office Web site to manually initiate a scan for new patches for Microsoft Office products. Use Automatic Updates or scan your computer from the Windows Update site using current software to identify and apply patches for both the Windows operating system and Office products as well as other Microsoft applications. Regardless of how you do it, check frequently for new patches and apply those that affect your system.
- Follow standard computer security precautions: No matter what the attack or exploit is, common sense and computer security fundamentals are always a good idea. Ensure that your systems are protected by a firewall and have current, updated antivirus software running.
- Remove hidden metadata: This is more of a confidentiality and privacy concern than a security issue, but most users don't realize the volume of information hidden in the background of many Microsoft Office documents, particularly Microsoft Word. Even if you delete sensitive information like credit card or social security numbers from a document, that information is retained in the hidden metadata. In the options for Microsoft Word, you can disable FastSave. You can also set the Privacy options to "Remove personal information from file properties on save." There are also tools to remove the hidden data, such as the free Remove Hidden Data add-in from Microsoft.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. Bradley is the co-author of Hacker's Challenge 3 and he is the About.com Guide for Internet / Network Security providing a broad range of information security tips, advice, reviews and information. He also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit S3KUR3.
This was first published in May 2006