Office 2010’s Web tools raise security questions

Yardena arar By Yardena Arar

Microsoft’s newest Office adds some nifty Internet features, including easy access to shared documents via SkyDrive and PowerPoint Broadcast.

But putting personal and business information into the cloud opens up potential security risks that all Office 2010 users should be aware of.

Microsoft says it has done its best to balance conflicting demands of convenience and security. Still, security experts say Office 2010’s Web-connectedness could present new opportunities for snoops and hackers.

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

PC Drive Maintenance (Excerpt)

Subscribe and get our monthly bonuses - free!

Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!



This concern isn’t about some obscure Office capability — these potential threats touch on at least two of the suite’s coolest new features: SkyDrive and PowerPoint Broadcast. The former lets you easily share documents with colleagues, either via Office desktop apps or the new Office Web Apps. And with a simple Web link, anyone with a free Windows Live account can now run a PowerPoint 2010 slideshow, viewable by any remote user with a desktop browser.

At the very least, people who use these features should understand exactly what degree of security is and isn’t provided.

You get secure transit, but unencrypted storage

As Michael Lasky reported in his June 24 Top Story, SkyDrive uses SSL encryption to protect data in transit from your PC to Microsoft’s servers. But once a file arrives at its destination, security depends almost entirely on user authentication — password protection, to be more specific. “If anyone manages to compromise their credential system, you have a problem,” says Nasuni CEO Andres Rodriguez. Nasuni sells businesses client-server technology that encrypts sensitive documents before they’re stored online.

SkyDrive’s dependence on user authentication is no different from that of many other Web applications that manipulate stored data such as Web-based e-mail; none encrypt the data on their servers, Rodriguez says. “There’s no encryption at rest. There can’t be. The Microsoft servers have to be able to understand that data [the format] to represent it to you [via Office desktop or Web apps],” he explains. Thus, security measures must focus on controlling access to servers, whether by physical means or by hacking or bypassing the password system.

In an e-mail, Microsoft spokesman Scott Massey described the measures in place to provide such protection. “Once your files are on our servers, we work to prevent hackers from accessing your data by employing sophisticated physical and electronic security measures. We also store multiple copies of your file on different servers and hard drives to help protect your data from hardware failure.”

Businesses face biggest cloud-computing threat

For most consumers, Microsoft’s cloud-security safeguards are most likely superior to their own, especially in terms of redundant data backups. But businesses may be uncomfortable with the many ways most Web services (not just SkyDrive) can be compromised — even when individual business users are careful.

“The problem could be with the [business] owner setting the incorrect permissions, or a bug in the hosting provider’s solution which could leak potentially damaging information,” says Symantec Security Response researcher Vikram Thakur.

Thakur points out that, since one reason for using SkyDrive is to easily share documents, permission settings are vitally important. “One minor setting ignored could potentially allow your files to be shared with everyone.”

“I’m not sure that an enterprise would be happy that it’s that easy to put Office documents on SkyDrive,” says Adi Ruppin of Confidela, whose WatchDox add-ons for Office encrypt documents before they are sent to others. Ruppin says Office 2010’s Web features appear to be designed with sharing rather than security in mind. He adds, “Once you put stuff online and you share it, you lose control.”

Nasuni’s Rodriguez concurs: “This model of running applications in the cloud may be appealing to consumers, but many businesses are going to have a problem with it.” Businesses such as Nasuni and Confidela are, of course, depending on that perception.

PowerPoint Broadcast opens up potential risks

The new broadcasting feature in PowerPoint 2010 is impressive in action: click the broadcast button in the slideshow tab and sign in to your Windows Live account. Within a few seconds (while the presentation is uploaded to Microsoft’s servers), a pop-up window presents you with a URL to distribute to your audience — usually via e-mail or instant message. (See Figure 1.) When they click on the link, they will see your slides in their browser — with you controlling the presentation.

But the potential for security breaches may be greater here than with SkyDrive. The presentation is not sent using SSL encryption — it’s a garden-variety http:// URL. The primary protection from hackers and snoopers is each presentation’s unique and rather lengthy assigned ID, which is embedded in the URL.

PowerPoint broadcast invitation
Figure 1. PowerPoint 2010 includes the ability to quickly broadcast live presentations through the use of a uniquely coded link.

Microsoft spokesman Massey says the presentations are quickly deleted from Microsoft’s servers once the broadcast ends. But Rodriguez says the threat here is not so much to document privacy as it is to PC security. “This is just an unsigned, unsecure connection to someone else.” He adds that a hacker who hijacks the link could potentially use it to distribute malware.

Business customers have security options not available to consumers using the free Web offerings. In his e-mail, Massey wrote, “For business use, access control is more important. When customers use the broadcast service paired with on-premise SharePoint servers or our upcoming cloud offerings, additional access controls become available due to the additional security layers those products will provide.”

Treat Office 2010 as you would any Web app

While businesses can justify the expense of a SharePoint server or data protection services such as those offered by Confidela or Nasuni, they will still deploy Office 2010 on many thousands of business desktops. IT departments will have to plan for the potential security risks Office 2010 opens. The solution may lie with providing security training for Office users and possibly disabling some of Office’s Web capabilities via the Group Policy options.

Consumers have fewer options: you might not want to store sensitive documents on SkyDrive, which means forgoing the use of Microsoft’s free Web apps.

But remember, this potential privacy threat exists for just about all consumer Web services, not just SkyDrive. The difference is that using SkyDrive and the other Microsoft productivity apps could increase the likelihood that you’ll store more of your confidential information online, where security is more difficult to manage.

And what about protecting against a hijacked PowerPoint Broadcast link? Treat it as you would any link or file attachment that arrives in e-mail or instant message: check to make sure it comes from the person it purports to come from.

Have more info on this subject? Post your tip in the WS Columns forum.

WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.
= Paid content

All Windows Secrets articles posted on 2010-07-01:

Yardena Arar

About Yardena Arar

Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor at PC World magazine from 1996 to 2009, and is now a PC World contributing editor.