5

I am designing a highly restricted workstation build for a secure environment. At the minute this is planned to use Windows 7, but I am considering Linux. The users will on occasion open documents from external sources, and I need there to be virtually zero possibility of these documents breaking into the workstation.

Microsoft Office has a long history of security vulnerabilities, a lot around macros, but also buffer overruns and other vulnerabilities. Open Office has a somewhat better history, but has also suffered serious flaws. Given the history of Office vulnerabilities, I cannot recommend Microsoft or Open Office for this environment.

Users do need some kind of office suite, but a basic one would suffice. So here's my question:

Is there a simple office suite that is highly secure?

paj28

5 Answers

6

Remember the I in the CIA triad - Integrity. It is also a security failure if these sensitive Word documents and Excel spreadsheets from outside don't convert properly when you open them in your office suite.

I fear you may have to accept that you need to run a proper copy of Office and put controls around that - for example, by opening them in a disposable VM that you throw away every time you use it. This is easier to do than you might think - most VM hosts allow you to easily roll back to a previous snapshot.

Graham Hill
  • Thanks, this is a pragmatic approach, especially when combined with the lockdowns that John added below. I am going to open a separate question about virtualisation solutions, bearing in mind these are non-technical users. I'm going to hold off on accepting your answer for now, as I'm still hoping someone will recommend an Office suite that's trustworthy enough not to need separation. – paj28 Oct 10 '13 at 09:35
4

It seems as though you have requirements to:

  • view office documents from external sources
  • a secure system that you wish to shield from an attack borne by use of office tools

It seems to me that separation is the answer. This comes in varying strengths:

  • Air Gap: Is there a strong requirement for your secure system to also connect to external sources and view untrusted documents? If the system is highly secure then the air gap approach is the best answer and I have deployed this approach many times, i.e. just deploy another desktop in the office that is connected to the internet/external source and is managed accordingly.

  • Remote: Let your secure desktops use RDP (etc.) to connect to a shared VM environment (perhaps hosted centrally) that has all the relevant office and internet/external access capabilities. You could also use Citrix for this approach. The concept is that the high risk services are managed centrally and can be refreshed each night.

  • Local: Use a local Virtual Machine to run office tools separately from the main operating system.

I don't think the choice of actual office suite really matters in this discussion.

Callum Wilson
  • Thanks... I should add that these documents are themselves highly sensitive, and also they will be exchanged with multiple parties. If we separate documents from the workstation, this protects the workstation, but does not protect the documents. I feel that creating a separate VM for every external party will not be practical. Hence the desire for a trustworthy office suite. – paj28 Oct 09 '13 at 14:43
  • No software is so secure that one can fully trust it. To trust is already failure. Especially if the software is closed source and nobody can really prove it is secure. So you had better separate the rights of the user logged into the workstation from the user rights an office suite runs under. If a document contained malicious code, it should not be possible to read the user's data. This approach becomes more feasible with Linux and SELinux. Also remember that malicious code could take a screenshot of the screen... Check qubes-os.org for their design. The same applies to internet browsing. – jirib Oct 09 '13 at 17:47
  • Please don't get too hung up on "fully trust". I would say, for example, that notepad is secure enough for these purposes. I realise it is theoretically possible for notepad to have bugs and backdoors, but it would be secure enough. The thing is, they need just a bit more functionality than notepad. – paj28 Oct 10 '13 at 09:13
1

I +1'd Graham's good answer above, but it needs much more than I could add in the comments.

Use Microsoft Office 2013 (in the VM). Reserve this VM and copy of Office only for dealing with the sensitive files - do not reuse it for other purposes or documents. The intent with this is to prevent opening an infected file from someone that might be specifically designed to leak information about your secrets.

In the Word options, you'll need to strengthen the settings. Be sure it's set to save files in Word 2013 .docx format. Do not save files to be compatible with earlier versions of Word. Do not accept documents from earlier versions of Word. Do not accept documents with macros, and do not enable macros.

In options, open the Trust Center. In Trusted Documents, disable trusted documents. Disable Add-Ins. Disable ActiveX. Disable all macros. In File Block Settings, check the boxes for "Open" and "Save" for all versions of Word Binary documents, and Legacy converters. These choices help you avoid opening a file of the types that historically enabled viruses. The modern versions of Word store the documents in a compressed XML archive, and are less vulnerable to malware in the same way.

In the Privacy options, disable any options that involve sending files to Microsoft.

Exercise similar caution for the other installed Office tools, such as Excel, Outlook, and PowerPoint.

You need to consider the other people in the document exchange. Are you interested in tracking changes by users? Are you more concerned about protecting the privacy of each contributor? There are settings that enable or disable documents with "revision tracking". I find such tracking invaluable for shared document reviewing, but your work model may be different. There are options to disable tracking, and to strip "personal information" before saving.


Of course, there's another approach, and that might be to use the simplest possible text editor to perform your authoring tasks. A tool like Notepad works on text-only files, and is incapable of infecting (or being infected by) a simple text document. A text document "is what it is", and hides nothing, providing a very trustworthy artifact to handle. You could do your developmental rounds using text, and only formatting it for publication using Word at the end of the process.

Similarly, you might consider improving upon the text formatting by using HTML, but once you begin down that path you're placing the data in an increasingly complex container. An HTML editor such as FrontPage hides a lot of details inside the markup language; furthermore, HTML could easily include (or have injected) a malicious JavaScript that would subvert all your precautions.

John Deters
  • Thanks, useful advice. With all those lockdowns, would this attack be prevented? http://www.f-secure.com/weblog/archives/00002226.html – paj28 Oct 10 '13 at 09:27
  • Unfortunately, they need just a bit more functionality than plain text. And I have ruled out HTML entirely as all mainstream web browsers have a long history of security vulnerabilities. – paj28 Oct 10 '13 at 09:27
  • Browsers with disabled javascript aren't *that* bad compared to comparable software. – CodesInChaos Oct 10 '13 at 12:59
  • @paj28, if you'd followed them and carefully applied them to all the Office suite applications, yes, you'd have been safe from that exact attack. You would have to have gone into Excel's Trust Center and disabled all documents other than "Excel 2007 and later Workbooks and templates", including disabling Excel 2007 Binary workbooks, plus follow all the other recommendations above. That doesn't mean a different phish won't get you, but the more you refuse to read old files, the safer you are. – John Deters Oct 10 '13 at 19:37
  • @John Deters You can embed binary objects in Office 2007 files, so I don't think disabling legacy files alone blocks this attack - although perhaps your other suggestions do. All told, this is useful advice for reducing exposure, but I'm not convinced it will block all attacks. Office is just too large and complex; a trustworthy office suite would have to be simpler. – paj28 Oct 10 '13 at 20:42
  • @CodesInChaos, I understand paj28's reluctance. It's not just their secret documents the browser could open, but it's the broad variety of everything else it can do by default - read a certificate, display a font, render an image, etc. Frankly, those risks exist in every Office suite, too, but at some point they have to accept some risk. I think they need to address that with careful procedures. – John Deters Oct 11 '13 at 14:10
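
An added example, not part of the answer or comments above: a pre-open screen in Python for the restrictions discussed there (refuse legacy binary formats, macros, ActiveX and embedded binary objects), using only the standard library. The part-name markers and the sample packages are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML packages are zip archives
CT = "[Content_Types].xml"                      # mandatory part of an OOXML package

# Part-name markers for active or opaque content inside an OOXML package.
RISKY_PARTS = {
    "vbaproject.bin": "VBA macro project",
    "/embeddings/": "embedded OLE object or file",
    "/activex/": "ActiveX control",
}

def screen_document(data):
    """Return a list of reasons to reject the file; empty means no finding."""
    if data.startswith(OLE2_MAGIC):
        return ["legacy OLE2 binary format"]
    if not data.startswith(ZIP_MAGIC):
        return ["not an OOXML (zip) package"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            types = pkg.read(CT) if CT in names else b""
    except zipfile.BadZipFile:
        return ["corrupt zip container"]
    findings = []
    if not types:
        findings.append("missing [Content_Types].xml")
    if b"macroenabled" in types.lower():
        findings.append("macro-enabled content type declared")
    for name in names:
        lowered = "/" + name.lower()
        for marker, reason in RISKY_PARTS.items():
            if marker in lowered:
                findings.append(f"{reason}: {name}")
    return findings

def build_package(parts):  # builds the constructed sample packages below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

BASE = {CT: b"<Types/>", "word/document.xml": b"<w:document/>"}
CLEAN = build_package(BASE)
WITH_MACRO = build_package({**BASE, "word/vbaProject.bin": b"\x00"})
WITH_EMBED = build_package({**BASE, "word/embeddings/oleObject1.bin": b"\x00"})
LEGACY = OLE2_MAGIC + b"\x00" * 8
```

An empty result only means none of these parts were found; it says nothing about parser bugs reachable through the remaining XML, font or image parts, so it complements the VM separation rather than replacing it.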
1

Short answer

No, there isn't one simple and highly secure office suite!

Long answer

If you want to protect yourself against any form of propagation, then your question is pretty relevant. Even if no one can mathematically prove that any Microsoft Office compatible suite is better in terms of security than the actual n°1 (in market shares and in target size), any alternative will create a break within any chain of malware propagation.

For the exact same purpose I chose to use an operating system different from the n°1 target, which is Windows 7, and a software suite which is different from the n°1 target, which is Microsoft Office.

I chose to build such a fortress environment on top of a hardened MacOS X, with OpenOffice.

I can't say this is any better solution. But it is clearly breaking 2 chains of malware propagation: at the OS level and at one target software level. I think that the same kind of fortress environment can be built on top of other Unixes with a hardened configuration (close everything that you don't use, don't know or don't trust).

To consolidate this environment one step further, I also chose an anti-virus which isn't any better than any other but isn't the n°1 target. I chose ClamAV as an anti-virus.

And finally, I made a specific account to serve as a SAS to import any Office compatible or any other format of documents. This account isn't admin, and isn't used by any client user. This account will just run the anti-virus on any imported file and then deposit it in a shared directory where any other account will be able to read it directly.

This computer isn't connected to the local network, except during controlled update procedures, and moreover all its network interfaces are turned off.

dan
-2

No other office suite is as secure as Microsoft Office. The reason is what you have mentioned. It has been attacked a lot, hence it has been secured a lot by patches/updates. Never think that an unknown office suite that you are using is more secure than Microsoft Office as it has fewer CVEs around it. It's simply because the impact and monetary benefit around exploiting a lesser known office variant is less compared to Microsoft Office, so fewer people spend time with it. Once it is popular it will have as many bugs as Office. Microsoft Windows vs Mac OS is a perfect case study of this scenario.

oldnoob
  • → Cherokee: you are right, `Microsoft Office` is the n°1 in tests of security vulnerabilities. Tests coming from `Microsoft` itself and tests coming from criminals. But if they were also n°1 in security, they would have lost this position of leader many years ago. Why would attackers continue to test against a rock solid wall? Do you imagine cyber criminals that stupid (well I have to admit some of them are ☺)? They continue to test because of 2 factors: `size of target × number of holes`. `Microsoft Office` is a huge and easy prey. – dan Oct 10 '13 at 07:51
  • Hi Daniel, I agree with your assessment but I would also like to add the factor of "impact". The impact of a vuln in MS Office is exponentially more than, let's say, Libre Open Office. So most of the "good" researchers would be focusing on MS Office. Once the vulnerabilities start to dry out researchers will move to other products, but that does not seem to be happening anytime soon. – oldnoob Oct 10 '13 at 09:42