What's all the fuss about Microsoft "Symbols"?
"Releasing symbols is a step towards making Office easier for researchers to audit."
Microsoft will start releasing debugging symbols for its Office software as of today, a move which security professionals have welcomed, and a reverse of the company’s previous policy.
Debugging symbols contain information about a software binary’s operations, such as locations of variables or functions within the binary. By using symbols, a researcher can understand how a program works much more easily – but until now, these have never been available for Microsoft Office.
“Microsoft releasing symbols for Office means that security researchers can spend their time focused on hunting for vulnerabilities rather than trying to figure out what functions are even supposed to be doing,” said Maddie Stone, security researcher at Google Project Zero, in an email to The Stack.
In a blog post, Microsoft said symbols for Office would be available from the Microsoft Symbol Server from today, covering the Current Channel/July Fork Build 16.0.15601.20037/ Version 2208, and the Beta Channel/DevMain Build 16.0.15606.20000/ Version 2209 versions of Office.
What are Microsoft Office Symbols?
“Symbols provide additional information to better enable security researchers to find and report security issues in our Office products to help protect customers,” said Sparsh Saxena and Shane Guthrie, product managers for Office at Microsoft, in the blog post.
“Symbols allow researchers to create more detailed and actionable reports, including stack traces from tools like Process Monitor, WinDbg, or Visual Studio, which help our engineers fix issues faster,” they added, also noting symbols can be used to improve Office’s performance.
Stone explained the significance of Microsoft’s move: “Microsoft Office is a closed source product, which means that source code is not available publicly. Therefore to analyze the code and try to find vulnerabilities security researchers have to reverse engineer the compiled product from machine code, or assembly.”
She said most products are stripped of symbols, leaving researchers to examine every function within a binary, without any information on its purpose, and work out what it is for. Only after this process is complete can they start any substantive work.
“This means that there is a substantial upfront investment of time and energy required before you can even begin doing security reviews and analysis. Microsoft already has all these symbols so releasing them is a step towards making Microsoft Office easier for security researchers to audit, giving them more time for analysis that will have a greater security impact,” said Stone.
See also: Microsoft zero day “Follina” demystified: What you need to know
Reaction from the infosec community was generally extremely positive, with some researchers expressing disbelief at Microsoft’s move:
https://twitter.com/HaifeiLi/status/1556657193545478144 https://twitter.com/maddiestone/status/1556673877505257472
Others predicted the release of Office symbols would spur researchers to hunt down old vulnerabilities, or would result in other surprises.
https://twitter.com/a_profligate/status/1556703703880572934 https://twitter.com/withzombies/status/1556665055068000258
We will be interested to see what emerges from the resulting research over the coming weeks and months.