Office’s Protected View does more under the hood than you think.
One step is stopping macros, which are basically code that executes within Word to, say, make custom tables or layouts. This code can also sometimes contain commands that go outside of the program scope and into the system (it can delete files, change system settings, etc.) which can have some legitimate uses (say, taking hundreds of Word documents and merging them into one, then deleting the originals afterwards) but are often used for doing Bad Things to your computer.
It also opens the file in a low-integrity process, basically Word telling Windows “let’s open this weird file but it may hack me and make me do crazy dangerous stuff, so don’t trust anything I say from now on”; for context, processes can only see and change data from other programs in the same integrity level or below, so a low-integrity process can only access other low-integrity programs (basically none, most programs run in normal or high-integrity mode, with low-integrity being used exclusively for preventing potentially bad programs from interacting with the rest of the system).
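
To check the low-integrity behaviour described above on a live system, this added PowerShell example (not part of the original answer) reads the integrity label from the token of each running Word process. It assumes the process name WINWORD and that the calling user is allowed to query those processes; `Demo.Native` and `Get-IntegrityLevel` are names chosen for this example.

```powershell
# Added example: report the mandatory integrity level of each running Word process.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int returned);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
[DllImport("advapi32.dll")]
public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
'@

function Get-IntegrityLevel([int]$ProcessId) {
    # 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION, 0x8 = TOKEN_QUERY, 25 = TokenIntegrityLevel
    $marshal = [Runtime.InteropServices.Marshal]
    $token = [IntPtr]::Zero; $buffer = [IntPtr]::Zero; $length = 0
    $process = [Demo.Native]::OpenProcess(0x1000, $false, $ProcessId)
    if ($process -eq [IntPtr]::Zero) { return 'AccessDenied' }
    try {
        if (-not [Demo.Native]::OpenProcessToken($process, 0x8, [ref]$token)) { return 'AccessDenied' }
        # The first call only asks how large the TOKEN_MANDATORY_LABEL buffer must be.
        [void][Demo.Native]::GetTokenInformation($token, 25, [IntPtr]::Zero, 0, [ref]$length)
        $buffer = $marshal::AllocHGlobal($length)
        if (-not [Demo.Native]::GetTokenInformation($token, 25, $buffer, $length, [ref]$length)) { return 'Unknown' }
        # The structure begins with a pointer to the label SID; its last sub-authority is the level.
        $sid = $marshal::ReadIntPtr($buffer)
        $count = $marshal::ReadByte([Demo.Native]::GetSidSubAuthorityCount($sid))
        $rid = $marshal::ReadInt32([Demo.Native]::GetSidSubAuthority($sid, [uint32]($count - 1)))
        # Levels are spaced 0x1000 apart: 0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System.
        $names = @('Untrusted', 'Low', 'Medium', 'High', 'System')
        return $names[[Math]::Min([int][Math]::Floor($rid / 0x1000), 4)]
    } finally {
        if ($buffer -ne [IntPtr]::Zero) { $marshal::FreeHGlobal($buffer) }
        if ($token -ne [IntPtr]::Zero) { [void][Demo.Native]::CloseHandle($token) }
        [void][Demo.Native]::CloseHandle($process)
    }
}

# A document opened in Protected View should appear as a WINWORD process reporting 'Low'.
Get-Process -Name WINWORD -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, @{ Name = 'Integrity'; Expression = { Get-IntegrityLevel $_.Id } }
```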