07.12.08


Taking Microsoft OOXML to Task

Posted in ISO, Microsoft, Open XML, OpenDocument, Security at 2:13 pm by Dr. Roy Schestowitz

Any Windows/Office debuggers in the audience?

The following is a reproduction of a new post from Rex Ballard (I started this discussion thread), whose previous post we quoted the other day.


Message-ID: <31a66169-d9e7-4715-9e9e-e3488ebd36a9@25g2000hsx.googlegroups.com>
From: Rex Ballard <rex.ballard@gmail.com>
Newsgroups: comp.os.linux.advocacy
Subject: Re: Leaked ISO Document Reveals Crooked ISO Amid MS OOXML Corruptions
Date: Sat, 12 Jul 2008 08:20:23 -0700 (PDT)

[...]

ODF is a comprehensive document that provides detailed specifications
from the high level document content down to the smallest elements of
scalable vector graphics. There are some “standard” mime object types
that are supported, such as PNG and JPEG, but other embedded formats
must be installed using plug-ins which have to be authenticated by the
user and by the system at installation time, and cannot be installed
by the content. Furthermore, the installed content can easily be
identified as trustworthy or not, and can be restricted in its
capabilities.

OpenXML on the other hand, is a high-level specification which
describes the high level envelopes used to embed binary objects which
are included in the content. The content itself contains the binary
code which can call any function in any Microsoft library and has all
permissions of the person opening the document. If a user account is
set up as “Administrator”, then the application can mess with the
registry, create, download, and hide files, can execute applications
in those files, can install any number of new viruses, and generally
wreak havoc on the system.

I’ll leave it to others to document the exact details (as I said, I’m
busy these days), but I’m sure anyone who tries to publish these
vulnerabilities will probably find themselves getting the same
treatment that Tracy Reed of Ultraviolet.org got when he tried to
publish his warnings about ActiveX controls back in 1997. Microsoft
got a court injunction against him, and forced him to take down the
content, claiming that it was being used to encourage hacking, and was
damaging the Microsoft brand.

Over the last 10 years, we’ve seen these very same techniques,
documented back in 1997, used widely to spread viruses including
Melissa, Nimda, Sky, BugBear, and about 250,000 other viruses, worms,
and malware, not including spy-ware and other “Microsoft Authorized”
invasions of our privacy.

I got a couple of docx documents and had trouble getting them to open,
even with the plug-in for Office XP. Next thing I know, I get a
notice from my registry auditor that I have 1300 new registry errors.
And suddenly, my PC is churning the disk-drive and the network
connection at 3:00 AM (I’m getting old and have to get up), and the
network shows that I’m uploading something at full speed, even though
my computer is supposedly sleeping.

It isn’t a back-up program that I’m running.

I would encourage COLA readers and OSS advocates to explore this in
more detail.

Get someone with Office 2007 to send you a docx file.
Unzip it using pkzip or winzip or unzip.
Look at the binary files.
Replace one binary object with another.
Zip up the document.
See if your office-2007 user can read the “enhanced” document.

For those of you with OLE programming skills, create an OLE object
that creates a file, and e-mails that file to you using smtp.

Send a document with this new OLE object embedded (along with the
others) and see if you get an e-mail.

I haven’t tried this, and I don’t know if it will work. I’m not sure
how hard it would be to make it work. I just think it might be an
interesting project worth investigating, especially if you are
considering the migration of a few thousand users to Vista and Office
2007.

I’d love to see what the results turn out to be. After all, if it’s
that easy to take control of a recipient’s machine just by sending
them a “trusted” Word, Excel, or PowerPoint attachment, just think how
much chaos a really aggressive malicious hacker, with a goal of
obtaining marketable information about your business, could do.


Does ISO really want to approve such a ‘virus’? As an international standard even? If someone tests the above, please post the outcome here or elsewhere. It would prove invaluable.
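The post reproduced above describes OOXML as a zip envelope whose parts can be opaque binary objects (OLE, ActiveX, VBA) rather than document markup. As an added example, not from Rex Ballard's post or from Techrights, here is a defensive triage script in Python that reads a .docx's [Content_Types].xml, resolves each part's declared type, and lists the parts a recipient would want to know about before opening the attachment; the risky-type table is an illustrative assumption, and the sample document is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

# OOXML content types for executable/opaque payloads (illustrative, not exhaustive).
RISKY_CONTENT_TYPES = {
    "application/vnd.openxmlformats-officedocument.oleObject": "OLE object",
    "application/vnd.ms-office.activeX": "ActiveX control",
    "application/vnd.ms-office.vbaProject": "VBA macro project",
}

def scan_ooxml(data: bytes) -> list:
    """Return (part name, reason) for risky-typed parts and parts with no declared type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        defaults, overrides = {}, {}
        if "[Content_Types].xml" in zf.namelist():
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for d in root.iter(CT_NS + "Default"):      # type by file extension
                defaults[d.get("Extension", "").lower()] = d.get("ContentType", "")
            for o in root.iter(CT_NS + "Override"):     # type by exact part name
                overrides[o.get("PartName", "")] = o.get("ContentType", "")
        for name in zf.namelist():
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            ctype = overrides.get("/" + name) or defaults.get(ext, "")
            if ctype in RISKY_CONTENT_TYPES:
                findings.append((name, RISKY_CONTENT_TYPES[ctype]))
            elif ctype == "":
                findings.append((name, "part with no declared content type"))
    return findings

# Constructed sample: minimal .docx with an OLE embedding typed via the Default
# mapping for ".bin", plus a stray file that no content-type rule covers.
SAMPLE_CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", SAMPLE_CONTENT_TYPES)
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0 constructed")
        zf.writestr("word/media/stray.dat", b"constructed")
    return buf.getvalue()
```

Run against a real attachment with `scan_ooxml(open("file.docx", "rb").read())`; any OLE, ActiveX or VBA part, or an undeclared part, is worth inspecting in a sandbox before the document is opened in Office.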

The last time a chain of ISO problems was cited, Ian Easson challenged an argument from Groklaw. He might wish to read the following lengthy follow-up. ISO is in a deeper puddle of mud than before.

Brazil is a P member of SC 34, so according to my reading of the clause, it has the right to appeal if any of the three above issues apply, and arguably they all do. According to South Africa, if the issue is ISO’s reputation, or if there is a matter of principle involved, Brazil can appeal. Even point three could apply, in that Brazil raises matters such as incorrect tabulation of votes, which, if true, one would hope ISO wasn’t aware of.

[...]

Why did they bother to go, one might ask? Why vote, if votes disappear from the record? By my reading, Brazil paints a picture of an orchestrated event, tilted away from criticism or a negative result and a refusal to give substantive consideration to issues delegates wanted to discuss, due to time constraints Brazil calls arbitrary, and worse.

For details about the BRM in question, see [1, 2, 3, 4, 5, 6, 7, 8] and have your jaw drop to the floor. It was a bad plan from the get-go [1, 2, 3, 4, 5], but Emperor Microsoft was in a hurry and it even used its lobbyist Jan Van Den Beld to change the rules ‘on the fly’.

OOXML protests in India
From the Campaign for Document Freedom
