EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

07.12.08

Taking Microsoft OOXML to Task

Posted in ISO, Microsoft, Open XML, OpenDocument, Security at 2:13 pm by Dr. Roy Schestowitz

Any Windows/Office debuggers in the audience?

The following is a reproduction of a new post from Rex Ballard (I started this discussion thread), whose previous post we quoted the other day.


Message-ID: <31a66169-d9e7-4715-9e9e-e3488ebd36a9@25g2000hsx.googlegroups.com>
From: Rex Ballard <rex.ballard@gmail.com>
Newsgroups: comp.os.linux.advocacy
Subject: Re: Leaked ISO Document Reveals Crooked ISO Amid MS OOXML Corruptions
Date: Sat, 12 Jul 2008 08:20:23 -0700 (PDT)

[...]

ODF is a comprehensive document that provides detailed specifications
from the high level document content down to the smallest elements of
scalable vector graphics. There are some “standard” mime object types
that are supported, such as PNG and JPEG, but other embedded formats
must be installed using plug-ins which have to be authenticated by the
user and by the system at installation time, and cannot be installed
by the content. Furthermore, the installed content can easily be
identified as trustworthy or not, and can be restricted in it’s
capabilities.

OpenXML on the other hand, is a high-level specification which
describes the high level envelopes used to embed binary objects which
are included in the content. The content itself contains the binary
code which can call any function in any Microsoft library and has all
permissions of the person opening the document. If a user account is
set up as “Administrator”, then the application can mess with the
registry, create, download, and hide files, can execute applications
in those files, can install any number of new viruses, and generally
wreak havoc on the system.

I’ll leave it to others to document the exact details (as I said, I’m
busy these days), but I’m sure anyone who tries to publish these
vulnerabilites will probably find themselves getting the same
treatment that Tracy Reed of Ultraviolet.org got when he tried to
publish his warnings about ActiveX controls back in 1997. Microsoft
got a court injunction against him, and forced him to take down the
content, claiming that it was being used to encourage hacking, and was
damaging the Microsoft brand.

“I got a couple of docx documents and had trouble getting them to open, even with the plug-in for Office XP. Next thing I know, I get a notice from my registry auditor that I have 1300 new registry errors.”Over the last 10 years,
we’ve seen these very same
techniques, documented back in 1997,
used widely to spread viruses including
Melissa, Nimda, Sky, BugBear, and about
250,000 other viruses, worms,
and malware, not including spy-ware and
other “Microsoft Authorized”
invasions of our privacy.

I got a couple of docx documents and had trouble getting them to open,
even with the plug-in for Office XP. Next thing I know, I get a
notice from my registry auditor that I have 1300 new registry errors.
And suddenly, my PC is churning the disk-drive and the network
connection at 3:00 AM (I’m getting old and have to get up), and the
network shows that I’m uploading something at full speed, even though
my computer is supposedly sleeping.

It isn’t a back-up program that I’m running.

I would encourage COLA readers and OSS advocates to explore this in
more detail.

get someone with Office 2007 to send you a docx file.
unzip it using pkzip or winzip or unzip.

look at the binary files.

replace one binary object with another.

zip up the document,

see if your office-2007 user can read the “enhanced” document.

For those of you with OLE programming skills, create an OLE object
that creates a file, and e-mails that file to you using smtp.

Send a document with this new ole object embedded (along with the
others) and see if you get an e-mail.

I haven’t tried this, and I don’t know if it will work. I’m not sure
how hard it would be to make it work. I just think it might be an
interesting project worth investigating, especially if you are
considering the migration of a few thousand users to Vista and Office
2007.

I’d love to see what the results turn out to be. After all, if it’s
that easy to take control of a recipient’s machine just by sending
them a “trusted” Word, Excel, or PowerPoint attachment, just think how
much chaos a really aggressive malicious hacker, with a goal of
obtaining marketable information about your business, could do.


Does ISO really want to approve such a ‘virus’? As an international standard even? If someone tests the above, please post the outcome here or elsewhere. It would prove invaluable.

The last time a chain of ISO problems was cited, Ian Easson challenged an argument from Groklaw. He might wish read the following lengthy follow-up. ISO is in a deeper puddle of mud than before.

Brazil is a P member of SC 34, so according to my reading of the clause, it has the right to appeal if any of the three above issues apply, and arguably they all do. According to South Africa, if the issue is ISO’s reputation, or if there is a matter of principle involved, Brazil can appeal. Even point three could apply, in that Brazil raises matters such as incorrect tabulation of votes, which, if true, one would hope ISO wasn’t aware of.

[...]

Why did they bother to go, one might ask? Why vote, if votes disappear from the record? By my reading, Brazil paints a picture of an orchestrated event, tilted away from criticism or a negative result and a refusal to give substantive consideration to issues delegates wanted to discuss, due to time constraints Brazil calls arbitrary, and worse.

For details about the BRM in question, see [1, 2, 3, 4, 5, 6, 7, 8] and have your jaw sink to the floor. It was a bad plan from the get-go [1, 2, 3, 4, 5], but Emperor Microsoft was in a hurry and it even used its lobbyist Jan Van Den Beld to change the rules ‘on the fly’.

OOXML protests in India
From the Campaign for Document Freedom

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email
  • Slashdot

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Faking 'Progress' to Distract From True Justice or From a Full, Meaningful Reform

    Activism for truly meaningful change doesn't stop at superficialities and cosmetic changes (which merely give a false sense/impression of accomplishment, resulting in inaction); we need to regularly consider how to dismantle injustice, not based on the criteria set by oligarchs-owned media, rallying gullible mobs to appease only big egos



  2. IRC Proceedings: Thursday, September 24, 2020

    IRC logs for Thursday, September 24, 2020



  3. Richard Stallman: New Interview About Privacy (Published This Morning)

    “The last few months have put data protection back in the spotlight. During a crisis of this kind, do we have to choose between safety and privacy? We talked about this with Richard Stallman, digital privacy activist and the founder of the Free Software Movement,” RT says



  4. Links 25/9/2020: PostgreSQL 13, DragonFly 5.8.2 and Python 3.8.6

    Links for the day



  5. Code of Ethics Versus Code of Conduct in Action

    Reprinted from Daniel Pocock's Web site



  6. Linux Foundation: “Transformation Through Open Source” is Proprietary Software That Rejects Linux

    The Linux Foundation, run by proprietary software companies that don’t really care about Linux, is still a lot more about openwashing (perception management techniques) than about “Open Source” or even Linux (which most of the Foundation rejects)



  7. Links 24/9/2020: KaOS 2020.09, Arch Conf 2020 Coming, IBM Z Day 2020 Ends

    Links for the day



  8. At ZDNet, in 2020, “Linux” Means Microsoft and Windows

    The incredible charade of ZDNet carries on; the site whose parent company went bust last December isn’t even trying to hide its true agenda



  9. Red Hat is Spamming People in Order to Promote Its Sites and Its Products, Subscribing People to Mass-Marketing Lists Without the Recipients' Consent

    "Engagements" from Red Hat; have the IBM-led marketing people gone overboard, subscribing lots of people to marketing spam without bothering to ask for consent?



  10. “If I'm the Father of Open Source, It Was Done by Artificial Insemination With Stolen Sperm”

    The father of the Free software movement, Richard Stallman, is being wrongly compared to some patron of an “open source” ‘movement’ (an early effort to cancel Stallman and the FSF), which is basically a hostile corporations-led ploy these days



  11. IRC Proceedings: Wednesday, September 23, 2020

    IRC logs for Wednesday, September 23, 2020



  12. The Second Wave (of Free/Libre Software)

    Despite some major setbacks and new threats to digital freedom (autonomy is perhaps a more suitable term), progress is being made and activism must adapt to tackle newer trends



  13. Exploring the Relationship Between Red Hat and Microsoft: They're Barely Even Rivals Anymore

    The ‘older Microsoft’ (serial monopolist IBM) bought Red Hat, but evidence shows that one would be wrong to assume Red Hat really competes against Microsoft (any more than Novell did; there’s a strong relationship)



  14. Microsoft Lost More Than 15 Million Web Domains in One Month!

    Microsoft's presence on the Web is being reduced to ridiculously low levels; sooner or later Microsoft will turn from 'king' of parked (unused) domains to master of nothing



  15. Links 23/9/2020: Lenovo's Deeper GNU/Linux Dive and Tor Browser 10/Tails 4.10

    Links for the day



  16. IRC Proceedings: Tuesday, September 22, 2020

    IRC logs for Tuesday, September 22, 2020



  17. The Latest Greenwashing Campaign by the EPO is Just 'Chinese Propaganda'

    When the EPO speaks of “innovation” and “clean energy transition” it means nothing but patents on batteries, in effect monopolies being granted in Europe (to a lot of Asian — not European — companies)



  18. Links 23/9/2020: Librem 14 Shipping in December, Linux Journal Returns, Istio 1.6.10 Released, Release Candidate 3 of LLVM 11.0

    Links for the day



  19. Welcome Back, Linux Journal!

    Linux Journal is coming back under the ownership/umbrella of Slashdot folks, who are sadly preoccupied and obsessed with Microsoft talking points and PR campaigns



  20. What the Efforts to Remove Dr. Stallman Reveal About the Agenda of Large Corporations (Looking to Absorb the Competition, Remove Freedom, Spread Proprietary Software in 'Open' Clothing)

    Richard Stallman's (RMS) positions and foresight are usually correct; at the moment we're losing access to key people whose leadership positions are essential for the independence of cornerstone projects



  21. Links 22/9/2020: Tails 4.11, Linux Lite 5.2 RC1

    Links for the day



  22. Minimalism for Maximisation of Productivity and Clutter Mitigation

    Unfortunately, GNU/Linux (especially the latter, Linux) embraces bloat and anti-features in pursuit of sales (appeasing large corporations, not users’ needs), reducing the modularity, reliability and productivity of computer systems in the name of helping “dumb” users (they keep telling us people are very dumb and those who disagree are “elitist” and “extremist” or even “neckbeards” — in effect insulting every person out there)



  23. IRC Proceedings: Monday, September 21, 2020

    IRC logs for Monday, September 21, 2020



  24. Post-Coronavirus Linux.com Became Nothing But a SPAM Site

    As per the Linux Foundation‘s very own brochure, scripted and fake ‘interviews’ are to be produced and then edited/negotiated (before publication) with the sponsor… in Linux.com as the platform. This is corruption (or marketing, one might call them de facto ads presented as fake ‘articles’).



  25. Erosion of Free Speech and Tolerance of Opposing Viewpoints in Free Software Communities

    The concept of free speech is being reinvented by oversensitive people who nowadays expand the list of exclusions/exemptions (from scope of 'permissible' speech) to politics and criticism of large and highly abusive corporations



  26. Links 21/9/2020: PlasmaShell With Vulkan, Plasma Beta Review Day, OpenMediaVault 5.5.11

    Links for the day



  27. Guest Post: The Worrying State of Political Judgement in Free Software Communities

    A look at what Mozilla has become and what that teaches us about the Web and about software



  28. Links 21/9/2020: KTechLab 0.50.0, Linux 5.9 RC6

    Links for the day



  29. IRC Proceedings: Sunday, September 20, 2020

    IRC logs for Sunday, September 20, 2020



  30. Git is Free Software, GitHub is Proprietary Trap

    More and more people all around the world understand that putting their fruit of labour in Microsoft's proprietary (but 'free') prison is misguided; the only vault they have is for human beings, not code


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts