EditorsAbout the SiteComes vs. MicrosoftUsing This Web SiteSite ArchivesCredibility IndexOOXMLOpenDocumentPatentsNovellNews DigestSite NewsRSS

07.12.08

Taking Microsoft OOXML to Task

Posted in ISO, Microsoft, Open XML, OpenDocument, Security at 2:13 pm by Dr. Roy Schestowitz

Any Windows/Office debuggers in the audience?

The following is a reproduction of a new post from Rex Ballard (I started this discussion thread), whose previous post we quoted the other day.


Message-ID: <31a66169-d9e7-4715-9e9e-e3488ebd36a9@25g2000hsx.googlegroups.com>
From: Rex Ballard <rex.ballard@gmail.com>
Newsgroups: comp.os.linux.advocacy
Subject: Re: Leaked ISO Document Reveals Crooked ISO Amid MS OOXML Corruptions
Date: Sat, 12 Jul 2008 08:20:23 -0700 (PDT)

[...]

ODF is a comprehensive document that provides detailed specifications
from the high level document content down to the smallest elements of
scalable vector graphics. There are some “standard” mime object types
that are supported, such as PNG and JPEG, but other embedded formats
must be installed using plug-ins which have to be authenticated by the
user and by the system at installation time, and cannot be installed
by the content. Furthermore, the installed content can easily be
identified as trustworthy or not, and can be restricted in it’s
capabilities.

OpenXML on the other hand, is a high-level specification which
describes the high level envelopes used to embed binary objects which
are included in the content. The content itself contains the binary
code which can call any function in any Microsoft library and has all
permissions of the person opening the document. If a user account is
set up as “Administrator”, then the application can mess with the
registry, create, download, and hide files, can execute applications
in those files, can install any number of new viruses, and generally
wreak havoc on the system.

I’ll leave it to others to document the exact details (as I said, I’m
busy these days), but I’m sure anyone who tries to publish these
vulnerabilites will probably find themselves getting the same
treatment that Tracy Reed of Ultraviolet.org got when he tried to
publish his warnings about ActiveX controls back in 1997. Microsoft
got a court injunction against him, and forced him to take down the
content, claiming that it was being used to encourage hacking, and was
damaging the Microsoft brand.

“I got a couple of docx documents and had trouble getting them to open, even with the plug-in for Office XP. Next thing I know, I get a notice from my registry auditor that I have 1300 new registry errors.”Over the last 10 years,
we’ve seen these very same
techniques, documented back in 1997,
used widely to spread viruses including
Melissa, Nimda, Sky, BugBear, and about
250,000 other viruses, worms,
and malware, not including spy-ware and
other “Microsoft Authorized”
invasions of our privacy.

I got a couple of docx documents and had trouble getting them to open,
even with the plug-in for Office XP. Next thing I know, I get a
notice from my registry auditor that I have 1300 new registry errors.
And suddenly, my PC is churning the disk-drive and the network
connection at 3:00 AM (I’m getting old and have to get up), and the
network shows that I’m uploading something at full speed, even though
my computer is supposedly sleeping.

It isn’t a back-up program that I’m running.

I would encourage COLA readers and OSS advocates to explore this in
more detail.

get someone with Office 2007 to send you a docx file.
unzip it using pkzip or winzip or unzip.

look at the binary files.

replace one binary object with another.

zip up the document,

see if your office-2007 user can read the “enhanced” document.

For those of you with OLE programming skills, create an OLE object
that creates a file, and e-mails that file to you using smtp.

Send a document with this new ole object embedded (along with the
others) and see if you get an e-mail.

I haven’t tried this, and I don’t know if it will work. I’m not sure
how hard it would be to make it work. I just think it might be an
interesting project worth investigating, especially if you are
considering the migration of a few thousand users to Vista and Office
2007.

I’d love to see what the results turn out to be. After all, if it’s
that easy to take control of a recipient’s machine just by sending
them a “trusted” Word, Excel, or PowerPoint attachment, just think how
much chaos a really aggressive malicious hacker, with a goal of
obtaining marketable information about your business, could do.


Does ISO really want to approve such a ‘virus’? As an international standard even? If someone tests the above, please post the outcome here or elsewhere. It would prove invaluable.

The last time a chain of ISO problems was cited, Ian Easson challenged an argument from Groklaw. He might wish read the following lengthy follow-up. ISO is in a deeper puddle of mud than before.

Brazil is a P member of SC 34, so according to my reading of the clause, it has the right to appeal if any of the three above issues apply, and arguably they all do. According to South Africa, if the issue is ISO’s reputation, or if there is a matter of principle involved, Brazil can appeal. Even point three could apply, in that Brazil raises matters such as incorrect tabulation of votes, which, if true, one would hope ISO wasn’t aware of.

[...]

Why did they bother to go, one might ask? Why vote, if votes disappear from the record? By my reading, Brazil paints a picture of an orchestrated event, tilted away from criticism or a negative result and a refusal to give substantive consideration to issues delegates wanted to discuss, due to time constraints Brazil calls arbitrary, and worse.

For details about the BRM in question, see [1, 2, 3, 4, 5, 6, 7, 8] and have your jaw sink to the floor. It was a bad plan from the get-go [1, 2, 3, 4, 5], but Emperor Microsoft was in a hurry and it even used its lobbyist Jan Van Den Beld to change the rules ‘on the fly’.

OOXML protests in India
From the Campaign for Document Freedom

Share this post: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Reddit
  • co.mments
  • DZone
  • email
  • Google Bookmarks
  • LinkedIn
  • NewsVine
  • Print
  • Technorati
  • TwitThis
  • Facebook

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Links 18/9/2019: Fedora Linux 31 Beta, PCLinuxOS 2019.09 Update

    Links for the day



  2. Links 17/9/2019: CentOS 7.7 and Funtoo Linux 1.4 Released

    Links for the day



  3. EPO is Not European

    Internationalists and patent trolls are those who stand to benefit from the 'globalisation' of low-quality and law-breaking patents such as patents on algorithms, nature and life itself; the EPO isn't equipped to serve its original goals anymore



  4. The EPO's Central Staff Committee and SUEPO (Staff Union) Respond to “Fascist Bills” Supported by EPO President António Campinos

    Raw material pertaining to the latest Campinos "scandal"; what Campinos said, what the Central Staff Committee (CSC) said, and what SUEPO said



  5. Storm Brewing in the European Patent Office After a Hot Summer

    Things aren't rosy in EPOnia (to say the least); in fact, things have been getting a lot worse lately, but the public wouldn't know judging by what media tells the public (almost nothing)



  6. Why I Once Called for Richard Stallman to Step Down

    Guest post from the developer who recently authored "Getting Stallman Wrong Means Getting The 21st Century Wrong"



  7. As Richard Stallman Resigns Let's Consider Why GNU/Linux Without Stallman and Torvalds Would be a Victory to Microsoft

    Stallman has been ejected after a lot of intentionally misleading press coverage; this is a dark day for Software Freedom



  8. Links 16/9/2019: GNU Linux-libre 5.3, GNU World Order 13×38, Vista 10 Breaks Itself Again

    Links for the day



  9. Links 16/9/2019: Qt Quick on Vulkan, Metal, and Direct3D; BlackWeb 1.2 Reviewed

    Links for the day



  10. Richard Stallman's Controversial Views Are Nothing New and They Distract From Bill Gates' Vastly Worse Role

    It's easier to attack Richard Stallman (RMS) using politics (than using his views on software) and media focus on Stallman's personal views on sexuality bears some resemblance to the push against Linus Torvalds, which leans largely on the false perception that he is sexist, rude and intolerant



  11. Links 16/9/2019: Linux 5.3, EasyOS Releases, Media Backlash Against RMS

    Links for the day



  12. Openwashing Report on Open Networking Foundation (ONF): When Open Source Means Collaboration Among Giant Spying Companies

    Massive telecommunications oligopolies (telecoms) are being described as ethical and responsible by means of openwashing; they even have their own front groups for that obscene mischaracterisation and ONF is one of those



  13. 'Open Source' You Cannot Run Without Renting or 'Licensing' Windows From Microsoft

    When so-called ‘open source’ programs strictly require Vista 10 (or similar) to run, how open are they really and does that not redefine the nature of Open Source while betraying everything Free/libre software stands for?



  14. All About Control: Microsoft is Not Open Source But an Open Source Censor/Spy and GitHub/LinkedIn/Skype Are Its Proprietary Censorship/Surveillance Tools

    All the big companies which Microsoft bought in recent years are proprietary software and all of the company’s big products remain proprietary software; all that “Open Source” is to Microsoft is “something to control and censor“



  15. The Sad State of GNU/Linux News Sites

    The ‘media coup’ of corporate giants (that claim to be 'friends') means that history of GNU/Linux is being distorted and lied about; it also explains prevalent lies such as "Microsoft loves Linux" and denial of GNU/Free software



  16. EPO President Along With Bristows, Managing IP and Other Team UPC Boosters Are Lobbying for Software Patents in Clear and Direct Violation of the EPC

    A calm interpretation of the latest wave of lobbying from litigation professionals, i.e. people who profit when there are lots of patent disputes and even expensive lawsuits which may be totally frivolous (for example, based upon fake patents that aren't EPC-compliant)



  17. Links 15/9/2019: Radeon ROCm 2.7.2, KDE Frameworks 5.62.0, PineTime and Bison 3.4.2

    Links for the day



  18. Illegal/Invalid Patents (IPs) Have Become the 'Norm' in Europe

    Normalisation of invalid patents (granted by the EPO in defiance of the EPC) is a serious problem, but patent law firms continue to exploit that while this whole 'patent bubble' lasts (apparently the number of applications will continue to decrease because the perceived value of European Patents diminishes)



  19. Patent Maximalists, Orbiting the European Patent Office, Work to 'Globalise' a System of Monopolies on Everything

    Monopolies on just about everything are being granted in defiance of the EPC and there are those looking to make this violation ‘unitary’, even worldwide if not just EU-wide



  20. Unitary Patent (UPC) Promotion by Team Battistelli 'Metastasising' in Private Law Firms

    The EPO's Albert Keyack (Team Battistelli) is now in Team UPC as Vice President of Kilburn & Strode LLP; he already fills the media with lies about the UPC, as one can expect



  21. Microsoft Targets GNU/Linux Advocates With Phony Charm Offensives and Fake 'Love'

    The ways Microsoft depresses GNU/Linux advocacy and discourages enthusiasm for Software Freedom is not hard to see; it's worth considering and understanding some of these tactics (mostly assimilation-centric and love-themed), which can otherwise go unnoticed



  22. Proprietary Software Giants Tell Open Source 'Communities' That Proprietary Software Giants Are 'Friends'

    The openwashing services of the so-called 'Linux' Foundation are working; companies that are inherently against Open Source are being called "Open" and some people are willing to swallow this bait (so-called 'compromise' which is actually surrender to proprietary software regimes)



  23. Microsoft Pays the Linux Foundation for Academy Software Foundation, Which the Linux Foundation is Outsourcing to Microsoft

    Microsoft has just bought some more seats and more control over Free/Open Source software; all it had to do was shell out some 'slush funds'



  24. Links 14/9/2019: SUSE CaaS Platform, Huawei Laptops With GNU/Linux

    Links for the day



  25. Links 13/9/2019: Catfish 1.4.10, GNOME Firmware 3.34.0 Release

    Links for the day



  26. Links 12/9/2019: GNU/Linux at Huawei, GNOME 3.34 Released

    Links for the day



  27. Links 12/9/2019: Manjaro 18.1 and KaOS 2019.09 Releases

    Links for the day



  28. EPO: Give Us Low-Quality Patent Applications, Patent Trolls Have Use for Those

    What good is the EPC when the EPO feels free to ignore it and nobody holds the EPO accountable for it? At the moment we're living in a post-EPC Europe where the only thing that counts is co-called 'products' (i.e. quantity, not quality).



  29. Coverage for Sponsors: What the Linux Foundation Does is Indistinguishable From Marketing Agencies' Functions

    The marketing agency that controls the name "Linux" is hardly showing any interest in technology or in journalism; it's just buying media coverage for sponsors and this is what it boils down to for the most part (at great expense)



  30. Watch Out, Linus Torvalds: Microsoft Bought Tons of Git Repositories and Now It Goes After Linux

    Microsoft reminds us how E.E.E. tactics work; Microsoft is just hijacking its competition and misleading the market (claiming the competition to be its own, having "extended" it Microsoft's way with proprietary code)


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts