02.25.09


Confirmed: Microsoft OOXML a Security Hazard

Posted in Formats, Google, Microsoft, Open XML, OpenOffice, Security at 1:58 pm by Dr. Roy Schestowitz


SEVERAL MONTHS ago we warned that OOXML is not secure. Its dependence on a particular platform and office suite rendered it insecure by design just like those ‘origin’ formats, namely binaries, which it merely shuffled around (reassembled).

It is now official and also confirmed that OOXML files are not just insecure but there are also persistent attacks against new flaws (without any security patches being available, i.e. zero-day). To quote one of the more recent reports:

Some Open XML based products as Microsoft Excel are affected by a security flaw and the Trojan.Mdropper.AC.

There is fairly wide coverage of this problem, e.g. in:

Microsoft’s Excel spreadsheet program has a 0-day vulnerability that attackers are exploiting on the Internet, according to security vendor Symantec.

A 0-day vulnerability is one that does not have a patch and is actively being used to attack computers when it is publicly revealed.

Heise Online calls this vulnerability “critical” (the highest level of severity by another one of Microsoft’s ‘standards’).

According to unconfirmed reports, the anti-virus manufacturer Symantec has found a trojan that seems to use a security hole in Microsoft Excel to remotely execute code on a user’s system. The attack is triggered by opening a maliciously crafted Excel file, causing an unspecified remote code-execution vulnerability.

One reader points out that “Microsoft is continuing its war against a universal office format.

“Notice in particular: ‘will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System’

“What kind of hell is this causing in agencies, big businesses and schools? It’s not like they don’t have or could live without the terabytes of electronic records now locked out by the kludge outlined above.”

Such problems could first be seen a year ago when Microsoft’s OOXML crimes were still prevalent. To make matters worse, Microsoft will continue to drift further away from ECMA OOXML, probably to gravitate in its own proprietary direction. Office 14, for example, is not committed to any real standards and according to yesterday’s report from Mary Jo Foley, it’s already delayed anyway.

Ballmer: Office 14 not this year

[...]

However, last year, more than a few times execs slipped up and indicated Office 14 would ship in 2009.

Things are not working well for Redmond these days. For real profit, Microsoft is highly dependent on Office, which is its most profitable product (and one of the few that are actually profitable). Unless Microsoft can reinforce planned obsolescence and convince people to buy an upgrade they do not need, there’s great trouble ahead. The economic meltdown does not help.

OpenOffice.org makes a remarkably familiar substitute and Google Apps, among other SaaS alternatives, gain momentum despite the slew of disinformation from former Microsoft employees (masquerading as research firms).
