Bonum Certa Men Certa

Taking Microsoft OOXML to Task

Any Windows/Office debuggers in the audience?

The following is a reproduction of a new post from Rex Ballard (I started this discussion thread), whose previous post we quoted the other day.




Message-ID: <31a66169-d9e7-4715-9e9e-e3488ebd36a9@25g2000hsx.googlegroups.com> From: Rex Ballard <rex.ballard@gmail.com> Newsgroups: comp.os.linux.advocacy Subject: Re: Leaked ISO Document Reveals Crooked ISO Amid MS OOXML Corruptions Date: Sat, 12 Jul 2008 08:20:23 -0700 (PDT)

[...]

ODF is a comprehensive document that provides detailed specifications from the high level document content down to the smallest elements of scalable vector graphics. There are some "standard" mime object types that are supported, such as PNG and JPEG, but other embedded formats must be installed using plug-ins which have to be authenticated by the user and by the system at installation time, and cannot be installed by the content. Furthermore, the installed content can easily be identified as trustworthy or not, and can be restricted in it's capabilities.

OpenXML on the other hand, is a high-level specification which describes the high level envelopes used to embed binary objects which are included in the content. The content itself contains the binary code which can call any function in any Microsoft library and has all permissions of the person opening the document. If a user account is set up as "Administrator", then the application can mess with the registry, create, download, and hide files, can execute applications in those files, can install any number of new viruses, and generally wreak havoc on the system.

I'll leave it to others to document the exact details (as I said, I'm busy these days), but I'm sure anyone who tries to publish these vulnerabilites will probably find themselves getting the same treatment that Tracy Reed of Ultraviolet.org got when he tried to publish his warnings about ActiveX controls back in 1997. Microsoft got a court injunction against him, and forced him to take down the content, claiming that it was being used to encourage hacking, and was damaging the Microsoft brand.

“I got a couple of docx documents and had trouble getting them to open, even with the plug-in for Office XP. Next thing I know, I get a notice from my registry auditor that I have 1300 new registry errors.”Over the last 10 years, we've seen these very same techniques, documented back in 1997, used widely to spread viruses including Melissa, Nimda, Sky, BugBear, and about 250,000 other viruses, worms, and malware, not including spy-ware and other "Microsoft Authorized" invasions of our privacy.

I got a couple of docx documents and had trouble getting them to open, even with the plug-in for Office XP. Next thing I know, I get a notice from my registry auditor that I have 1300 new registry errors. And suddenly, my PC is churning the disk-drive and the network connection at 3:00 AM (I'm getting old and have to get up), and the network shows that I'm uploading something at full speed, even though my computer is supposedly sleeping.

It isn't a back-up program that I'm running.

I would encourage COLA readers and OSS advocates to explore this in more detail.

get someone with Office 2007 to send you a docx file. unzip it using pkzip or winzip or unzip.

look at the binary files.

replace one binary object with another.

zip up the document,

see if your office-2007 user can read the "enhanced" document.

For those of you with OLE programming skills, create an OLE object that creates a file, and e-mails that file to you using smtp.

Send a document with this new ole object embedded (along with the others) and see if you get an e-mail.

I haven't tried this, and I don't know if it will work. I'm not sure how hard it would be to make it work. I just think it might be an interesting project worth investigating, especially if you are considering the migration of a few thousand users to Vista and Office 2007.

I'd love to see what the results turn out to be. After all, if it's that easy to take control of a recipient's machine just by sending them a "trusted" Word, Excel, or PowerPoint attachment, just think how much chaos a really aggressive malicious hacker, with a goal of obtaining marketable information about your business, could do.




Does ISO really want to approve such a 'virus'? As an international standard even? If someone tests the above, please post the outcome here or elsewhere. It would prove invaluable.

The last time a chain of ISO problems was cited, Ian Easson challenged an argument from Groklaw. He might wish read the following lengthy follow-up. ISO is in a deeper puddle of mud than before.

Brazil is a P member of SC 34, so according to my reading of the clause, it has the right to appeal if any of the three above issues apply, and arguably they all do. According to South Africa, if the issue is ISO's reputation, or if there is a matter of principle involved, Brazil can appeal. Even point three could apply, in that Brazil raises matters such as incorrect tabulation of votes, which, if true, one would hope ISO wasn't aware of.

[...]

Why did they bother to go, one might ask? Why vote, if votes disappear from the record? By my reading, Brazil paints a picture of an orchestrated event, tilted away from criticism or a negative result and a refusal to give substantive consideration to issues delegates wanted to discuss, due to time constraints Brazil calls arbitrary, and worse.


For details about the BRM in question, see [1, 2, 3, 4, 5, 6, 7, 8] and have your jaw sink to the floor. It was a bad plan from the get-go [1, 2, 3, 4, 5], but Emperor Microsoft was in a hurry and it even used its lobbyist Jan Van Den Beld to change the rules 'on the fly'.

OOXML protests in India
From the Campaign for Document Freedom

Recent Techrights' Posts

IBM's BS (Bait, Switch) Regarding Ways to Stay Onboard
PIPs, RTOs, and forced relocations are just an illusion of choice (or ability to recover)
Banned evidence: Ars Technica forums censored email predicting DebConf23 death, Abraham Raji & Debian cover-up
Reprinted with permission from Daniel Pocock
Intimidation, Threats, and Bullying Not Tolerated by Techrights
When it comes to our reporting, safety always comes first
 
Open Source Initiative (OSI) Privacy Fiasco in Detail: An Introduction
Perhaps tomorrow or perhaps next week we'll share more information about what happened and what was reported to the California Privacy Protection Agency
Costa Rica Almost Bankrupt Because of Microsoft
the incidents in Costa Rica are Windows incidents
Gemini Links 29/03/2025: Art of Looking, Wireguard, EMacs
Links for the day
Links 29/03/2025: Attacks on Social Security and War Updates
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, March 28, 2025
IRC logs for Friday, March 28, 2025
A World Without Rules
We're long insisted on better laws and actual enforcement of them (applicable to all, not selectively applied)
statCounter Sees Microsoft Windows Falling to New, Unprecedented Lows in Palau
Taking Android into account, Windows is now down to an all-time low of 14%
Google News Lost the Fight to LLM Slop (While Google Itself Sells Slop, Nowadays Under the Name "Gemini")
Many people say that "Google is getting worse"; that's almost an understatement
Links 28/03/2025: AirAsia Trouble Again, UMich Culls All DEI Programs
Links for the day
Gemini Links 28/03/2025: Alexa is for Gullible People, Rant About Feature Overload
Links for the day
The SLAPPs From the Microsoft Strangler (and Sidekick) No Better Than Patent Trolling
one must never settle with trolls
Something to Celebrate in Gemini Protocol
More capsules and users join in
Links 28/03/2025: Last Reminder "to Delete Your 23andMe Data", "UK's First Permanent Facial Recognition Cameras Installed"
Links for the day
Microsoft Canonical Continues Its FUD (Fear, Uncertainty, Doubt) Campaign, Reveals Google Too Sponsored It
They're paid-for lies from a Chinese company that takes GAFAM money to write puff pieces about them
Android Rises Above 76% in Mozambique, Leaving Windows in the Dust
Windows may soon be measured as smaller than Apple's iOS
IBM, Red Hat and Microsoft Probably Also Manipulate Metrics (It Helps Con the Shareholders)
Wall Street's credibility will depend on enforcement of "checks and balances"
Slopwatch: trendhunter.com and Other Pure Junk From "Google News"
The need to vet sources is hardly new; anyone can spew out anything, anywhere. There's a need for vetting.
Gemini Links 28/03/2025: Rewatching The X-Files, Slop Concerns, and NOSTR Censorship
Links for the day
Links 28/03/2025: Australia at Risk, EPO Grants Illegal Patents With Illegal Effect
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, March 27, 2025
IRC logs for Thursday, March 27, 2025
Links 27/03/2025: Obituary to a Shop, Russia Trying to Buy Time
Links for the day
Links 27/03/2025: Slop, Autosuggestions, and Nostr
Links for the day
Apparently Confirmed: IBM Layoffs in Canada Today, Hundreds Affected
Impacting "177 people", says one person, "in Ottawa"
When Windows Was Dominant (1990s) Browser Monopoly Meant MSIE, But Now Google Android is Dominant and the Web in a 'Webapps' Era Works With (or Is Designed for) Chrome-isms
We've been there before
Slopwatch: BetaNews, LinuxSecurity.com, and the Attack on Web Search Using Fake and Likely Plagiarised Pages
Changing a few words here and there won't change the fact that it's not properly authored
Links 27/03/2025: U.S. Honeybee Deaths Reach Record High, Legal Occupation Next in Line After War on Science
Links for the day
Using Courts for 'Revenge' is Always a Losing Strategy
Trying to cause someone you dislike to spend a lot of money
IBM CFO James Kavanaugh Refers to Firing of Almost 10,000 Americans as "Workforce Rebalancing" (Shifting IBM's Centre of Balance to Low-salary Contracts/Countries)
The scale of IBM layoffs is getting too large to evade WARN Notices
[Video] Dr. Richard Stallman's Keynote Speech in Kerala Finally Uploaded
In non-free format and proprietary YouTube, but perhaps that's better than nothing
Islands Are Leaving Microsoft Behind, According to statCounter
Android has had a very strong year
EPO Management Fails to Deny That the Office is Discriminating Against Women
Europe's second-largest institution isn't just exceedingly corrupt but also immoral
In Some Countries the Market Share of Vista 11 is Going Down, Not Up
despite being released in 2021
Rumour: Mass Layoffs in IBM Canada Today
Maybe later today some people from Canada will say something firmer and maybe some media will even talk about that
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, March 26, 2025
IRC logs for Wednesday, March 26, 2025
Gemini Links 27/03/2025: X-Files' "Kill Switch", Orlando, and ASN (Autonomous System Number) 'Hack'
Links for the day