07.12.08

Gemini version available ♊︎

Taking Microsoft OOXML to Task

Posted in ISO, Microsoft, Open XML, OpenDocument, Security at 2:13 pm by Dr. Roy Schestowitz

Any Windows/Office debuggers in the audience?

The following is a reproduction of a new post from Rex Ballard (I started this discussion thread), whose previous post we quoted the other day.


Message-ID: <31a66169-d9e7-4715-9e9e-e3488ebd36a9@25g2000hsx.googlegroups.com>
From: Rex Ballard <rex.ballard@gmail.com>
Newsgroups: comp.os.linux.advocacy
Subject: Re: Leaked ISO Document Reveals Crooked ISO Amid MS OOXML Corruptions
Date: Sat, 12 Jul 2008 08:20:23 -0700 (PDT)

[...]

ODF is a comprehensive document that provides detailed specifications
from the high level document content down to the smallest elements of
scalable vector graphics. There are some “standard” mime object types
that are supported, such as PNG and JPEG, but other embedded formats
must be installed using plug-ins which have to be authenticated by the
user and by the system at installation time, and cannot be installed
by the content. Furthermore, the installed content can easily be
identified as trustworthy or not, and can be restricted in it’s
capabilities.

OpenXML on the other hand, is a high-level specification which
describes the high level envelopes used to embed binary objects which
are included in the content. The content itself contains the binary
code which can call any function in any Microsoft library and has all
permissions of the person opening the document. If a user account is
set up as “Administrator”, then the application can mess with the
registry, create, download, and hide files, can execute applications
in those files, can install any number of new viruses, and generally
wreak havoc on the system.

I’ll leave it to others to document the exact details (as I said, I’m
busy these days), but I’m sure anyone who tries to publish these
vulnerabilites will probably find themselves getting the same
treatment that Tracy Reed of Ultraviolet.org got when he tried to
publish his warnings about ActiveX controls back in 1997. Microsoft
got a court injunction against him, and forced him to take down the
content, claiming that it was being used to encourage hacking, and was
damaging the Microsoft brand.

“I got a couple of docx documents and had trouble getting them to open, even with the plug-in for Office XP. Next thing I know, I get a notice from my registry auditor that I have 1300 new registry errors.”Over the last 10 years,
we’ve seen these very same
techniques, documented back in 1997,
used widely to spread viruses including
Melissa, Nimda, Sky, BugBear, and about
250,000 other viruses, worms,
and malware, not including spy-ware and
other “Microsoft Authorized”
invasions of our privacy.

I got a couple of docx documents and had trouble getting them to open,
even with the plug-in for Office XP. Next thing I know, I get a
notice from my registry auditor that I have 1300 new registry errors.
And suddenly, my PC is churning the disk-drive and the network
connection at 3:00 AM (I’m getting old and have to get up), and the
network shows that I’m uploading something at full speed, even though
my computer is supposedly sleeping.

It isn’t a back-up program that I’m running.

I would encourage COLA readers and OSS advocates to explore this in
more detail.

get someone with Office 2007 to send you a docx file.
unzip it using pkzip or winzip or unzip.

look at the binary files.

replace one binary object with another.

zip up the document,

see if your office-2007 user can read the “enhanced” document.

For those of you with OLE programming skills, create an OLE object
that creates a file, and e-mails that file to you using smtp.

Send a document with this new ole object embedded (along with the
others) and see if you get an e-mail.

I haven’t tried this, and I don’t know if it will work. I’m not sure
how hard it would be to make it work. I just think it might be an
interesting project worth investigating, especially if you are
considering the migration of a few thousand users to Vista and Office
2007.

I’d love to see what the results turn out to be. After all, if it’s
that easy to take control of a recipient’s machine just by sending
them a “trusted” Word, Excel, or PowerPoint attachment, just think how
much chaos a really aggressive malicious hacker, with a goal of
obtaining marketable information about your business, could do.


Does ISO really want to approve such a ‘virus’? As an international standard even? If someone tests the above, please post the outcome here or elsewhere. It would prove invaluable.

The last time a chain of ISO problems was cited, Ian Easson challenged an argument from Groklaw. He might wish read the following lengthy follow-up. ISO is in a deeper puddle of mud than before.

Brazil is a P member of SC 34, so according to my reading of the clause, it has the right to appeal if any of the three above issues apply, and arguably they all do. According to South Africa, if the issue is ISO’s reputation, or if there is a matter of principle involved, Brazil can appeal. Even point three could apply, in that Brazil raises matters such as incorrect tabulation of votes, which, if true, one would hope ISO wasn’t aware of.

[...]

Why did they bother to go, one might ask? Why vote, if votes disappear from the record? By my reading, Brazil paints a picture of an orchestrated event, tilted away from criticism or a negative result and a refusal to give substantive consideration to issues delegates wanted to discuss, due to time constraints Brazil calls arbitrary, and worse.

For details about the BRM in question, see [1, 2, 3, 4, 5, 6, 7, 8] and have your jaw sink to the floor. It was a bad plan from the get-go [1, 2, 3, 4, 5], but Emperor Microsoft was in a hurry and it even used its lobbyist Jan Van Den Beld to change the rules ‘on the fly’.

OOXML protests in India
From the Campaign for Document Freedom

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. Links 25/03/2023: Gordon Moore (of Moore's Law) is Dead

    Links for the day



  2. Links 25/03/2023: Decade of Docker, Azure Broken Again

    Links for the day



  3. [Meme] Money Deducted in Payslips, But Nothing in Pensions

    Sirius ‘Open Source’ has stolen money from staff (in secret)



  4. IRC Proceedings: Friday, March 24, 2023

    IRC Proceedings: Friday, March 24, 2023



  5. The Corporate Media is Not Reporting Large-Scale Microsoft Layoffs (Too Busy With Chaffbot Puff Pieces), Leaks Required to Prove That More Layoffs Are Happening

    Just as we noted days ago, there are yet more Microsoft layoffs, but the mainstream media gets bribed to go “gaga” over vapourware and chaffbots (making chaff like “Bill Gates Says” pieces) instead of reporting actual news about Microsoft



  6. Sirius 'Open Source' Pensiongate: Time to Issue a Warrant of Arrest and Extradite the Fake 'Founder' of Sirius

    Sirius ‘Open Source’ is collapsing, but that does not mean that it can dodge accountability for crimes (e.g. money that it silently stole from its staff since at least 12 years ago)



  7. Links 24/03/2023: Microsoft's Fall on the Web and Many New Videos

    Links for the day



  8. IRC Proceedings: Thursday, March 23, 2023

    IRC logs for Thursday, March 23, 2023



  9. Links 24/03/2023: Social Control Media Bans Advancing

    Links for the day



  10. Links 24/03/2023: GNU Grep 3.10 and Microsoft Accenture in a Freefall

    Links for the day



  11. Links 23/03/2023: RSS Guard 4.3.3 and OpenBSD Webzine

    Links for the day



  12. Experiencing 15 Years of LibrePlanet Celebration Firsthand as a Volunteer: 2023 - Charting the Course

    Article by Marcia K Wilbur



  13. [Meme] Grabinski the Opportunity

    Reports of European Patents being invalidated (judges do not tolerate fake patents) have become so common that a kangaroo court becomes a matter of urgency for the EPO‘s Benoît Battistelli and António Campinos; will the EU and the EPO’s Administrative Council go along with it, helping to cover up more than a decade of profound corruption?



  14. Union Syndicale Fédérale Cautions the EPO's Administrative Council About Initiating an Illegal Kangaroo Court System for Patents (UPC) While EPO Breaks Laws and Sponsors the Ukraine Invasion

    Union Syndicale Fédérale (USF) is once again speaking out in support of the staff union of Europe's second-largest institution, which lacks oversight and governance because of profound corruption and regulatory capture



  15. Investigation Underway: Sirius 'Open Source' Embezzled/Stole Money, Robbed Its Own Staff

    In light of new developments and some progress in an investigation of Sirius ‘Open Source’ (for fraud!) we take stock of where things stand



  16. [Meme] Sirius 'Open Source' Pensions: Schemes or Scams? Giving a Bad Name to Open Source...

    What Sirius ‘Open Source’ did to its staff is rightly treated as a criminal matter; we know who the perpetrators are



  17. Sirius 'Open Source' Under Investigation for Pension Fraud, Several Pension Providers Examine the Facts

    2 pension providers are looking into Sirius ‘Open Source’, a company that defrauded its own staff; stay tuned as there’s lots more to come. Is this good representation for “Open Source”? From a company that had many high-profile clients in the public sector?



  18. Links 23/03/2023: Sparky 2023.03 Special Editions and SUSE Changes CEO (Dirk-Peter van Leeuwen)

    Links for the day



  19. Links 23/03/2023: Linux 6.2.8 and XWayland 23.1.0

    Links for the day



  20. IRC Proceedings: Wednesday, March 22, 2023

    IRC logs for Wednesday, March 22, 2023



  21. Apple 'Porn' Filter

    Guest post by Ryan Farmer: Apple and US State Governments Developing System to Require People to Report Themselves for Watching Porn.



  22. 3.5 Years Later Gemini Protocol and Geminispace Are Still 100% Community-Controlled

    Community-centric alternatives to the World Wide Web have gained traction; one of them, Gemini Protocol, continues to grow in 2023 and we're pleased to report progress and expansion



  23. Windows Falls to 16% Market Share in India (It was 97% in 2009), Microsoft Layoffs Reach India Too

    This month’s picture from the world’s most populous nation does not look good for Microsoft (it looks good for GNU/Linux); anonymous rumour mills online say that Microsoft isn’t moving to India but is actually firing staff based in India, so it’s a case of shrinking, not offshoring. When even low-paid (much lower salaries) staff is discarded it means things are very gloomy.



  24. Links 22/03/2023: GNOME 44 “Kuala Lumpur”

    Links for the day



  25. Microsoft Has Also Infiltrated the OSI's Board of Directors After Rigged Elections

    Weeks ago we warned that this would happen and for the third or fourth time in 2 years the OSI’s election process broke down; today the Open Source Initiative (OSI) writes: “The polls just closed, the results are in. Congratulations to the returning directors Aeva Black…” (Microsoft employee)



  26. Links 22/03/2023: Official Thunderbird Podcast Starts

    Links for the day



  27. IRC Proceedings: Tuesday, March 21, 2023

    IRC logs for Tuesday, March 21, 2023



  28. Many More Microsoft Layoffs Later Today

    Yesterday we shared rumours about Microsoft layoffs being planned for later today (there were 3 waves of layoffs so far this year). There are several more people here who say the same. How much noise will Microsoft make in the “media” in order to distract? Will the chaffbot "ChatGPT" help create enough chaff?



  29. Links 21/03/2023: JDK 20 and GNOME 43.5

    Links for the day



  30. Germany's Lobbyists-Infested Government Sponsors the War on Ukraine via the European Patent Office (EPO)

    The chief UPC ‘judge’ is basically seeking to break the law (and violate constitutions, conventions etc.) to start a kangaroo court while dodging real courts, just like Vladimir Putin does


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts