07.12.08

Taking Microsoft OOXML to Task

Posted in ISO, Microsoft, Open XML, OpenDocument, Security at 2:13 pm by Dr. Roy Schestowitz

Any Windows/Office debuggers in the audience?

The following is a reproduction of a new post from Rex Ballard (I started this discussion thread), whose previous post we quoted the other day.


Message-ID: <31a66169-d9e7-4715-9e9e-e3488ebd36a9@25g2000hsx.googlegroups.com>
From: Rex Ballard <rex.ballard@gmail.com>
Newsgroups: comp.os.linux.advocacy
Subject: Re: Leaked ISO Document Reveals Crooked ISO Amid MS OOXML Corruptions
Date: Sat, 12 Jul 2008 08:20:23 -0700 (PDT)

[...]

ODF is a comprehensive document that provides detailed specifications
from the high level document content down to the smallest elements of
scalable vector graphics. There are some “standard” mime object types
that are supported, such as PNG and JPEG, but other embedded formats
must be installed using plug-ins which have to be authenticated by the
user and by the system at installation time, and cannot be installed
by the content. Furthermore, the installed content can easily be
identified as trustworthy or not, and can be restricted in it’s
capabilities.

OpenXML on the other hand, is a high-level specification which
describes the high level envelopes used to embed binary objects which
are included in the content. The content itself contains the binary
code which can call any function in any Microsoft library and has all
permissions of the person opening the document. If a user account is
set up as “Administrator”, then the application can mess with the
registry, create, download, and hide files, can execute applications
in those files, can install any number of new viruses, and generally
wreak havoc on the system.

I’ll leave it to others to document the exact details (as I said, I’m
busy these days), but I’m sure anyone who tries to publish these
vulnerabilites will probably find themselves getting the same
treatment that Tracy Reed of Ultraviolet.org got when he tried to
publish his warnings about ActiveX controls back in 1997. Microsoft
got a court injunction against him, and forced him to take down the
content, claiming that it was being used to encourage hacking, and was
damaging the Microsoft brand.

“I got a couple of docx documents and had trouble getting them to open, even with the plug-in for Office XP. Next thing I know, I get a notice from my registry auditor that I have 1300 new registry errors.”Over the last 10 years,
we’ve seen these very same
techniques, documented back in 1997,
used widely to spread viruses including
Melissa, Nimda, Sky, BugBear, and about
250,000 other viruses, worms,
and malware, not including spy-ware and
other “Microsoft Authorized”
invasions of our privacy.

I got a couple of docx documents and had trouble getting them to open,
even with the plug-in for Office XP. Next thing I know, I get a
notice from my registry auditor that I have 1300 new registry errors.
And suddenly, my PC is churning the disk-drive and the network
connection at 3:00 AM (I’m getting old and have to get up), and the
network shows that I’m uploading something at full speed, even though
my computer is supposedly sleeping.

It isn’t a back-up program that I’m running.

I would encourage COLA readers and OSS advocates to explore this in
more detail.

get someone with Office 2007 to send you a docx file.
unzip it using pkzip or winzip or unzip.

look at the binary files.

replace one binary object with another.

zip up the document,

see if your office-2007 user can read the “enhanced” document.

For those of you with OLE programming skills, create an OLE object
that creates a file, and e-mails that file to you using smtp.

Send a document with this new ole object embedded (along with the
others) and see if you get an e-mail.

I haven’t tried this, and I don’t know if it will work. I’m not sure
how hard it would be to make it work. I just think it might be an
interesting project worth investigating, especially if you are
considering the migration of a few thousand users to Vista and Office
2007.

I’d love to see what the results turn out to be. After all, if it’s
that easy to take control of a recipient’s machine just by sending
them a “trusted” Word, Excel, or PowerPoint attachment, just think how
much chaos a really aggressive malicious hacker, with a goal of
obtaining marketable information about your business, could do.


Does ISO really want to approve such a ‘virus’? As an international standard even? If someone tests the above, please post the outcome here or elsewhere. It would prove invaluable.

The last time a chain of ISO problems was cited, Ian Easson challenged an argument from Groklaw. He might wish read the following lengthy follow-up. ISO is in a deeper puddle of mud than before.

Brazil is a P member of SC 34, so according to my reading of the clause, it has the right to appeal if any of the three above issues apply, and arguably they all do. According to South Africa, if the issue is ISO’s reputation, or if there is a matter of principle involved, Brazil can appeal. Even point three could apply, in that Brazil raises matters such as incorrect tabulation of votes, which, if true, one would hope ISO wasn’t aware of.

[...]

Why did they bother to go, one might ask? Why vote, if votes disappear from the record? By my reading, Brazil paints a picture of an orchestrated event, tilted away from criticism or a negative result and a refusal to give substantive consideration to issues delegates wanted to discuss, due to time constraints Brazil calls arbitrary, and worse.

For details about the BRM in question, see [1, 2, 3, 4, 5, 6, 7, 8] and have your jaw sink to the floor. It was a bad plan from the get-go [1, 2, 3, 4, 5], but Emperor Microsoft was in a hurry and it even used its lobbyist Jan Van Den Beld to change the rules ‘on the fly’.

OOXML protests in India
From the Campaign for Document Freedom

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

This post is also available in Gemini over at:

gemini://gemini.techrights.org/2008/07/12/ooxml-security-issues/

If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

Pages that cross-reference this one

What Else is New


  1. Links 24/6/2021: Sparky 2021.06 and KMyMoney 5.1.2

    Links for the day



  2. Politicians Need to Crack Down on Microsoft's Monopoly Abuse Amid Yet More Attacks on Linux (Even From the Inside)

    The most abusive 'tech' company (akin to a cult disguised as "software company" since the 1970s) is distracting lawmakers and attacking Linux from the inside; thankfully, those insipid plans of theirs face major backlash from longtime kernel developers and GNU/Linux users



  3. [Meme] Timely Timing?

    There’s a hearing next week and the timing is a bit interesting (journalists away from their desks, most English-speaking lawyers also on holiday)



  4. IRC Proceedings: Wednesday, June 23, 2021

    IRC logs for Wednesday, June 23, 2021



  5. Virtual Injustice -- Part 15: A Pandora's Box... But for Whom?

    EPO insiders suspect that Campinos is trying to supplement the "absentee governance" of the Administrative Council with a new layer of "remote management" based in Alicante



  6. Links 24/6/2021: End of Akademy 2021 and Good News From SCOTUS (About PTAB)

    Links for the day



  7. Links 23/6/2021: TeXmacs 2.1 and Blender LTS Support

    Links for the day



  8. How to Install and Then Use NetSurf as a Web Browser for the User-Centric Web, Not 'GAFAMNet'

    Today we take a quick look at what it's like to actually install NetSurf (some distros, like some Xfce-based ones, are bundled with it); we then take it for a spin



  9. Shifting Back to Fundamentals and Basics of the World Wide Web (and Gemini)

    Gemini protocol or simplified Web might be the way to go; it's easier to maintain, secure, and it's vastly better in terms of performance



  10. First I Came

    Time after time people will be reminded — or learn the hard way — that self reliance and avoidance of disappointment typically requires self-hosting, proper standards, free software, and simplicity, not outsourcing, large frameworks, and other kinds of unnecessary complexity



  11. IRC Proceedings: Tuesday, June 22, 2021

    IRC logs for Tuesday, June 22, 2021



  12. Time for Linus Torvalds to Enforce and Protect His Brand From Misuse by His Employer, the So-called 'Linux' Foundation

    The gross misuse or misapplication of the brand "Linux" is being highlighted in this video about the latest examples. It has gone too far; whether Linus Torvalds wishes to rock the boat that’s the so-called ‘Linux’ Foundation is totally up to him, but it might help if people contact him directly, especially longtime users and proponents of GNU/Linux.



  13. Links 23/6/2021: WordPress 5.8 Beta 3 and More Openwashing by LF

    Links for the day



  14. Links 22/6/2021: KDE Plasma 5.22.2, FreeBSD 13.0 Compared to DragonFlyBSD 6.0

    Links for the day



  15. “Linux Foundation Partners With Microsoft” Again

    Jim "Open Source Loves Microsoft" Zemlin shows (or rears) his face again, and as usual it’s just more promotion of marketing rubbish and openwashing of Microsoft (several new partnerships with Microsoft announced just hours ago)



  16. Links 21/6/2021: NVIDIA’s DLSS and Most Beautiful GNU/Linux Distributions

    Links for the day



  17. Neil's Misgovernment

    The GNOME Foundation has one member of staff fewer; the attack on the founder/father of Free/libre software activism and GNU (the "G" in GNOME) failed and backfired spectacularly



  18. IRC Proceedings: Monday, June 21, 2021

    IRC logs for Monday, June 21, 2021



  19. Virtual Injustice -- Part 14: How Mandatory ViCo Became the “New Normal”

    How mandatory ViCo hearings gradually became the "New Normal" at the EPO



  20. Links 21/6/2021: Rocky Linux 8.4, IPFire 2.25 - Core Update 157, and SUSE Linux Enterprise 15 SP3

    Links for the day



  21. There Are Bigger Scandals Than Revisionism and Brand Dilution at the Linux Foundation

    There are some misconceptions that need tackling; back in February (more than 4 months ago) the so-called 'Linux' Foundation decided to associate with yet another controversial drive that has nothing to do with Linux; some people think it's a new thing and leap to conclusions



  22. Techrights Video Gallery Without JavaScript

    Some of the improvements made this morning to the gallery of recent videos



  23. IRC Proceedings: Sunday, June 20, 2021

    IRC logs for Sunday, June 20, 2021



  24. Links 21/6/2021: Linux 5.13 RC7, IRC.com by Freenode

    Links for the day



  25. Virtual Injustice -- Part 13: Let the Games Continue…

    "It would be nice to think that the events of 28 May have given the Enlarged Board pause for thought."



  26. Links 20/6/2021: Akademy 2021 Underway and Linux Foundation Blasted

    Links for the day



  27. EPO: Fake Patents, Fake (Paid-for) Patent Coverage, and Fake Awards for Public Relations Purposes

    The media has been thoroughly corrupted, patent legitimacy has been severely damaged (far too many European Patents aren't in compliance with the EPC anymore), and Team UPC is trying to undermine the EPC and turn Europe into another Texas



  28. Changes in IRC and New Features Over Gemini Protocol or the World Wide Web

    We examine more closely some of the latest changes in the site and the capsule (Web and Gemini, respectively); we show that it’s possible to keep abreast of IRC using nothing but a text editor, a Gemini client… or even the command line alone



  29. IRC Proceedings: Saturday, June 19, 2021

    IRC logs for Saturday, June 19, 2021



  30. We Need and Deserve a Saner Patent System in Europe

    The laughing stock that the patent system, the patent law firms, and patent media became (over the past few years) must be replaced; at the moment we have a cabal connected to a bunch of criminals running the entire show and the public understandably grows impatient (at least people who are sufficiently informed; the criminals have already intimidated and bribed a lot of the media and they're still bribing more of it, as we shall demonstrate later today)


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts