Confirmed: Microsoft OOXML a Security Hazard

Dr. Roy Schestowitz

2009-02-25 18:58:16 UTC
Modified: 2009-02-25 19:04:04 UTC

SEVERAL MONTHS ago we warned that OOXML is not secure. Its dependence on a particular platform and office suite rendered it insecure by design just like those 'origin' formats, namely binaries, which it merely shuffled around (reassembled).

It is now official and also confirmed that OOXML files are not just insecure but there are also persistent attacks against new flaws (without any security patches being available, i.e. zero-day). To quote one of the more recent reports:

Some Open XML based products as Microsoft Excel are affected by a security flaw and the Trojan.Mdropper.AC.

There is fairly wide coverage of this problem, e.g. in:

Microsoft's Excel spreadsheet program has a 0-day vulnerability that attackers are exploiting on the Internet, according to security vendor Symantec.

A 0-day vulnerability is one that does not have a patch and is actively being used to attack computers when it is publicly revealed.

Heise Online calls this vulnerability "critical" (highest level of severity by another one Microsoft's 'standards').

According to unconfirmed reports, the anti-virus manufacturer Symantec has found a trojan that seems to use a security hole in Microsoft Excel to remotely execute code on a user's system. The attack is triggered by opening a maliciously crafted Excel file, causing an unspecified remote code-execution vulnerability.

One reader points out that "Microsoft is continuing its war against a universal office format.

"Notice in particular: 'will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System'

"What kind of hell is this causing in agencies, big businesses and schools? It's not like they don't have or could live with out the terabytes of electronic records now locked out by the kludge outlined above."

Such problems could first be seen a year ago when Microsoft's OOXML crimes were still prevalent. To make matters worse, Microsoft will continue to drift further away from ECMA OOXML, probably to gravitate in its own proprietary direction. Office 14, for example, is not committed to any real standards and according to yesterday's report from Mary Jo Foley, it's already delayed anyway.

Ballmer: Office 14 not this year

[...]

However, last year, more than a few times execs slipped up and indicated Office 14 would ship in 2009.

Things are not working well for Redmond these days. For real profit, Microsoft is highly dependent on Office which is its most profitable product (and one of the few that are actually profitable). Unless Microsoft can reinforce planned obsolescence and convince people to buy an upgrade they do not need, there's great trouble ahead. The economic meltdown does not help.

OpenOffice.org makes a remarkably familiar substitute and Google Apps, among other SaaS alternatives, gain momentum despite the slew of disinformation from former Microsoft employees (masquerading as research firms). ⬆

A radical proposal to keep your personal data safe, by Richard Stallman: "The surveillance imposed on us today is worse than in the Soviet Union. We need laws to stop this data being collected in the first place"
12 Months Ago the 'Hulk Hogan of UEFI' Officially Went 'Tag-Team': We're actually sort of flattered or proud that such despicable people are so desperate to censor us
"Cloud Computing" Was Always a Joke, But This Week Was the Punchline: Maybe stop following tech trends and fashions
"Cloud Computing" Does Not Mean Safety: Fault tolerance is related to the notion of software freedom
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Tuesday, October 21, 2025: IRC logs for Tuesday, October 21, 2025
The Fall of Windows: From Something to Nothing: Of course Microsoft will pretend everything is fine and "just trust the hey hi" (AI)
Sounds Like Fedora is Ready to Become Less of a Slave of Microsoft (GitHub): This seems like a belated move in a positive direction
XBox is a Dead Microsoft Product in a Dying Industry: It's probable that another wave of XBox layoffs is just over the horizon (maybe even before month's end)
Progress on Techrights Site Search: Fun times
IBM's Bluewashing of Red Hat Means the Layoffs Are Silent, Barely Reported: Don't wait to hear about "Red Hat layoffs"
Gemini Links 21/10/2025: Happy Disconnection, AWS Falling Apart, Closing of Gemlog Blue: Links for the day
Full Audio of Today's Richard Stallman Talk in the Technical University of Munich: Free/Libre software and freedom in the digital society
Microsoft XBox is Just Vapourware (Promises of Hardware That Doesn't Exist), Real Products Perish: just as developers lose interest in developing for XBox Microsoft is increasing the costs imposed upon them
Slopwatch: Fake Articles (Slop) in "Linux" Clothing in Google News (Noise): all about what Google does
Links 21/10/2025: Even "Inventor of Vibe Coding" Rejects Vibe Coding, USPTO Experiments With Slop in Examination: Links for the day
Richard Stallman Talk Now Available for Viewing (Archived Copy, Not Live-streamed): This recording is over 2 hours old
Links 21/10/2025: AWS-Induced Chaos and Social Control Media Curbs: Links for the day
Gemini Links 21/10/2025: Programming, StarGrid, Brand-New Palm OS Strategy Game in 2025, and Chatbot as Addiction Mechanisms: Links for the day
The African Lion and the American Cowards: Safaris exist for people to watch and enjoy animals
Amazon Web Shenanigans Perfectly Timed for Today's Talk by Richard Stallman: Maybe listen to him instead of looking for excuses to ridicule the messenger
Mission:Libre Has Taken Off (Project by Carmen Maris): there will be a lot more to report on next month (after the event)
Techrights to Publish More EPO Leaks Next Week: We're meanwhile also doing lots of work on search, whose interface now looks better
Links 21/10/2025: 'The Lost Art' of Neon Signs and Twitter (X) to Enable Identity Theft (or Handle Theft) as a Service: Links for the day
Plagiarism With LLM Slop: Hindustan Times (HT Digital Streams Limited) Has Become a Slop Factory/Hub: What a disgrace
Next Week We Launch Search at Techrights: We're planning to launch it some time next week. Maybe Tuesday, maybe Thursday.
Talk by Richard Stallman Will be Live-streamed in Less Than 10 Hours: Happy hacking
"No Kings" in the Software World (GAFAM Should Not Exist, Either): "No Kings" is a good slogan. Let's start by ridding ourselves of masters, not only those who reside in DC or visit DC
Every Morning: Bugs/edge cases combined with automation can spell disaster
Insane, Deliberately Dishonest, or Just Another Bigot?: very intellectually-dishonest human being
A Lot of Techrights is Built on Perl: Perl also runs the sister site
The Register MS Selling Slop for Microsoft (Vapourware, Ponzi Scheme, False Claims): What will be left of The Register MS if it keeps repeating falsehoods and looking to profit from Ponzi schemes?
analytics.usa.gov Says Less Than 14% of Web Requests (to Government Sites) Come From Vista 11: Vista 11 was released more than 4 years ago!
People Who Attempt to Take Down Correct Information Need a Doctor a Day: “Journalism is printing something that someone does not want printed. Everything else is public relations.” ― George Orwell
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Monday, October 20, 2025: IRC logs for Monday, October 20, 2025
Vista 11 is Sinking While Microsoft is PIPing (Mass Layoffs But Silent Layoffs): We're witnessing a shift in platform dominance
Richard Stallman is Having a Good Week Already (Stallman Was Right About 'Clown Computing'): That alone is worth bringing up in his talk
An Update About Soylent News, With Jan Rinok "Back in the Saddle": Burnout or "near burnout" a possibility when having to curate abuse
When Prominent GNU/Linux Distros Are Run by Spies: What has Microsoft Canonical become?
More Publishers and Companies Nowadays Say "GNU/Linux", Not "Linux": It's not to see InstallAware saying GNU/Linux this week
Google News is Now Promoting a Parasitic Slopfarm Called "findarticles.com", Where Plagiarism of "Linux" Articles is Rampant: Does Google even care about the slop epidemic? Google itself is a vendor of slop now (and it calls it "Gemini")
Gemini Links 20/10/2025: Pumpkin Carving, "Hey Hi", and Other Buzzwords: Links for the day
Slopwatch: Google News Promoting Fear, Uncertainty, Doubt (FUD): What is the value of Google News if so many results in it are fake 'articles?
Rejecting 'Snoop-Phones' and Turning "Old" Phones (or Tablets) Into Freedom-Respecting Appliances: Paul Fernhout (pdfernhout.net) wrote back to Akira Urushibatathis this past weekend
Our Uptime This Year Was Better Than AWS (Also a Lot Cheaper): We never used "the cloud"
Amazon Web Shenanigans: An ongoing, experimental endeavour
Death of Elias Diem: FSFE mailing list archives hidden: Reprinted with permission from Daniel Pocock
Links 20/10/2025: Louvre Museum Reveals Weakness, About 7 Million Protest US Turning Into Oligarchy/Monarchy: Links for the day
They Should Have Listened to Techrights Over a Month Earlier (Xubuntu Site Compromised): we reported this issue about 40 days earlier and nobody did anything about it
Richard Stallman to Give Another Talk Today in Bavaria (Bavarian Academy of Science): Tomorrow at 6 PM he speaks in Munich
Apple is the Company of Dictators and Worse: Apple is just another greedy corporation in search of sweatshops and even pedophiles (especially the high-profile ones)
Counting Unhatched Eggs Is Not Counting Chickens: Everything here will persist as normal
Barry Kauler Explains That Puppy Linux and EasyOS Exclude Systemd to Keep Things Simple: Barry Kauler's Puppy Linux is in the community's hands. He now focuses on EasyOS and more.
The "Infinite Bread": The biblical story of Jesus feeding the 5,000 has software parallels
Half a Year After Brian Fagioli Got Kicked Out of BetaNews for Slop He's Still Doing LLM Slop and Slop Images Targeting 'Linux' (Plagiarising Original Works): If the Web gets polluted or flooded by slopfarms such as these, and Slashdot then sends traffic so these slopfarms (Slashdot probably doesn't do this intentionally), then real writers with real knowledge of GNU/Linux will lose the spark for publishing
In Many Cases and in Many Different Ways, Technology Became Less Durable and Less Reliable Over Time: The "modern" things are more complex. And complexity is a foe or reliability and repair-ability.
Microsoft's LinkedIn is Losing Money, Traffic, and Hope; Now It Wants to Sell Its Users' Lifeblood (and Data): Let this be a reminder of what social control media really is about
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, October 19, 2025: IRC logs for Sunday, October 19, 2025
Campaign of FUD Against Framework Laptops and GNU/Linux (Using Microsoft's Attack on Linux, 'Secure Boot'): Ritual Defamation Cult has turned its attention over to Framework
Microsoft Lunduke: Freedom of Speech Means Spreading What I Have to Say and Banning People I Disagree With: 4Chan is one he aims for and he is siccing 4Chan trolls at people he doesn't like
Liberation From 'The Feed': They rank things based on the editor's choice/ideology (he or she knows the sponsors, hence the masters)
Microsoft's Killing of Vista 10 Seems to Have Resulted in More Articles About GNU/Linux (But Also FUD): We not only saw a rise in traffic, we also saw a remarkable rise in the number of articles

Confirmed: Microsoft OOXML a Security Hazard

Ballmer: Office 14 not this year

Recent Techrights' Posts