https://www.theregister.com/2023/06/13/office_open_xml_signatures/
"Updated Office Open XML (OOXML) Signatures, an Ecma/ISO standard used in
Microsoft Office applications and open source OnlyOffice, have several security
flaws and can be easily spoofed.
As a result, Office files signed this manner can be altered undetectably or
completely fabricated with a forged signature. And that's fundamentally
contrary to the purpose of digital signatures.
Five computer researchers from Ruhr University Bochum in Germany – Simon
Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg
Schwenk – describe this sorry state of affairs in a paper titled: "Every
Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures."
The paper is scheduled to be presented at the USENIX Security Symposium in
August.
OOXML first appeared in Office in 2006. It consists of a zipped package of XML
files. Microsoft refers to the format simply as Open XML.
The boffins say they found discrepancies in the structure of office documents
and the way signatures get verified. As a result they were able to identify
five ways to attack vulnerable documents to alter their contents and forge
signatures.
The researchers tested the attacks on versions of Microsoft Office on Windows
and macOS, as well as on OnlyOffice Desktop for Windows, macOS, and Linux. And
every single one was vulnerable."
Via Danie and Diane A.
Cheers,
*** Xanni ***
--
mailto:xanni@xanadu.net Andrew Pam
http://xanadu.com.au/ Chief Scientist, Xanadu
https://glasswings.com.au/ Partner, Glass Wings
https://sericyb.com.au/ Manager, Serious Cybernetics
