Microsoft Office (In)security, OpenXML and unsafe content

Today I was reading the WinInfo UPDATE by Paul Thurrott, and he came up with the following comments:

The first tool, the Microsoft Office Isolated Conversion Environment (MOICE), uses the file type converters that first debuted in Office 2007 to convert Office 2007 and Office 2003 binary documents to the new Open XML file formats in an isolated environment, Microsoft says. In this way, potentially unsafe Office documents can be converted into safe XML-based documents that can’t succumb to the various electronic attacks currently targeting binary documents.

I think I am missing something here when Paul says electronic attacks currently targeting binary documents. What attacks are targeting binary documents? I thought there were malicious (binary) documents targeting Office, and not the other way around. Also, although not so common nowadays, I can’t stop thinking of those VBA macro viruses that plagued Office documents some years ago. I don’t see how taking malicious macro code embedded in a binary document (like a Microsoft Word document) and converting that document into an XML document can make that document magically safe. I’m sorry, but I think I’m missing something here.

Being a conspiracy-oriented and paranoid guy, this sounds to me like an attempt to nudge people into moving to OpenXML and so put pressure on the already-standardized and open OpenDocument format from OASIS.

The second tool, the File Block Functionality for Microsoft Office, allows administrators to restrict which file types that Microsoft Excel, PowerPoint and Word 2007 and 2003 can open using registry settings or Group Policy. This gives corporate environments a quick way to shut down access to potentially dangerous Office binary file types in the event of an emerging electronic attack.

In theory, and to be safe, the administrator should block every kind of file (Microsoft Word, Microsoft PowerPoint, and so on), so the outcome doesn’t sound extremely useful to me. But it’s a beginning. Ideally, Microsoft will one day get things right and favor security over features. I’m still looking for that day, but who knows!

Although these tools are certainly welcome, I’m curious whether Microsoft will use the recent spate of Office document attacks as a new rationale for moving its customers over to the new Open XML document formats it introduced with Office 2007. Because these XML-based formats are immune to the vulnerabilities that afflict the older Office formats, customers suddenly have another reason to migrate to Microsoft’s latest Office version.

I’m still pretty sure that even if OpenXML documents are not vulnerable to old, plain attacks, new attacks are coming our way. The fact that Microsoft Office is used so much means that malware developers and crackers will keep targeting Office and exploiting it. Microsoft Office has proven to have nice but insecure features, and it doesn’t seem to me like Microsoft is removing them (I’m sure they can’t) or even fixing them. Moving to a different document storage format doesn’t sound like an effective solution to me; it looks more like a placebo to fool people into thinking that OpenXML is the solution to all of their pain.
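As an added example (not code from the original post, and not a Microsoft tool), the following Python script opens an Open XML package, which is just a zip archive of XML and binary parts, and reports whether it declares a VBA project part (the vbaProject.bin of a macro-enabled .docm/.xlsm/.pptm), embedded OLE object parts, or relationships to targets outside the package. The two packages it inspects are constructed inside the script and are not real Office output; the bytes in the placeholder vbaProject.bin are not a real VBA project. The point for the argument above: the Open XML container does not by itself exclude macro or embedded-object content, so "XML-based" is not the same as "free of active content". What a converter such as MOICE keeps or drops is a separate question this post does not settle, and the memory-corruption bugs in the binary-format parsers that an isolated conversion is meant to contain are not something this check can see.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC (Open Packaging Conventions) namespaces and the content types that identify active content.
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # word/vbaProject.bin in .docm/.xlsm/.pptm
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"  # embedded OLE objects


def build_package(parts: dict) -> bytes:
    """Zip a {part name: body} mapping into an in-memory OPC package (a .docx is exactly such a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def inspect_package(data: bytes) -> dict:
    """Report VBA parts, OLE parts and external relationship targets declared by the package."""
    found = {"vba_parts": [], "ole_parts": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        types = ET.fromstring(z.read("[Content_Types].xml"))
        bucket = {VBA_CONTENT_TYPE: found["vba_parts"], OLE_CONTENT_TYPE: found["ole_parts"]}
        # Override elements type one specific part; Default elements map a file extension to a type.
        for el in types.iter(CT_NS + "Override"):
            if el.get("ContentType") in bucket:
                bucket[el.get("ContentType")].append(el.get("PartName"))
        for el in types.iter(CT_NS + "Default"):
            if el.get("ContentType") in bucket:
                ext = "." + el.get("Extension", "").lower()
                for n in names:
                    if n.lower().endswith(ext) and "/" + n not in bucket[el.get("ContentType")]:
                        bucket[el.get("ContentType")].append("/" + n)
        # A part named like a VBA project but declared under some other type is still worth flagging.
        for n in names:
            if n.lower().endswith("vbaproject.bin") and "/" + n not in found["vba_parts"]:
                found["vba_parts"].append("/" + n)
        # TargetMode="External" relationships point outside the package (hyperlinks, linked templates, linked objects).
        for n in names:
            if n.endswith(".rels"):
                for rel in ET.fromstring(z.read(n)).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        found["external_targets"].append((n, rel.get("Target")))
    return found


def has_active_content(report: dict) -> bool:
    """True when the package carries code (VBA) or embedded objects, whatever its XML wrapper says."""
    return bool(report["vba_parts"] or report["ole_parts"])


# Constructed sample packages (minimal, hand-written, not produced by Office) used to exercise the checks.
_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
         '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
         '</Relationships>')
_DOC = '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>'
_DOC_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
             '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/" TargetMode="External"/>'
             '</Relationships>')


def _content_types(main_type: str, extra: str = "") -> str:
    return ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>{extra}</Types>')


CLEAN_DOCX = build_package({
    "[Content_Types].xml": _content_types("application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"),
    "_rels/.rels": _RELS, "word/document.xml": _DOC, "word/_rels/document.xml.rels": _DOC_RELS,
})
MACRO_DOCM = build_package({
    "[Content_Types].xml": _content_types(
        "application/vnd.ms-word.document.macroEnabled.main+xml",
        f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'),
    "_rels/.rels": _RELS, "word/document.xml": _DOC, "word/_rels/document.xml.rels": _DOC_RELS,
    # Placeholder only: a real vbaProject.bin is an OLE compound file holding the VBA streams.
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project",
})

if __name__ == "__main__":
    for label, pkg in (("clean .docx", CLEAN_DOCX), ("macro-enabled .docm", MACRO_DOCM)):
        report = inspect_package(pkg)
        print(label, "-> active content:", has_active_content(report), report)
```

Run it on a real document by passing the file's bytes to inspect_package(). Two caveats apply in practice: the declared content type is attacker-controlled, which is why the script also matches on the part name, and a clean report from this check says nothing about malformed XML or binary parts that may still crash or exploit the parser that eventually opens the file.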

I think the solution is far simpler. Move away from insecure, closed-source software to open standards and open-source software that can be audited by anyone.
