OOXML Fatally Flawed?
Thanks to Roy’s tenacity and constant vigilance, I have learned that it now appears the MS Office binary format, wrapped in XML and now known as IS 29500 (OOXML), an ISO Standard Office Document Specification (ROTFL), is giving hackers everywhere a field day.
It is now official and also confirmed that OOXML files are not just insecure but there are also persistent attacks against new flaws (without any security patches being available, i.e. zero-day).
There are some good links and sources in this article, so it is recommended reading for anyone who is considering using Office 2007 or receives an OOXML document (the ones ending in x, e.g. docx, pptx and xlsx). IMHO your automatic response should be to return it directly to the sender, do not attempt to open it, and ask them to send it to you in an open format such as ODF or PDF or even plain text. I would also suggest that you provide a link to OpenOffice.org in the reply.
In the last few scant months, there have been several major and very serious security flaws and attack opportunities with Microsoft’s software. Surely, it must be becoming clear to everyone by now:
If the foundations are weak, the walls crumbling, the windows broken and the roof collapsing; it’s time to move.
OOXML: Back Orifice 2007?
“I really don’t think OOXML is worth wasting much time over any more …”
And I only wrote that a few hours ago too! But I simply couldn’t resist this gem of a story from Roy Schestowitz over at Boycott Novell:
… I got a couple of docx documents and had trouble getting them to open, even with the plug-in for Office XP. Next thing I know, I get a notice from my registry auditor that I have 1300 new registry errors. And suddenly, my PC is churning the disk-drive and the network connection at 3:00 AM (I’m getting old and have to get up), and the network shows that I’m uploading something at full speed, even though my computer is supposedly sleeping. …
Reading this was so coincidental – last night I was in my local pub talking with a mate who’s an IT Security professional. And we were chatting (reminiscing?) about Back Orifice….