Security News > 2023 > June > These Microsoft Office security signatures are 'practically worthless'

Office Open XML Signatures, an Ecma/ISO standard used in Microsoft Office applications and open source OnlyOffice, have several security flaws and can be easily spoofed.

Microsoft refers to the format simply as Open XML. The boffins say they found discrepancies in the structure of office documents and the way signatures get verified.

As a result they were able to identify five ways to attack vulnerable documents to alter their contents and forge signatures.

With Microsoft Office for macOS, document signatures simply weren't validated at all.

Xml to an OOXML package - which consists of multiple zipped files - and the Office for Mac would show a security banner proclaiming that the document was protected by a signature.

"This has been fixed in the final ODF version 1.2. In our research, we also found problems with signed ODF versions, but these were more likely caused by basic problems with XML signatures or implementation flaws on the part of the vendors. In general, we should always avoid partial signatures in documents. Since this leads to insecure implementations, related to the signature." .

News URL

https://go.theregister.com/feed/www.theregister.com/2023/06/13/office_open_xml_signatures/