Security News > 2023 > June > These Microsoft Office security signatures are 'practically worthless'
Office Open XML Signatures, an Ecma/ISO standard used in Microsoft Office applications and open source OnlyOffice, have several security flaws and can be easily spoofed.
Microsoft refers to the format simply as Open XML. The boffins say they found discrepancies in the structure of office documents and the way signatures get verified.
As a result they were able to identify five ways to attack vulnerable documents to alter their contents and forge signatures.
With Microsoft Office for macOS, document signatures simply weren't validated at all.
Xml to an OOXML package - which consists of multiple zipped files - and the Office for Mac would show a security banner proclaiming that the document was protected by a signature.
"This has been fixed in the final ODF version 1.2. In our research, we also found problems with signed ODF versions, but these were more likely caused by basic problems with XML signatures or implementation flaws on the part of the vendors. In general, we should always avoid partial signatures in documents. Since this leads to insecure implementations, related to the signature." .
News URL
https://go.theregister.com/feed/www.theregister.com/2023/06/13/office_open_xml_signatures/
Related news
- Microsoft Is Disabling Default ActiveX Controls in Office 2024 to Improve Security (source)
- Microsoft Office 2024 now available for Windows and macOS users (source)
- Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes (source)
- Microsoft rolls out Office LTSC 2024 for Windows and Mac (source)
- Microsoft overhauls security for publishing Edge extensions (source)
- Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild (source)
- Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools (source)
- Microsoft warns it lost some customer's security logs for a month (source)
- Microsoft lost some customers’ cloud security logs (source)
- Microsoft Entra "security defaults" to make MFA setup mandatory (source)