Office Open XML signatures are 'practically worthless'

These Microsoft Office security signatures are 'practically worthless'

There are three main issues. First, OOXML uses partial signatures: only selected parts of the document package are covered by the signature, so content outside those parts can be changed without invalidating it. Second, the rendering flow lets unsigned content be added to a signed file and displayed alongside the signed content. Third, the cryptographic verification of the signatures is overly complicated, which invites implementation mistakes.

"We see the main problem with partial signatures," explained Simon Rohlmann, Tandem-Professor for IT Security/Information at Mainz University of Applied Sciences and lead author of the paper while at Ruhr University Bochum, in an email to The Register. "A digital signature is supposed to protect the integrity of a document, but at the same time not all parts of the document are signed. This is a contradiction in terms."

The team says it reported the findings to Microsoft, OnlyOffice, and the relevant standards committee. Microsoft, they claim, acknowledged the findings and awarded a bug bounty, but "has decided that the vulnerabilities do not require immediate attention." The researchers say they have not heard from OnlyOffice since October 2022.

One of the paper's co-authors, Daniel Hirschberger, has posted

Rohlmann said he had just retested the attacks on the latest LTSC version of Microsoft Office 2021. "All attacks still work, which means the vulnerabilities have not been fixed," he said.

Asked about Microsoft's assessment that these issues do not require immediate attention, Rohlmann said he disagrees. "Digital signatures should at least achieve the information security goals of integrity and authenticity," he said. "By opting in the OOXML standard for partial signatures, these goals cannot be achieved. We have found several ways to modify the content of signed OOXML documents. This makes the digital signature for these documents practically worthless. For example, an attacker could use signed documents to make attacks based on social engineering appear particularly trustworthy because the document contains a valid signature of a superior."

Rohlmann said he could not say how common signed OOXML documents are. "Signed documents are mainly used by companies and governments, and are mostly used internally, so we do not have any clear information on this," he said. "However, I estimate that the distribution of signed PDF documents is probably significantly higher than signed OOXML documents."

Partial signatures, said Rohlmann, are the main problem, and other file formats have addressed this, notably the OpenDocument Format. "In earlier draft versions, the relationship files were not part of the signature calculation, just like in OOXML today," he said. "In our research, we also found problems with signed ODF versions, but these were more likely caused by basic problems with XML signatures or implementation flaws on the part of the vendors. In general, we should always avoid partial signatures in documents, since this leads to insecure implementations related to the signature."
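The practical consequence of partial signatures is that a "valid" signature says nothing about parts of the package it never referenced. The following added example (not code from the paper, from Microsoft, or from The Register) shows how to inspect that coverage yourself: an OOXML document is a zip package, and its signature is an XML-DSig `Signature` part under `_xmlsignatures/` whose `Manifest` lists the parts it covers as `Reference` URIs. The script lists every part in the package, compares it against the referenced URIs, and flags unsigned parts as well as relationship parts that are covered only by the `RelationshipTransform` (which signs selected relationships rather than the whole `.rels` file). The sample package is constructed in memory to stand in for a signed `.docx` to which `word/comments.xml` and `docProps/core.xml` were added after signing; its digest and signature values are placeholders. The check reports coverage only and does not verify the signature cryptographically.

```python
"""List which parts of an OOXML package (docx/xlsx/pptx) its XML-DSig signature covers.

Added example, not code from the paper or from Microsoft.  The package built by
build_sample_package() is constructed in memory; its DigestValue/SignatureValue
contents are placeholders.  This reports *coverage*, not cryptographic validity.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
# ECMA-376 Part 2 transform: only the selected relationships of a .rels part are signed
REL_TRANSFORM = "http://schemas.openxmlformats.org/package/2006/RelationshipTransform"


def signed_references(sig_xml: bytes) -> dict:
    """Map each part referenced in the signature's package Manifest to the list of
    transform algorithms applied to it.  Manifest URIs look like
    '/word/document.xml?ContentType=...'; normalise them to zip entry names."""
    root = ET.fromstring(sig_xml)
    refs = {}
    for manifest in root.iter(DSIG + "Manifest"):
        for ref in manifest.findall(DSIG + "Reference"):
            part = urlparse(ref.get("URI", "")).path.lstrip("/")
            refs[part] = [t.get("Algorithm") for t in ref.iter(DSIG + "Transform")]
    return refs


def signature_coverage(package: bytes) -> dict:
    """Compare the parts present in the zip against the parts the signature(s) reference."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        sig_parts = [n for n in names
                     if n.startswith("_xmlsignatures/") and n.endswith(".xml")]
        covered = {}
        for name in sig_parts:
            covered.update(signed_references(z.read(name)))
    # [Content_Types].xml and the signature parts themselves never appear in the Manifest
    content = [n for n in names
               if n != "[Content_Types].xml" and not n.startswith("_xmlsignatures/")]
    return {
        "signatures": len(sig_parts),
        "covered": sorted(covered),
        # parts that can be added or edited without invalidating the signature
        "unsigned": sorted(n for n in content if n not in covered),
        # .rels parts where only selected relationships are signed
        "relationship_transform": sorted(n for n, a in covered.items() if REL_TRANSFORM in a),
    }


# --- constructed sample package (stands in for a real signed .docx) ---------------
_DOC_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_RELS_CT = "application/vnd.openxmlformats-package.relationships+xml"
_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

_SIG1 = f"""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idPackageSignature">
 <SignedInfo/><SignatureValue>PLACEHOLDER</SignatureValue>
 <Object Id="idPackageObject"><Manifest>
  <Reference URI="/word/document.xml?ContentType={_DOC_CT}">
   <DigestMethod Algorithm="{_SHA256}"/><DigestValue>AAAA</DigestValue>
  </Reference>
  <Reference URI="/word/_rels/document.xml.rels?ContentType={_RELS_CT}">
   <Transforms>
    <Transform Algorithm="{REL_TRANSFORM}">
     <mdssi:RelationshipReference xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" SourceId="rId1"/>
    </Transform>
    <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
   </Transforms>
   <DigestMethod Algorithm="{_SHA256}"/><DigestValue>AAAA</DigestValue>
  </Reference>
  <Reference URI="/_rels/.rels?ContentType={_RELS_CT}">
   <Transforms><Transform Algorithm="{REL_TRANSFORM}"/></Transforms>
   <DigestMethod Algorithm="{_SHA256}"/><DigestValue>AAAA</DigestValue>
  </Reference>
 </Manifest></Object>
</Signature>"""


def build_sample_package() -> bytes:
    """Constructed signed .docx skeleton; comments.xml and core.xml were 'added after signing'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("_rels/.rels", "<Relationships/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", "<Relationships/>")
        z.writestr("word/comments.xml", "<comments/>")          # not referenced by the signature
        z.writestr("docProps/core.xml", "<coreProperties/>")    # not referenced either
        z.writestr("_xmlsignatures/origin.sigs", b"")
        z.writestr("_xmlsignatures/sig1.xml", _SIG1)
    return buf.getvalue()


if __name__ == "__main__":
    report = signature_coverage(build_sample_package())
    print(f"{report['signatures']} signature(s); unsigned parts: {report['unsigned']}")
    print(f"relationship parts only partially signed: {report['relationship_transform']}")
```

Run against a real signed document by passing the file's bytes to `signature_coverage()`. Anything listed under `unsigned` is content a third party can alter or inject while the document still shows a valid signature, which is exactly the gap the researchers describe; a `.rels` part listed under `relationship_transform` can gain new relationships (and therefore new parts) without the signature noticing, as long as the signed relationship IDs are left untouched.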

Source: The Register