OpenDocument and Open XML security (OpenOffice.org and MS Office 2007)
Tóm tắt
OpenDocument and Open XML are both new open file formats for office documents. OpenDocument is an ISO standard, promoted by OpenOffice.org and Sun StarOffice. Open XML is the new format for Microsoft Office 2007 documents, an ECMA standard. These two formats share the same basic principles: XML files within a ZIP archive, with an open schema, in contrast to good-old proprietary formats (MS Word, Excel, PowerPoint, ...). However, both of them suffer from many security issues, similar to previous Office formats: malicious people can still embed and hide malware (Trojan horses and viruses) thanks to macros, scripts, OLE objects and similar features. This paper shows the security issues with technical details, including XML and ZIP obfuscation techniques that may be used to bypass antiviruses, and describes how to design a filter to get rid of unwanted parts in a safe way.
Tài liệu tham khảo
In-depth Analysis of the Viral Threats with OpenOffice.org Documents, De Drézigué, Fizaine, Hansma (ESAT), Journal in Computer Virology, 2006. http://dx.doi.org/10.1007/s11416-006-0020-2
Le risque viral sous OpenOffice 2.0.x, Filiol, Fizaine (ESAT), MISC magazine n7, 09/2006.
OpenOffice/OpenDocument and MS Open XML security, Lagadec, P. PacSec 2006 conference. http://pacsec.jp/psj06archive.html
Sécurité des formats OpenDocument et Open XML, Lagadec, P. http://actes.sstic.org/SSTIC07/Securite_OpenDocument_OpenXML/
Ecma International, National Body Comments from 30-Day Review of the Fast Track Ballot for ISO/IEC DIS 29500 (ECMA-376) “Office Open XML File Formats”, Ecma/TC45/2007/006. http://www.ecma-international.org/news/TC45_current_work/Ecma%20responses.pdf
Formats de fichiers et code malveillant, Lagadec, P. SSTIC03. http://actes.sstic.org/SSTIC03/Formats_de_fichiers/
Common Vulnerabilities and Exposures, keywords “Microsoft Office”. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=microsoft+office
Common Vulnerabilities and Exposures, keyword “OpenOffice”. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openoffice
Analyse du risque viral sous OpenOffice.org 2.0.x, Filiol, E. (ESAT), rump sessions SSTIC06. http://actes.sstic.org/SSTIC06/Rump_sessions/SSTIC06-rump-Filiol-Risque_viral_sous_OpenOffice.pdf
OpenOffice.org URL Handling Security Vulnerability (Linux/Solaris). http://www.openoffice.org/security/CVE-2007-0239.html
Cross-site request forgery, Wikipedia. http://en.wikipedia.org/wiki/XSRF
La fuite d’informations dans les documents propriétaires, Chambet, P. (EdelWeb), Eric Filiol (ESAT), E. Detoisien, OSSIR 6/10/2003. http://www.ossir.org/windows/supports/2003/2003-10-06/OSSIR-Fuite%20infos.pdf
Open Document Format for Office Applications (OpenDocument) v1.0, OASIS Standard, 1 May 2005. http://docs.oasis-open.org/office/v1.0/OpenDocument-v1.0-os.pdf
Open Document Format for Office Applications (OpenDocument) v1.1, OASIS Standard, 1 Feb 2007. http://docs.oasis-open.org/office/v1.1/OpenDocument-v1.1.pdf
Office Open XML File Formats—Standard ECMA-376. http://www.ecma-international.org/publications/standards/Ecma-376.htm
OOo scripting framework and Python. http://udk.openoffice.org/python/scriptingframework/index.html
Secunia advisory for MS06-065. http://secunia.com/advisories/20717
Microsoft XML Paper Specification—XPS. http://www.microsoft.com/whdc/xps/default.mspx
http://www.securityfocus.com/archive/1/437948