Security hole. OOXML allows the inclusion of arbitrary binary blobs of data in ways that could be abused by malicious document authors. For example: Part 1, Section 15.2.14 recommends that print settings be stored in the binary DEVMODE format used by Windows printer drivers. However, if someone were to change this DEVMODE binary data it would be loaded into the printer driver the next time a user tried to print. Since a printer driver operates at a higher level of privilege than a user, this may allow a hacker to take control of a user’s machine by crafting a specific document.
The current procedure could be a good approach to keep interoperability with past legacy tools, but an ISO standard must provide a clear specification for future implementations which does not perpetuate a security hole. The DEVMODE structure, which is recommended here by example, stores such print settings as page orientation, paper size, paper length, paper width, number of copies, print quality, duplex and collation settings, etc. This should be stored in XML, not in some undefined application-dependent format.
Further, the security of the system is directly impacted by the number of undefined binary blobs that a document contains. Look at the historical problems with WMF files, with Word macro viruses etc.
15/02/14
te
Proposed Disposition of DIS 29500 Comment IN-0079 (Modified: 2008-01-04)

Agreed; One of the primary design goals for the Office Open XML formats was to provide open and XML-conformant independence from proprietary formats and features. DEVMODE structures are found in the large corpus of existing binary documents, and DIS 29500 defines a format for high-fidelity representation of those documents. As such, it allows for storage of the DEVMODE structure within the package, to preserve the content of those structures in existing binary documents. The members of Ecma TC45 felt that failure to preserve this existing content would be perceived as a loss of fidelity and interoperability by persons who have found the presence of this structure useful in existing documents.

We note that there are many types of non-XML content allowed in common office document formats, including image and media formats. In the case of printer settings, there does not currently exist an ISO/IEC standard for storing this information in an XML-based format. If and when such a format becomes available, DIS 29500 will be able to use that format for storage of printer settings, and implementers may then choose to convert existing DEVMODE structures to an XML-based alternative if so desired.

In order to encourage more interoperable documents, the following changes will be made to Part 1 §15.2.14:

15.2.14 Printer Settings Part

Content Type:
    application/vnd.openxmlformats-officedocument.spreadsheetml.printerSettings (in SpreadsheetML documents)
    application/vnd.openxmlformats-officedocument.wordprocessingml.printerSettings (in WordprocessingML documents)
Root Namespace: not applicable
Source Relationship: http://schemas.openxmlformats.org/officeDocument/2006/relationships/printerSettings

An instance of this part type contains information about the initialization and environment of a printer or a display device. The layout of this information data structure is application-defined.

[Note: It is recommended that a Printer Settings Part contain well documented XML content for improved interoperability; however, there is no requirement on the format of the content contained in a Printer Settings Part. end note]

[Example: An Office Open XML producer on Windows might store the DEVMODE structure defined here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/prntspol_8nle.asp, while an application on the Mac OS might choose to store the print record defined here: http://developer.apple.com/documentation/Carbon/Reference/CarbonPrintingManager_Ref/Reference/reference.html. end example]

A SpreadsheetML package is permitted to contain at most one Printer Settings part per Chartsheet, Dialogsheet, or Worksheet part, and that part shall be the target of an implicit relationship from a Chartsheet (§12.3.2), Dialogsheet (§12.3.7), or Worksheet (§12.3.24) part.

A WordprocessingML package is permitted to contain zero or more Printer Settings parts, one per sectPr element, each a target of an explicit relationship from a Main Document (§11.3.10) or Glossary Document (§11.3.8) part.

[Example: The following SpreadsheetML Worksheet part-relationship item contains a relationship to a Printer Settings part, which is stored in the ZIP item ../printerSettings/printerSettings1. bin xml :

    <Relationships xmlns="...">
      <Relationship Id="rId4" Type="http://.../printerSettings" Target="../printerSettings/printerSettings1.bin"/>
    </Relationships>

where the contents of PrinterSettings.xml could contain the following XML:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <PrinterSettings xmlns="...">
      <PrinterSetting name="PropertyName" value="PropertyValue" />
    </PrinterSettings>

end example]

Similar Comments: CL-0044, CL-0049, CO-0005, CO-0147, CO-0148, DE-0010, DE-0153, DK-0106, DK-0152, DK-0160, FR-0019, GB-0047, IN-0053, IR-0006, KR-0003, NZ-0014, US-0037
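A defender-side check for the concern raised in this comment, as an added example that is not part of the original comment or of the DIS 29500 text: it walks a package's relationship items, finds every Printer Settings part by the source relationship type quoted above, and reports whether each part is XML or an opaque blob. The function names, the sample package and its filler bytes are constructed for illustration.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Relationship type quoted in the revised 15.2.14 text; REL_NS is the OPC .rels namespace.
PRINTER_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
               "relationships/printerSettings")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def classify(blob):
    """Return 'xml' for well-formed, DTD-free XML; otherwise 'opaque'."""
    if b"<!DOCTYPE" in blob:  # do not let untrusted parts declare entities
        return "opaque"
    try:
        ET.fromstring(blob)
    except ET.ParseError:
        return "opaque"
    return "xml"

def find_printer_settings(package_bytes):
    """Map every Printer Settings part in the package to its classification."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = set(zf.namelist())
        for rels in sorted(n for n in names if n.endswith(".rels")):
            data = zf.read(rels)
            if classify(data) != "xml":  # skip malformed or DTD-bearing .rels items
                continue
            # xl/worksheets/_rels/sheet1.xml.rels -> source folder xl/worksheets
            base = posixpath.dirname(posixpath.dirname(rels))
            for rel in ET.fromstring(data).iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != PRINTER_REL:
                    continue
                part = posixpath.normpath(posixpath.join(base, rel.get("Target", ""))).lstrip("/")
                found[part] = classify(zf.read(part)) if part in names else "missing"
    return found

def build_sample():
    """Constructed package: sheet1 links filler bytes (not a real DEVMODE), sheet2 links XML."""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId4" Type="%s" '
            'Target="../printerSettings/%s"/></Relationships>')
    xml_part = '<PrinterSettings><PrinterSetting name="PropertyName" value="PropertyValue"/></PrinterSettings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for sheet, part, body in (("sheet1", "printerSettings1.bin", b"\x01\x04\x00\x9c" * 8),
                                  ("sheet2", "printerSettings2.xml", xml_part)):
            zf.writestr("xl/worksheets/_rels/%s.xml.rels" % sheet, rels % (REL_NS, PRINTER_REL, part))
            zf.writestr("xl/printerSettings/" + part, body)
    return buf.getvalue()
```

Calling `find_printer_settings(build_sample())` flags the `.bin` part as opaque and the XML part as XML; a mail or upload gateway could use the same inventory to quarantine or strip packages that carry opaque printer settings.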
