These Microsoft Office security signatures are ‘practically worthless’: Turns out it’s easy to forge documents relying on OOXML

Microsoft Office

Five computer researchers from Ruhr University Bochum in Germany – Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk – describe this sorry state of affairs in a paper titled: “Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures.” They were able to identify five ways to attack vulnerable documents to alter their contents and forge signatures.

The paper is scheduled to be presented at the USENIX Security Symposium in August.

And with Microsoft Office for macOS, document signatures simply weren’t validated at all. The researchers found they could add an empty file named sig1.xml to an OOXML package – which consists of multiple zipped files – and the Office for Mac would show a security banner proclaiming that the document was protected by a signature.

“The attacks’ impact is alarming: attackers can arbitrarily manipulate the displayed content of a signed document, and victims are unable to detect the tampering,” the authors explain in their paper.

Microsoft, they claim, acknowledged the findings and awarded a bug bounty, but “has decided that the vulnerabilities do not require immediate attention.” And the researchers say they’ve not heard from OnlyOffice since October 2022.

See https://www.theregister.com/2023/06/13/office_open_xml_signatures/