OpenOffice / OpenDocument and MS Office 2007 / Open XML security

Interesting paper from the PacSec 2006 security conference: OpenOffice / OpenDocument and MS Office 2007 / Open XML security (PDF)

Not too surprising when you come to think of it, there are tons of possibilities to embed various kinds of malware in the new office document formats. Also, you always have the risk of leaving sensitive metadata in there... If you publish stuff, you better convert to PDF before. But even that might leave sensitive data in the PDF, mind you!

Oh, and one nice detail you might enjoy:

  • OpenDocument specification: 700 pages
  • Microsoft's Open XML specification (final draft): 6036 pages!

And that doesn't even describe all of the format (e.g. VBA macros are missing)! No further comment required...

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

usual .doc disasters

Yeah and it's really hard to get rid of MS Office. The institution where I am doing my civilian service right now has a webserver hosting a simple html table with all their internal documentation and manuals linked to .doc files probably because most of the people are just used to it.

I suggested a more userfriendly, anti-vendor-lockin wiki solution - see http://dokuwiki.org - some days ago. There is a slight chance as my boss likes collaboration, people thinking for themselves and Linux :)