Office Open XML (OOXML) Signatures, an Ecma/ISO standard used in Microsoft Office applications and open source OnlyOffice, have several security flaws and can be easily spoofed.
As a result, Office files signed in this manner can be altered undetectably or completely fabricated with a forged signature. And that’s fundamentally contrary to the purpose of digital signatures.
Five computer researchers from Ruhr University Bochum in Germany – Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk – describe this sorry state of affairs in a paper titled: “Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures.”
The paper is scheduled to be presented at the USENIX Security Symposium in August.
OOXML first appeared in Office in 2006. It consists of a zipped package of XML files. Microsoft refers to the format simply as Open XML.
The boffins say they found discrepancies in the structure of office documents and the way signatures get verified. As a result they were able to identify five ways to attack vulnerable documents to alter their contents and forge signatures.
The researchers tested the attacks on versions of Microsoft Office on Windows and macOS, as well as on OnlyOffice Desktop for Windows, macOS, and Linux. And every single one was vulnerable.
And with Microsoft Office for macOS, document signatures simply weren’t validated at all. The researchers found they could add an empty file named sig1.xml to an OOXML package – which consists of multiple zipped files – and Office for Mac would show a security banner proclaiming that the document was protected by a signature.
“The attacks’ impact is alarming: attackers can arbitrarily manipulate the displayed content of a signed document, and victims are unable to detect the tampering,” the authors explain in their paper.
“Even worse, we present a universal signature forgery attack that allows the attacker to create an arbitrary document and apply a signature extracted from a different source, such as an ODF document or a SAML token. For the victim, the document is displayed as validly signed by a trusted entity.”
There are primarily three issues. First, OOXML uses partial signatures, so not every file in the package gets checked. Second, the rendering flow allows unsigned content to be added to files, and third, handling cryptographic verification for digital signatures is overly complicated.
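To make the partial-signature problem concrete, here is an added audit script (not from the paper or its proof-of-concept code) that lists which parts of an OOXML package are not referenced by a signature's manifest and flags an empty signature part like the sig1.xml case above. The package layout and the signature XML are constructed for the demo, and the script performs no cryptographic verification, only coverage accounting.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
EXEMPT = ("_xmlsignatures/", "[Content_Types].xml")  # never covered by package signatures
# OOXML signature skeleton: SignedInfo points at the package Object whose Manifest lists the parts.
SIG_TEMPLATE = (
    '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    '<SignedInfo><Reference URI="#idPackageObject"/></SignedInfo><SignatureValue>x</SignatureValue>'
    '<Object Id="idPackageObject"><Manifest>{refs}</Manifest></Object></Signature>'
)


def signature_coverage(package_bytes):
    """Map each signature part to {'empty': bool, 'unsigned': [parts not in its manifest]}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        parts = [n for n in zf.namelist() if not n.endswith("/")]
        content_parts = sorted(n for n in parts if not n.startswith(EXEMPT))
        for sig in (n for n in parts if n.startswith("_xmlsignatures/") and n.endswith(".xml")):
            data = zf.read(sig)
            if not data.strip():  # an empty sig1.xml covers nothing at all
                report[sig] = {"empty": True, "unsigned": content_parts}
                continue
            signed = set()
            for ref in ET.fromstring(data).iter(DSIG + "Reference"):
                uri = ref.get("URI", "")
                if not uri.startswith("#"):  # skip references into the signature itself
                    signed.add(uri.split("?", 1)[0].lstrip("/"))  # drop ?ContentType=...
            report[sig] = {"empty": False, "unsigned": [p for p in content_parts if p not in signed]}
    return report


def build_sample(signed_parts, empty_signature=False):
    """Constructed minimal docx-like package for the demo, not a real Office file."""
    parts = {
        "[Content_Types].xml": b"<Types/>",
        "_rels/.rels": b"<Relationships/>",
        "word/document.xml": b"<document/>",
        "word/_rels/document.xml.rels": b"<Relationships/>",
        "word/settings.xml": b"<settings/>",
    }
    refs = "".join(f'<Reference URI="/{p}?ContentType=application/xml"/>' for p in signed_parts)
    parts["_xmlsignatures/sig1.xml"] = b"" if empty_signature else SIG_TEMPLATE.format(refs=refs).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Passing the bytes of a real .docx to signature_coverage shows which parts, typically the relationship files, its signature leaves uncovered.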
“We see the main problem with partial signatures,” explained Simon Rohlmann, Tandem-Professor for IT Security/Information at Mainz University of Applied Sciences and lead author of the paper while at Ruhr University Bochum, in an email to The Register. “A digital signature is supposed to protect the integrity of a document, but at the same time not all parts of the document are signed. This is a contradiction in terms.”
The team says it reported the findings to Microsoft, OnlyOffice, and to the relevant standards committee, ISO/IEC JTC 1/SC 34.
Microsoft, they claim, acknowledged the findings and awarded a bug bounty, but “has decided that the vulnerabilities do not require immediate attention.” And the researchers say they’ve not heard from OnlyOffice since October 2022.
Microsoft and OnlyOffice did not immediately respond to requests for comment.
One of the paper’s co-authors, Daniel Hirschberger, has posted proof-of-concept code for spoofing OOXML signatures.
Rohlmann said he just retested the attacks on the latest LTSC version of Microsoft Office 2021 (version 2108, build 14332.20503). “All attacks still work, which means the vulnerabilities have not been fixed,” he said.
When asked about Microsoft’s assessment that these issues do not require immediate attention, Rohlmann said he disagrees.
“Digital signatures should at least achieve the information security goals of integrity and authenticity,” he said.
“By opting in the OOXML standard for partial signatures, these goals cannot be achieved. We have found several ways to modify the content of signed OOXML documents. This makes the digital signature for these documents practically worthless. For example, an attacker could use signed documents to make attacks based on social engineering appear particularly trustworthy because the document contains a valid signature of a superior.”
Rohlmann said he could not say how common signed OOXML documents may be. “Signed documents are mainly used by companies and governments, and are mostly used internally, so we do not have any clear information on this,” he said. “However, I estimate that the distribution of signed PDF documents is probably significantly higher than signed OOXML documents.”
Partial signatures, said Rohlmann, are the main problem and other file formats have addressed this, notably the OpenDocument Format (ODF).
“In earlier draft versions, the relationship files were not part of the signature calculation, just like in OOXML today,” he said.
“This has been fixed in the final ODF version 1.2. In our research, we also found problems with signed ODF versions, but these were more likely caused by basic problems with XML signatures or implementation flaws on the part of the vendors. In general, we should always avoid partial signatures in documents, since this leads to insecure implementations related to the signature.” ®