Office 2007 documents security question

Howard

In previous versions of MS Office the office documents are stored in a
proprietary format. In Office 2007 they have switched to this new Open XML
format, which is good for user manipulation and other cool stuff you can do
with XML. But it also opens the door to potential vandalism. What has been
done to protect the integrity and security of the documents? Can a malicious
hacker possibly write a script that parses through all documents and adds his
mark? And Office wouldn't detect it because it's no different than regular
user input.

Your thoughts please

Howard
 
The same could be said for any known format (a script that goes through all
your JPEG images and pastes obscene stuff into em, or repoints every .Lnk
shortcut on your system to a Format command, and so on) - if you're exposed
enough to let such a script get in, you're likely vulnerable to a whole lot
of other kinds of vandalism and whatnot.
 
For years now, all the MS Office apps have exposed almost all their
functionality via scriptable APIs. If I were a hacker, I would use those
APIs to manipulate your documents instead of trying to manipulate the XML
itself.

You should protect yourself from your XML threat the same way you have
protected yourself so far.
Soumik.
 
Because of the NDA I can't go into it, however they've made it very clear
that it'll be very secure :o)

--
Zack Whittaker
» ZackNET Enterprises: www.zacknet.co.uk
» MSBlog on ResDev: www.msblog.org
» Vista Knowledge Base: www.vistabase.co.uk
» This mailing is provided "as is" with no warranties, and confers no
rights. All opinions expressed are those of myself unless stated so, and not
of my employer, best friend, Gandhi, my mother or my cat. Glad we cleared
that up!


--- Original message follows ---
 
For Office 12 (2007) it would be better to post to the Office Beta group that was supplied to you with your Off12 Beta.

This newsgroup is for the Vista Beta
 
Microsoft Office 2007 Reminder: You Are Under an NDA (Non Disclosure
Agreement)!
 
Kevin John said:
Microsoft Office 2007 Reminder: You Are Under an NDA (Non Disclosure
Agreement)!

I don't think Howard said anything that we didn't already know.

On a simple response, it's worth noting that the same is true of previous
Office documents - a hacker with appropriate privileges can modify a document
and pass it on as if it's the original.

The answer, in both cases, is to digitally sign the document - that is, to
generate a cryptographic hash of the document's contents, and then encrypt
that hash with your private key, so that everyone can verify that the document
is unchanged from the version you claimed as being approved by you as
'genuine'.

XML already has a standard for digital signatures, even before Microsoft gets
to play with the formats for Office, so I would expect that there would be a
means to sign the documents so as to detect tampering.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
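
The tamper check discussed in this thread, as an added example that is not part of any post above: an Office 2007 file is a ZIP package of XML parts, so this sketch hashes each part and compares the result with a manifest recorded when the document was approved. It covers only the hashing half of a signature; signing the manifest digest with a private key is left out because the Python standard library has no public-key signing. The part contents are constructed samples and every function name is hypothetical.

```python
import hashlib
import io
import zipfile


def build_package(parts):
    """Return the bytes of a ZIP package holding the given {name: bytes} parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def part_digests(package):
    """Map each part name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def manifest_digest(digests):
    """One hash over the sorted manifest: the value a signer would sign."""
    h = hashlib.sha256()
    for name, digest in sorted(digests.items()):
        h.update(f"{name}\0{digest}\n".encode())
    return h.hexdigest()


def changed_parts(approved, current):
    """Names of parts added, removed or modified since the approved manifest."""
    names = set(approved) | set(current)
    return sorted(n for n in names if approved.get(n) != current.get(n))


# Constructed sample package (not a complete Office document).
ORIGINAL = {
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document><w:t>Quarterly report</w:t></w:document>",
}
# The same package after a script has appended text to the body part.
TAMPERED = dict(ORIGINAL)
TAMPERED["word/document.xml"] = ORIGINAL["word/document.xml"].replace(
    b"</w:t>", b" [mark]</w:t>")

if __name__ == "__main__":
    approved = part_digests(build_package(ORIGINAL))
    current = part_digests(build_package(TAMPERED))
    print("changed parts:", changed_parts(approved, current))
    print("manifest intact:", manifest_digest(approved) == manifest_digest(current))
```

Hashing the uncompressed parts rather than the ZIP bytes means that re-saving the package with different compression or timestamps does not register as a change, while any edit to a part's XML does.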