June 14, 2023

Researchers at Germany’s Ruhr University Bochum uncovered security flaws in Office Open XML (OOXML) signatures used in Microsoft Office and OnlyOffice. These weaknesses make it simple to spoof and fabricate Office files with false signatures.

The findings were presented in a paper titled “Every Signature is Broken” scheduled to be presented at the USENIX Security Symposium. These flaws were discovered in various versions of Microsoft Office for Windows and macOS, as well as in OnlyOffice Desktop for Windows, macOS, and Linux. Microsoft Office for macOS does not check document signatures, allowing an empty file to be added to an OOXML package and a fake security flag to be shown.

Simon Rohlmann, the lead author, criticized the use of partial signatures in OOXML, compromising information integrity and authenticity. He noted that other formats like ODF have resolved this issue effectively. He added that OOXML documents are vulnerable to manipulation. This is because they use partial signatures, which allow attackers to create forged signatures that appear to be from a trusted source. The vulnerabilities stem from three main issues: partial signatures, flaws in the rendering flow, and a complex cryptographic verification process.

Microsoft acknowledged the vulnerabilities, offered a bug bounty, but didn’t see an immediate need for action. OnlyOffice hasn’t responded since October 2022.

The sources for this piece include an article in TheRegister.