Document security and macros

By Rick Jelliffe
February 25, 2009 | Comments: 3

One of the big selling points of descriptive markup is that it is safe.

The excitement that many people had about dynamic HTML (and even AJAX, to some extent), namely that you can use a general-purpose scripting language (like JavaScript/ECMAScript; Crockford's new book looks interesting), is of course offset by the realization that the more general-purpose the scripting language is, the more it can be used for mischief. Indeed, this is where Java's sandboxes started.

One area where this has been a great concern, of course, has been office documents. Macros can be an enormous security hole. Microsoft in recent years has been back-pedalling hard on the use of Visual Basic macros: indeed they are no longer available in Mac Office 2008. One of the big innovations in Office 2008 was that files with the standard extensions (.docx, .pptx, .xlsx) are opened in a macro-disabled mode (as opposed to .docm, .pptm, .xlsm, which are macro-enabled).

In order to cope with the reduction in customizability from not having macros, markup has to step up to the plate and provide the kinds of general functions that otherwise would be done by macros. We can see examples of this in ODF's provision of XForms and OOXML's similar provision of XML mapping.

And more has to be done by embedded controls, which can be signed, downloaded and verified, though at the cost of some cumbersomeness.

However, it has to be admitted that it is impossible for even vastly improved descriptive markup (e.g. for menus, completions, etc.) to give what a customized script can do. The answer, at least in the near term: we just have to live with it and give up macros if we want security.

Thankfully there is another upside: improved descriptive markup does allow extra things that we may not have realized we needed but which become indispensable. I think Office's SmartArt (data entry by structured list editor, transformed into various diagrams dynamically) is a good example.

More deeply, we need to move away from the idea of "smart documents" where those smarts include procedural information, unless they use domain-specific notations that have known acceptable security properties (URIs, formulas).

For security we cannot have the "document contains the application" approach that general purpose macro languages support.

The "smart documents" need to be documents with only descriptive information: XML, JSON, whatever. Custom applications need to be distributed out-of-band.

Cherished Nutters

What brings this on? My favourite lurid nutter site, NOOOXML.COM, this week has a surprising post, ".XLSX files as a security risk".

In a sense, Microsoft has brought this on themselves: their security alert starts with "Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file." And the rest of the alert is rather impenetrable, allowing the kind of hysterical mischief and FUD we have learned to cherish from NOOOXML.COM.

So what is the real story? This is just the old problem: if you use a binary format (or a macro-enabled file) you can have security problems. The solution: use the MOICE tool to convert the binary file to a macro-disabled OOXML file, and/or alter the Registry setting to disallow binary files from opening.

(I contacted Microsoft to check whether my understanding was correct, and they confirmed it.)

But I think it shows the technical value of NOOOXML.COM that a security alert which says "Overcome the security problem of the Excel binary formats by converting to .XLSX" gets interpreted as exactly the opposite, ".XLSX files as a security risk". Hhrmmmmph.

Will we see a retraction from NOOOXML.COM? Not on your life.

These are the people who tried to imply some connection between national standards bodies at ISO from countries low on the so-called corruption index who voted for DIS29500 (OOXML), but who didn't feel it would be consistent to look at the nations on the CONSEGI Declaration through the same lens (Brazil=80, South Africa=54, Venezuela=158, Ecuador=151, Cuba=65 and Paraguay=138, out of 180, by the way). My point is not to accuse the CONSEGI participants of corruption at all; it is that implying a causal connection without evidence is just disguised prejudice, in this case one that plays on racism. (If you are a person who thought the implied connection was reasonable, I think you need to consider whether your prejudice is overriding your rationality, by the way, and I fully admit that I am not immune to this either.) [UPDATE: Please note the comment by Bob Jolliffe below, and my clarification.]

Sensible people: ODF

The issue of macros and security is one that obviously applies to ODF as well as OOXML. Looking at the new committee draft for ODF 1.2, what features does ODF have for macro security?

Err, absolutely none that I could see.

I searched on "macro", "script" and a little on "event", and there was nothing. Indeed, in the draft non-normative Appendix D, Core Feature Sets, scripts are listed as a feature that is, or would usually be, supported by applications.

The ODF TC is currently discussing top-level conformance issues. I have written why I think a minimal profile for writers of ODF is good to have, why it is a bad idea for readers of ODF to reject documents with extensions, and why a minimum profile will not actually meet the goal of preventing extensions by unscrupulous hijacking implementers, given the other places that extensible information can go.

So add scripting/macros to that list!

I think ODF needs to take a leaf out of OOXML's book here, and at least adopt the convention that files with the normal extensions must be opened by conforming applications with macros, scripts and events disabled.

This is not only a security issue: the imagined toxic hijacking developers can already add arbitrary binary files to the ODF package, link to them from scripts, embed them in drawings with Bin64, give them as an alternative section with text:section-source, and so on. Hence my point that a minimal ODF without element extensions is useful to have, but does not in any way provide anything effective for reducing opportunities to embrace, extend and extinguish. It is not sufficient and (given that many extensions are harmless) not even necessary: OOXML's MCE provides a better basis.
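The convention discussed above (a macro-disabled extension such as .docx or .xlsx is a promise that the package carries no macros, and the same promise would be wanted for ODF's .odt/.ods) can be checked at the gateway rather than trusted on faith. The following is an added example, not code from the original post, from Microsoft or from the ODF TC: it opens an office package as a ZIP, reads the OOXML [Content_Types].xml or the ODF manifest and content.xml, and reports any macro or script parts, flagging the case where a macro-disabled extension hides them. The OOXML content types and ODF namespaces are the published ones; the ODF path prefixes treated as script libraries ("Basic/", "Scripts/"), the helper names and the sample packages are constructed here for illustration.

```python
"""Added example: verify that an office package's extension matches its contents."""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
OFFICE_NS = "{urn:oasis:names:tc:opendocument:xmlns:office:1.0}"
SCRIPT_NS = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"
MANIFEST_NS = "{urn:oasis:names:tc:opendocument:xmlns:manifest:1.0}"

# Content types Office assigns to VBA storage and to macro-enabled main parts.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
MACRO_DISABLED_EXTENSIONS = {"docx", "xlsx", "pptx", "odt", "ods", "odp"}
# Assumption: package directories where ODF applications store script libraries.
ODF_SCRIPT_PREFIXES = ("Basic/", "Scripts/")


def ooxml_macro_parts(zf):
    """Part names (or '*.ext' defaults) whose content type marks them as macro-bearing."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    hits = []
    for el in root.iter(CT_NS + "Default"):
        if el.get("ContentType") in MACRO_CONTENT_TYPES:
            hits.append("*." + el.get("Extension"))
    for el in root.iter(CT_NS + "Override"):
        if el.get("ContentType") in MACRO_CONTENT_TYPES:
            hits.append(el.get("PartName"))
    return hits


def odf_script_parts(zf):
    """Manifest entries under script directories plus any office:scripts bindings."""
    hits = []
    names = zf.namelist()
    if "META-INF/manifest.xml" in names:
        root = ET.fromstring(zf.read("META-INF/manifest.xml"))
        for el in root.iter(MANIFEST_NS + "file-entry"):
            path = el.get(MANIFEST_NS + "full-path", "")
            if path.startswith(ODF_SCRIPT_PREFIXES):
                hits.append(path)
    if "content.xml" in names:
        root = ET.fromstring(zf.read("content.xml"))
        scripts = root.find(OFFICE_NS + "scripts")
        if scripts is not None:
            n_scripts = sum(1 for _ in scripts.iter(OFFICE_NS + "script"))
            n_listeners = sum(1 for _ in scripts.iter(SCRIPT_NS + "event-listener"))
            if n_scripts or n_listeners:
                hits.append(f"content.xml: office:scripts ({n_scripts} script(s), "
                            f"{n_listeners} event listener(s))")
    return hits


def check_package(filename, data):
    """Classify the package and flag a macro-disabled extension that hides macro/script parts."""
    ext = filename.rsplit(".", 1)[-1].lower()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            fmt, findings = "ooxml", ooxml_macro_parts(zf)
        elif "mimetype" in names or "META-INF/manifest.xml" in names:
            fmt, findings = "odf", odf_script_parts(zf)
        else:
            fmt, findings = "unknown", []
    mismatch = ext in MACRO_DISABLED_EXTENSIONS and bool(findings)
    return {"format": fmt, "findings": findings, "extension_mismatch": mismatch}


def build_zip(entries):
    """Constructed sample packages: write the given name->content map into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLEAN_DOCX_CT = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>')
MACRO_DOCX_CT = CLEAN_DOCX_CT.replace(
    "</Types>",
    '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
ODT_MANIFEST = (
    '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
    '<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>'
    '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
    '<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" manifest:media-type="text/xml"/>'
    '</manifest:manifest>')
ODT_CONTENT = (
    '<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
    'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"><office:scripts>'
    '<office:event-listeners><script:event-listener script:event-name="dom:load" '
    'script:language="ooo:script"/></office:event-listeners></office:scripts>'
    '<office:body/></office:document-content>')

CLEAN_DOCX = build_zip({"[Content_Types].xml": CLEAN_DOCX_CT, "word/document.xml": "<w/>"})
MACRO_DOCX = build_zip({"[Content_Types].xml": MACRO_DOCX_CT, "word/document.xml": "<w/>",
                        "word/vbaProject.bin": b"\x00constructed-placeholder"})
SCRIPTED_ODT = build_zip({"mimetype": "application/vnd.oasis.opendocument.text",
                          "META-INF/manifest.xml": ODT_MANIFEST, "content.xml": ODT_CONTENT})

if __name__ == "__main__":
    for name, data in [("report.docx", CLEAN_DOCX), ("report.docx", MACRO_DOCX),
                       ("report.docm", MACRO_DOCX), ("memo.odt", SCRIPTED_ODT)]:
        print(name, check_package(name, data))
```

The check is deliberately structural: it trusts neither the extension nor the file names inside the ZIP, only the content types and manifest entries the consuming application itself uses to decide what to load. A .docm carrying vbaProject.bin is reported but not flagged as a mismatch, since that extension advertises macros; the same package renamed to .docx is the case worth blocking at a gateway.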

Is it really so unbearable to the ODF people to countenance that some parts of OOXML could be much more advanced in some areas than ODF? If it is, then what hope can we have for convergence, which surely must be based on reducing gratuitous feature gaps of leading applications?

Security is so important that it should be part of ODF 1.2 rather than a next-generation ODF issue. Governments and users need to take a lead here and get something, anything, pushed through for ODF 1.2 during these top-level conformance discussions. It seems to me to dwarf issues such as vendor-proofing ODF against hijacking vendors and extension panic.


3 Comments

Rick

I have a habit of generally listening to what you have to say and frequently agreeing (usually up to a point), but I have to take issue with you bringing up this whole corruption index nonsense again.

I think the original EFFI report (http://www.effi.org/blog/kai-2007-09-05.en.html) and the debate it engendered was shocking, not because of the various arguments about causality and statistical significance, but because neither they, nor you in your responses on NOOOXML.org, ever saw fit to question the so-called corruption index itself. Corruption is far too complex a thing to lend itself to an ordering of nations on a scale determined by (of all people) a crowd of "business leaders" and bankers. I have publicly condemned any inferences which were drawn from it.

But you, like those you criticize, succeed in similarly caricaturing the participants at the CONSEGI 2008 meeting as being in the lower end of the corruption heap. You say your "point" is not to accuse the CONSEGI group of corruption at all, yet you do it anyway in order to make your real point in your long-running battle with NOOOXML. That's a shame. And I find it deeply insulting. It was a cheap shot from NOOOXML. It's a cheap shot from you.

Bob

Bob: I take your point. I apologize if I appeared to endorse that so-called Corruption Index, or for using it for making any inferences, which would indeed be insulting and offensive. I will adjust the post accordingly to clarify this was not my intention. I am happy to make a full post if you think it would be useful.

I think you are right that my argument only went as far as saying that applying this index was unsound for any predictive or inferential use, while your point is, I think, that the index itself is unsound even as a historical use.

I think the total-lack-of-evidence argument I used is more direct and therefore easier (not 'cheaper') than the "this index is bogus" argument; and the larger argument of the post concerns the lurid interpretation of any information, whether bogus or not, after all. But you may be right that the "this index is bogus" is the stronger argument (being about false premises rather than about limits of logical inference.)

I will change the entry to add your phrase "so-called" and to refer to your comment.

However, I completely reject that I in any way accused the CONSEGI group of corruption, nor that the so-called Corruption Index was in any way applicable to this issue, nor would I have believed that my readers would have picked up this as some kind of subtle inference. Using someone's premises to show that their argument doesn't stack up is not an endorsement of those premises. (However, I do take the point that repeating racist premises, even to mock conclusions based on them, may seem to endorse them, and so careful wording is appropriate.)

You would be right in finding it offensive and insulting to imply any corruption in the CONSEGI declaration participants: indeed that is the very basis of my comment.

I am very glad you also have condemned inferences drawn from it: I would love to have any links on this, because I don't recall having seen a single other writer condemn it the way I have. (Though Andy Updegrove earned my admiration for not linking to NOOOXML because, I gather, of this kind of issue, and Rob Weir made a comment about corruption being 'not necessary' IIRC but took down a link, which was good.)

Background for readers: EFFI and NOOOXML are fronts (among others) for a handful of lobbyists, who wrote a report under one hat, then quote it in a post under another, and then link to the post in a third. This allowed them to write something pseudo-statistical, then write a lurid commentary, then point to the lurid commentary, as if each was more evidence of something underhand.

Hi Rick

Despite my best intentions I do not maintain a blog (yet) so haven't got a great link to refer you to. The issue re-emerged at a session on standards organisation reform at the Internet Governance Forum in Hyderabad last year. I was one of the panelists. Whereas I was broadly supportive of the speaker's position I condemned the use of this index.

Having said that, don't take me too far. I happen to believe the NOOOXML campaign did some really good work in opening up the space - though I was never part of it or any other campaign. The South African national body reached its own positions on the stormy issues. Some of what was done - including this ridiculous corruption index thing - I think was wrong.

Was the process corrupted? It would depend very much on how we use the terminology, but it seems clear enough to me that the system was gamed vigorously and effectively by significant corporate interest. Some have argued that this is just the way the game is played. Others might call it corrupted. The truth is that the mechanisms of ISO and JTC1 seemed woefully inadequate in the face of such driven interest. The eventual result of which formed the basis of South Africa's complaint. Much of which is now water under the bridge, but one thing I am sure of: if one were to refer to some of what went on as corrupt then it had very little to do with the corruption index.

Did you know there's also an Economic Freedom Index (http://www.heritage.org/Index/)? Makes me want to weep.

Bob
