Type of Publication: | Contribution to a conference collection |
Publication status: | Published |
Author: | Müller, Jens; Ising, Fabian; Mainka, Christian; Mladenov, Vladislav; Schinzel, Sebastian; Schwenk, Jörg |
Year of publication: | 2020 |
Conference: | WOOT'20 : 14th USENIX Workshop on Offensive Technologies, Aug 11, 2020 |
Published in: | WOOT'20 : 14th USENIX Workshop on Offensive Technologies / Yarom, Yuval (ed.). - Berkeley, CA : USENIX Association, 2020 |
URL of original publication: | https://www.usenix.org/conference/woot20/presentation/muller, Last access on Sep 10, 2020 |
Summary: | OOXML and ODF are the de facto standard data formats for word processing, spreadsheets, and presentations. Both are XML-based, feature-rich container formats dating back to the early 2000s. In this work, we present a systematic analysis of the capabilities of malicious office documents. Instead of focusing on implementation bugs, we abuse legitimate features of the OOXML and ODF specifications. We categorize our attacks into five classes: (1) Denial-of-Service attacks affecting the host on which the document is processed. (2) Invasion of privacy attacks that track the usage of the document. (3) Information disclosure attacks exfiltrating personal data out of the victim's computer. (4) Data manipulation on the victim's system. (5) Code execution on the victim's machine. We evaluated the reference implementations – Microsoft Office and LibreOffice – and found both of them to be vulnerable to each tested class of attacks. Finally, we propose mitigation strategies to counter these attacks. |
Subject (DDC): | 004 Computer Science |
MÜLLER, Jens, Fabian ISING, Christian MAINKA, Vladislav MLADENOV, Sebastian SCHINZEL, Jörg SCHWENK, 2020. Office Document Security and Privacy. WOOT'20 : 14th USENIX Workshop on Offensive Technologies, Aug 11, 2020. In: YAROM, Yuval, ed. WOOT'20 : 14th USENIX Workshop on Offensive Technologies. Berkeley, CA: USENIX Association
@inproceedings{Muller2020Offic-50777, title={Office Document Security and Privacy}, url={https://www.usenix.org/conference/woot20/presentation/muller}, year={2020}, address={Berkeley, CA}, publisher={USENIX Association}, booktitle={WOOT'20 : 14th USENIX Workshop on Offensive Technologies}, editor={Yarom, Yuval}, author={Müller, Jens and Ising, Fabian and Mainka, Christian and Mladenov, Vladislav and Schinzel, Sebastian and Schwenk, Jörg} }