lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 7 Dec 2006 16:21:23 -0800
From: "Robert Kim Wireless Internet Advisor" <>
To: "Jan P. Monsch" <>
Subject: Re: Some Thoughts about Office Open XML and
	Malware Detection


Does full-disclosure need a style social news and voting
site? lemme know.. i'd be happy to build one for your community.

see: and

On 12/7/06, Jan P. Monsch <> wrote:
> Hi
> Last week I have been googling around for comments and reactions from my
> report "Malware Detection Rate in Alternative Word Formats"
> ( which was posted in the ISC diary on
> August 23rd, 2006 ( To sum it up
> there has not been a lot of reactions in magazines or the like but it got at
> least the attention of the malware research community.
> There is this very interesting follow-up article from Christoph Alme in the
> October 2006 edition of the Virus Bulletin. The two page article "Scanning
> Embedded Objects in Word XML Files"
> ( which elaborates how
> AV products can identify embedded objects in Word XML files. He shows that
> XML documents can be manipulated slightly, within the flexibility offered in
> the XML standard, and still are considered valid Word documents. Using the
> same VirusTotal-based testing method as I did, he demonstrates that all
> existing AV products can be bypassed. As you might remember my initial paper
> there were only three AV products capable of finding embedded malware in my
> run-of-the-mill XML documents.
> So what does this tell us: The most likely reason is that these three virus
> scanners do not really understand XML document format. They most likely have
> no XML parser integrated or the parser only implements the XML standard
> partially. This once again melts down to the conclusion that the decoding
> capability is the name of the game.
> Now let us speculate that AV products will integrate a complete
> off-the-shelf XML parser. Will this help? Well it will help to properly
> decode XML documents but it will most likely introduce new vulnerabilities
> in AV products so far unheard of. (Actually the motivation I am writing this
> article is to prevent AV vendors to release such broken products). Let us
> take XML external DTD references as an example. If the XML parsers are used
> in default configuration or are not configured properly, scanning an XML
> with an external reference will result in requests to external sites. That
> is nice. This would allow an attacker to track malware distribution or
> download additional exploit files to the scanning system.
> With the release of Office 2007 a couple of days ago, which will have the
> Office Open XML format as standard storage format, the urge for XML enabled
> AV products will grow. My retesting today shows that the detection rate of
> Netsky as an embedded object in a Office 2003 Word XML is still at the same
> level as 3 months ago. I fear that the AV industry is not quite yet ready to
> protect their customers against XML delivered attacks.
> Kind regards
> Jan P. Monsch
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> Hosted and sponsored by Secunia -

Robert Q Kim, Wireless Internet Provider
2611 S. Pacific Coast Highway 101
Suite 203
Cardiff by the Sea, CA 92007
206 984 0880

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists