
MS Office in Wonderland [pdf] - hsnewman
https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Hegt-MS-Office-in-Wonderland.pdf
======
vxNsr
I guess the moral here is to always open your docx/xlsx files using 7zip and
checking the raw xml first.

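The inspection described in the comment above (unzip the document and read the raw XML before Office ever touches it) can be scripted rather than done by hand. The block below is an added example, not code from the thread or from the linked talk: it uses Python's zipfile and XML parser in place of 7-Zip, reports macro containers, embedded objects, external or macro relationships and DDE/INCLUDE field codes, and never hands the file to Office. The part names and relationship-type URIs are real OOXML identifiers; which of them to flag is this example's own assumption, and the sample document it builds is constructed here for the demonstration.

```python
"""Triage an OOXML (docx/xlsx/pptx) file by reading its zip parts directly.

Added example, not from the talk or the thread: a scripted version of
"open the file with 7-Zip and read the raw XML". Finding rules below are
an assumed triage set, not an exhaustive detection list.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types worth reporting (real OOXML/Office identifiers).
SUSPICIOUS_REL_TYPES = {
    "http://schemas.microsoft.com/office/2006/relationships/vbaProject": "VBA macro project",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject": "embedded OLE object",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate": "attached template",
}

# Field instructions live in <w:instrText> runs or w:instr attributes of w:fldSimple.
INSTR_RE = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>|w:instr="([^"]*)"', re.S)
FIELD_RE = re.compile(r"\b(DDEAUTO|DDE|INCLUDEPICTURE|INCLUDETEXT)\b", re.I)


def triage_ooxml(data: bytes) -> list[str]:
    """Return human-readable findings for the OOXML bytes in `data` (empty list = nothing flagged)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip container (not OOXML, or malformed)"]
    names = zf.namelist()

    # 1. Parts that a plain document has no reason to contain.
    for name in names:
        low = name.lower()
        if low.endswith("vbaproject.bin"):
            findings.append(f"macro container present: {name}")
        elif "/embeddings/" in low:
            findings.append(f"embedded object part: {name}")

    # 2. Relationship parts: external targets and risky relationship types.
    for name in names:
        if not name.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:
            findings.append(f"unparseable relationships part: {name}")
            continue
        for rel in root.iter(RELS_NS + "Relationship"):
            rtype, target = rel.get("Type", ""), rel.get("Target", "")
            if rel.get("TargetMode") == "External":
                findings.append(f"external relationship in {name}: {target}")
            if rtype in SUSPICIOUS_REL_TYPES:
                findings.append(f"{SUSPICIOUS_REL_TYPES[rtype]} referenced from {name}: {target}")

    # 3. Field codes in XML parts (DDE and INCLUDE* fields fetch or launch things on open).
    for name in names:
        if not name.endswith(".xml"):
            continue
        text = zf.read(name).decode("utf-8", errors="replace")
        for m in INSTR_RE.finditer(text):
            hit = FIELD_RE.search(m.group(1) or m.group(2) or "")
            if hit:
                findings.append(f"field code {hit.group(1).upper()} in {name}")
                break  # one finding per part is enough for triage
    return findings


def build_sample(clean: bool = False) -> bytes:
    """Constructed sample: a minimal docx-shaped zip, either benign or carrying several red flags."""
    ns = RELS_NS[1:-1]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:t>hello</w:t>" if clean else \
            '<w:instrText>DDEAUTO placeholder-program "placeholder-argument"</w:instrText>'
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="w"><w:body><w:p><w:r>{body}</w:r></w:p></w:body></w:document>')
        rels = f'<Relationships xmlns="{ns}"><Relationship Id="rId0" ' \
               'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        if not clean:
            rels += ('<Relationship Id="rId1" '
                     'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
                     '<Relationship Id="rId2" '
                     'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                     'Target="http://example.invalid/" TargetMode="External"/>')
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")  # placeholder bytes, not a real project
        zf.writestr("word/_rels/document.xml.rels", rels + "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_ooxml(build_sample()):
        print(line)
```

Run it on a real file with `triage_ooxml(open(path, "rb").read())`; a non-empty result is a reason to open the document in a sandbox or a viewer that does not execute macros or resolve external links, while an empty result only means none of these particular flags were present, not that the file is safe.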
~~~
mappu
CVE-2018-10115, CVE-2018-5996, CVE-2017-17969, and CVE-2016-2334 in 7-Zip all
gave code execution when opening a malformed archive.

~~~
vxNsr
ah... but unless it's a spear-phishing attack they're not gonna guess that I'd
first open the archive with 7-zip and thus most likely won't build it with
that in mind.

------
dqybh
Kinda validates my belief that the only way of dealing with Office documents
is uploading them to Google Drive and opening them there.

~~~
qrbLPHiKpiux
Journalists are taught this by those that really know security and opsec,
infosec.

~~~
sho_hn
OP is getting downvoted, but I have seen high-grade security people recommend
the Google apps suite to journalists and scrappy human rights NGOs etc. (some
of whom do dangerous work, and have high security needs) with the argument of
"you can't afford better security, so you're better off outsourcing it". This
is a practice that exists, for better or worse.

~~~
acct1771
People can't afford Qubes and/or layered Virtual Machines?

Hopefully we're talking time-value.

~~~
sho_hn
They really can't. It's very rare for a scrappy human rights NGO to even have
an IT person. Access to IT skills is largely via auditors/consultants who
rove around, doing it close to pro bono. Those consultants in turn try to
maximize the good they do and spread it around, and that's how advice like
this happens. It's basically IT field medicine. What you're suggesting is the
equivalent of a top-grade operating room with attendant staff.

Disclaimer: I do volunteer work in a human rights NGO. We interview North
Korean refugees about execution and burial sites and record the data in a GIS
and incident database. I'm also a Linux desktop developer, and help them run
their IT. But I've rarely seen this anywhere else.

