Hacker News new | past | comments | ask | show | jobs | submit login
MS Office in Wonderland [pdf] (blackhat.com)
78 points by hsnewman 11 days ago | hide | past | web | favorite | 10 comments

I guess the moral here is to always open your docx/xlsx files using 7zip and checking the raw xml first.

CVE-2018-10115, CVE-2018-5996, CVE-2017-17969, and CVE-2016-2334 in 7-Zip all gave code execution when opening a malformed archive.

ah... but unless it's a spear-phishing attack they're not gonna guess that I'd first open the archive with 7-zip and thus most likely won't build it with that in mind.

Kinda validates my belief that the only way of dealing with Office documents is uploading them to Google Drive and opening them there.

Journalists are taught this by those that really know security and opsec, infosec.

OP is getting downvoted, but I have seen high-grade security people recommend the Google apps suite to journalists and scrappy human rights NGOs etc. (some of whom do dangerous work, and have high security needs) with the argument of "you can't afford better security, so you're better off outsourcing it". This is a practice that exists, for better or worse.

People can't afford Qubes and/or layered Virtual Machines?

Hopefully we're talking time-value.

They really can't. It's very rare for a scrappy human rights NGO to even have an IT person. Access to IT skills are largely via auditors/consultants who rove around, doing it close to pro bono. Those consultants in turn try to maximize the good they do and spread it around, and that's how advice like this happens. It's basically IT field medicine. What you're suggesting is the equivalent of a top-grade operating room with attendant staff.

Disclaimer: I do volunteer work in a human rights NGO. We interview North Korean refugees about execution and burial sites and record the data in a GIS and incident database. I'm also a Linux desktop developer, and help them run their IT. But I've rarely seen this anywhere else.

how to opsec: upload your sensitive documents to a cloud service that totally won't get hacked

If the data isn't sensitive there's nothing to lose

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact