MS Office 2007: Digital Signature does not protect Meta-Data Dec 12 2007 10:35AM
poehls informatik uni-hamburg de

Affects: Microsoft Office 2007 (12.0.6015.5000)

MSO (12.0.6017.5000)

possibly older versions

I. Background

Microsoft Office is a suite containing several programs to

handle Office documents like text documents or spreadsheets.

The latest version uses an XML based document format.

Microsoft Office allows documents to be digitally signed by

authors using certified keys, allowing viewers to verify the

integrity and the origin based on the author's public key.

The author's public key certificate, which can come from a

trusted third party, is embedded in the signed document.

It is XML DSig based.

II. Problem Description

Microsoft Office documents carry meta data information

according to the DublinCore metadata in the file

docProps/core.xml . Among these meta data information

are the fields "LastModifiedBy", "creator" together with

several others that can be displayed/changed through the

following menu "Office Button -> Prepare -> Properties".

These entries can be changed without invalidating the signature.

At least under Windows Operating Systems these information are

also shown in the Window's file systems properties.

III. Impact

The meta data of signed Microsoft Office documents can be

changed. An attacker can change the values to spoof the origin

of signed documents, hoping to induce trust or otherwise

deceive the user.

III.1. Proof of Concept

Open the OOXML ZIP container of a signed document.

Change the values in the docProps/core.xml file.

For example set the value between "<dc:creator>*</dc:creator>"

to "<dc:creator>FooBar</dc:creator>".

The changes will be displayed in the document's properties

dialog as described above. The signature will still be valid.

IV. Workaround

The meta data information of a signed OOXML document

can be changed without invalidating the signature, thus

information about the real author of a signed document can

only be retrieved from the certificate.

The signed file's meta data can not be trusted as the

meta data is not covered by the signature.

V. Solution

No possible solution.

VI. Correction details

A closer look into the references section of the XML signature

used by Microsoft Office (stored in the File

_xmlsignatures\sig1.xml) reveals that the file core.xml is

not in the list of references. Thus it is not covered by the


As a solution the scope of the signature needs to be extended

to cover all the relevant information contained in the whole

document, thus also the meta data in core.xml.

Include core.xml, and probably other files in the signature's

list of references.

VII. Time line

2007-10-24: Vendor contacted

2007-10-25: Vendor acknowledged receipt

2007-11-14: 1st Deadline reached

2007-11-27: Reminder sent

2007-12-12: No response received until today


Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid

SVS - Dept. of Informatics - University of Hamburg

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus