office 2007 documents security question

In previous versions of MS Office the office documents are stored in a proprietary format. In Office 2007 they have switched to this new Open XML format, which is good for user manipulation and other cool stuff you can do with XML. But it also opens the door to potential vandalism. What has been done to protect the integrity and security of the documents? Can a malicious hacker possibly write a script that parses through all documents and adds his mark? And Office wouldn't detect it because it's no different than regular user input.
Your thoughts please.
Howard

The same could be said for any known format (a script that goes through all your JPEG images and pastes obscene stuff into 'em, or repoints every .Lnk shortcut on your system to a Format command, and so on) - if you're exposed enough to let such a script get in, you're likely vulnerable to a whole lot of other kinds of vandalism and whatnot.

For years now, all the MS Office apps have exposed almost all their functionality via scriptable APIs. If I were a hacker, I would use those APIs to manipulate your documents instead of trying to manipulate the XML itself.
You should protect from your XML threat the same way you have protected yourself so far. Soumik.
On Tue, 21 Mar 2006 00:03:46 -0800, Howard wrote:

In previous versions of MS Office the office documents are stored in a proprietary format. In Office 2007 they have switched to this new Open XML format, which is good for user manipulation and other cool stuff you can do with XML. But it also opens the door to potential vandalism. What has been done to protect the integrity and security of the documents? Can a malicious hacker possibly write a script that parses through all documents and adds his mark? And Office wouldn't detect it because it's no different than regular user input.
Your thoughts please.
Howard


Because of the NDA I can't go into it, however they've made it very clear that it'll be very secure :o)
-- Zack Whittaker » ZackNET Enterprises: www.zacknet.co.uk » MSBlog on ResDev: www.msblog.org » Vista Knowledge Base: www.vistabase.co.uk » This mailing is provided "as is" with no warranties, and confers no rights. All opinions expressed are those of myself unless stated so, and not of my employer, best friend, Gandhi, my mother or my cat. Glad we cleared that up!
--- Original message follows --- "Soumik Sarkar" <soumikUNDERSCOREsarkarATyahooDOTcom> wrote in message

For years now, all the MS Office apps have exposed almost all their functionality via scriptable APIs. If I were a hacker, I would use those APIs to manipulate your documents instead of trying to manipulate the XML itself.
You should protect from your XML threat the same way you have protected yourself so far. Soumik.

For Office 12 (2007) it would be better to post to the Office Beta group that was supplied to you with your Off12 Beta.
This newsgroup is for the Vista Beta.
-- Peter
Please Reply to Newsgroup for the benefit of others Requests for assistance by email can not and will not be acknowledged.

In article , "Kevin John Panzke" wrote:

Microsoft Office 2007 Reminder: You Are Under an NDA (Non Disclosure Agreement)!

I don't think Howard said anything that we didn't already know.
On a simple response, it's worth noting that the same is true of previous Office documents - a hacker with appropriate privileges can modify a document and pass it on as if it's the original.
The answer, in both cases, is to digitally sign the document - that is, to generate a cryptographic hash of the document's contents, and then encrypt that hash with your private key, so that everyone can verify that the document is unchanged from the version you claimed as being approved by you as 'genuine'.
XML already has a standard for digital signatures, even before Microsoft gets to play with the formats for Office, so I would expect that there would be a means to sign the documents so as to detect tampering.
Alun. ~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software   | Find us at http://www.wftpd.com or email
23921 57th Ave SE         | alun@wftpd.com.
Washington WA 98072-8661  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
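The hash-then-sign check described in the post above, applied to a ZIP package of XML parts like the ones the new Office format uses, as an added example that is not part of the original thread. The part names, function names and the toy RSA key (two Mersenne primes, no padding) are constructed for illustration; real signing uses a vetted library and a padded scheme.

```python
import hashlib, io, zipfile

# Constructed toy key: two Mersenne primes, textbook RSA with no padding.
# Illustration only; never use such a key or unpadded RSA in practice.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

def make_package(parts):
    """Build an in-memory ZIP container from {part name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

def part_digests(package):
    """SHA-256 of each part's uncompressed bytes, keyed by part name."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def manifest_hash(digests):
    """Hash the sorted 'name digest' list; any part change alters it."""
    text = "\n".join(f"{n} {d}" for n, d in sorted(digests.items()))
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(package):
    """Return (per-part digests, signature over the manifest hash)."""
    digests = part_digests(package)
    return digests, pow(manifest_hash(digests), D, N)  # private-key step

def verify(package, signed_digests, signature):
    """Return (ok, changed part names); (False, []) means a forged manifest."""
    if pow(signature, E, N) != manifest_hash(signed_digests):
        return False, []
    now = part_digests(package)
    changed = sorted(n for n in set(now) | set(signed_digests)
                     if now.get(n) != signed_digests.get(n))
    return not changed, changed

# Constructed sample parts standing in for a real document
PARTS = {"[Content_Types].xml": "<Types/>",
         "word/document.xml": "<w:document>Approved text</w:document>"}
ORIGINAL = make_package(PARTS)
TAMPERED = make_package({**PARTS, "word/document.xml":
                         PARTS["word/document.xml"] + "<!-- mark -->"})
DIGESTS, SIGNATURE = sign(ORIGINAL)
print(verify(ORIGINAL, DIGESTS, SIGNATURE))
print(verify(TAMPERED, DIGESTS, SIGNATURE))
```

A script that edits a part and also recomputes the digests still fails verification, because it cannot produce a matching signature without the private exponent.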
