Affects: Microsoft Office 2007 (12.0.6015.5000) 
         MSO (12.0.6017.5000) 
         possibly older versions


I. Background

Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets. 
The latest version uses an XML based document format. 
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the 
integrity and the origin based on the author's public key. 
The author's public key certificate, which can come from a 
trusted third party, is embedded in the signed document. 
It is XML DSig based.


II. Problem Description

Microsoft Office documents can carry URLs as clickable 
references. The target of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID and the target.
The target can be changed without invalidating the signature. 
At least in the GUI a hyperlink's target is shown to the user.
Neverthe less the signature does not revel that it has been
changed without the signer's knowledge.


III. Impact

An attacker can change the target of hyperlinks contained in
signed documents, hoping to induce trust to the linked sites,
or otherwise deceive the user.

III.1. Proof of Concept

Open the OOXML ZIP container of a signed document that contains
a hyperlink. Lokk for the original target values in the 
word/_rels/document.xml.rels file. 
For example set the target value between the colons to
to http://example.org. 
The changes will result in the new target being displayed 
when the document is opened in Office. Pressing Ctrl and clicking
the link will instruct the browser to open the changed URL set 
as target. The signature remains valid.


IV. Workaround

The target of hyperlinks inside signed OOXML document 
can be changed without invalidating the signature, thus 
can not be trusted. Do not use the URL provided through the 
hyperlink to open the webpage the signed document wants you 
to open, instead try to deduce the URL from the signed document 
content.
 

V. Solution

No possible solution.


VI. Correction details

A closer look into the references section of the XML signature 
used by Microsoft Office (stored in the File 
_xmlsignatures\sig1.xml) reveals that the file 
word/_rels/document.xml.rels is in the list of references. 
Nevertheless, changes are not covered by the signature. 
If no implementation error is the case for this
behaviour, this can only be due to the applied transformation.

As a solution the scope of the signature needs to be extended 
to cover all the relevant information contained in the whole 
document, thus also the references in 
word/_rels/document.xml.rels.

Include word/_rels/document.xml.rels, and probably other files 
in the signature's list of references. And use transformations
that do not limit the signature's protection.

VII. Time line

2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged reception
2007-11-14: 1st Deadline due
2007-11-27: Reminder sent
2007-12-12: No response received until today



Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg