
SVG images in MS Office 2016



#1 Smsec


Posted 10 March 2017 - 08:00 PM

Microsoft just added support for SVG images to Office 365 / 2016. SVG images can contain JavaScript and it looks like this will be adopted as a new infection route by malware authors.

 

Do we know if Microsoft has put any safeguards in place to prevent JS from running automatically inside office docs?

 

I did some searching but didn't find any details. Is this going to be another security headache with Office docs?

 




#2 Didier Stevens


Posted 11 March 2017 - 04:24 AM

According to this article interactive features are not supported:

https://office-watch.com/2016/svg-graphics-coming-to-office-at-long-last/


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 zainmax


Posted 11 March 2017 - 07:35 AM

Do you really not know what Scalable Vector Graphics, abbreviated as SVG, is?
It has been in use for about 18 years and is used by Microsoft, for example, in all browsers; it is also massively used in web pages, better known as "Font Awesome icons" or simply CSS icons.
And this is in no way related to JS.

There is absolutely no reason to panic.



#4 Didier Stevens


Posted 11 March 2017 - 08:58 AM

The OP is right: SVG supports scripting.

 

Example:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" 
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="6cm" height="5cm" viewBox="0 0 600 500"
     xmlns="http://www.w3.org/2000/svg" version="1.1">
  <desc>Example script01 - invoke an ECMAScript function from an onclick event
  </desc>
  <!-- ECMAScript to change the radius with each click -->
  <script type="application/ecmascript"> <![CDATA[
    function circle_click(evt) {
      var circle = evt.target;
      var currentRadius = circle.getAttribute("r");
      if (currentRadius == 100)
        circle.setAttribute("r", currentRadius*2);
      else
        circle.setAttribute("r", currentRadius*0.5);
    }
  ]]> </script>

  <!-- Outline the drawing area with a blue line -->
  <rect x="1" y="1" width="598" height="498" fill="none" stroke="blue"/>

  <!-- Act on each click event -->
  <circle onclick="circle_click(evt)" cx="300" cy="225" r="100"
          fill="red"/>

  <text x="300" y="480" 
        font-family="Verdana" font-size="35" text-anchor="middle">
    Click on circle to change its size
  </text>
</svg>

ECMAScript is closely related to JavaScript.

 

More details: https://www.w3.org/TR/SVG/script.html




#5 zainmax


Posted 11 March 2017 - 12:54 PM

SVG supports scripting like any other image or, if you like, a simple .jpg picture.
It is nothing else but the location on the page, image size, color, etc.
And it has all been this way for a very long time. Any image is some kind of script, and to place it somewhere needs a script again, for example XML, HTML, etc.
The script given above is XML, which is used exactly as I said before. Websites usually use HTML (including many others like Java, jQuery, CSS, PHP, XML, JSON and hundreds more), etc.
The well-known .jpg image is also a script, but usually you do not see it.
Dangerous scripts do not exist, but all of them can become dangerous if they are used by bad people.


#6 Didier Stevens


Posted 11 March 2017 - 01:53 PM

Image types like PNG and JPEG do not support embedded scripts.

 

The above is not an XML script. It is ECMAScript. The XML you see is the SVG file.




#7 fellowtraveler


Posted 11 March 2017 - 08:24 PM

According to this article interactive features are not supported:

https://office-watch.com/2016/svg-graphics-coming-to-office-at-long-last/

 

I inserted an animated SVG into a Word document and it rendered the image, but as the article noted the animations were disabled.

 

The article mentioned that the SVG is stored in the .docx file. I opened that in 7zip and extracted the SVG. The ECMAScript was removed from the SVG. So, it appears that Office won't use any script in the SVG file, and since it's ignored it gets removed from the version stored in the .docx file.

 

Good to know!

 

Thanks.


Edited by fellowtraveler, 11 March 2017 - 08:43 PM.
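The check fellowtraveler did by hand in 7zip, written up as an added script (not code from this thread): it opens a .docx as the ZIP container it is, reads every SVG under word/media/, and reports script-related content (script elements, on* event-handler attributes, javascript: hrefs). The sample document it scans is constructed in memory for the demo, not one produced by Office; path names, function names and the findings format are this example's own assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def svg_script_indicators(svg_bytes):
    """List script-related content found in one SVG document:
    <script> elements, on* event-handler attributes, javascript: hrefs."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop the namespace prefix
        if tag == "script":
            findings.append("<script> element")
        for name, value in elem.attrib.items():
            local = name.split("}")[-1]
            if local.lower().startswith("on"):
                findings.append(f"{tag}@{local} event handler")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"{tag}@href javascript: URL")
    return findings


def scan_docx_for_svg_scripts(docx_bytes):
    """A .docx is a ZIP; images live under word/media/. Return {path: findings}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/media/") and name.lower().endswith(".svg"):
                report[name] = svg_script_indicators(zf.read(name))
    return report


def build_sample_docx():
    """Constructed sample: a minimal ZIP mimicking a .docx with one scripted
    SVG (as embedded before Office strips it) and one clean SVG."""
    scripted = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <script type="application/ecmascript">//<![CDATA[ function f(){} //]]></script>
  <circle onclick="f()" cx="5" cy="5" r="2"/>
</svg>"""
    clean = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="2"/>
</svg>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/media/image1.svg", scripted)
        zf.writestr("word/media/image2.svg", clean)
    return buf.getvalue()


if __name__ == "__main__":
    for path, hits in scan_docx_for_svg_scripts(build_sample_docx()).items():
        print(path, "->", hits or "no script content")
```

Run it against a real .docx by replacing build_sample_docx() with the file's bytes; a document saved by Office should come back with no findings if, as the post reports, the script is stripped on insertion.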


#8 Didier Stevens


Posted 12 March 2017 - 04:18 AM

Thanks for testing and sharing fellowtraveler!

 

I tried myself, but Windows 2016 on my VM does not yet support SVG. Do you know which exact version you used for your test?




#9 fellowtraveler


Posted 12 March 2017 - 10:35 AM

It was Office 365 Business edition Version 1701 (Build 7766.2060) current channel. The MS article I linked to in my initial post mentioned "Some of these features are only available to Office 365 subscribers." Perhaps support will come later for the non-subscription version of Office 2016.
