[18:18] <jrwren> open office file format is now being used like ms office documents to attack windows desktops: https://blog.talosintelligence.com/2019/09/odt-malware-twist.html
[18:18] <jrwren> i guess that is the drawback of MS optionally adopting libreoffice formats
[18:21] <cmaloney> I think that's also a drawback of using extensions to determine file type
[18:23] <jrwren> huh?
[18:24] <jrwren> extension is not mentioned at all AFAICT. ODT file format is mentioned.
[18:24] <cmaloney> It looks like the anti-virus stuff isn't catching this because it's a .odt file
[18:24] <cmaloney> which it treats as a pkzip file
[18:24] <jrwren> I did not read it that way at all.
[18:25] <jrwren> I read it as it doesn't know the ODT format.
[18:25] <cmaloney> There have recently been multiple malware campaigns using this file type that are able to avoid antivirus detection, due to the fact that these engines view ODT files as standard archives and don't apply the same rules they normally would for an Office document. We also identified several sandboxes that fail to analyze ODT documents, as it is considered an archive, and the sandbox won't open the document
[18:25] <cmaloney> as a Microsoft Office file. Because of this, an attacker can use ODT files to deliver malware that would normally get blocked by traditional antivirus software
[18:25] <cmaloney> We only found a few samples where this file format was used. The majority of these campaigns using malicious documents still rely on the Microsoft Office file format, but these cases show that the ODT file format could be used in the future at a more successful rate. In this blog post, we'll walk through three cases of OpenDocument usage. The first two cases target Microsoft Office, while the third one
[18:25] <cmaloney> targets only OpenOffice and LibreOffice users. We do not know at this time if these samples were used simply for testing or a more malicious context.
[18:26] <jrwren> maybe we are saying the same thing but from different ends.
[18:28] <cmaloney> possibly
[18:28] <cmaloney> my contention is that treating files differently based on file extension is really not healthy
[19:02] <jrwren> yup... magic is better ;)
[19:13] <cmaloney> Well, with Systemd I'm sure "files" will no longer be an issue. ;)
[19:13] <cmaloney> We'll reinvent resource forks
[19:17] <jrwren> EAs can hold a lot of data
[19:17] <jrwren> xtrs all the datas