Thanks, that’s what I figured. Did you find this by accident? I’m curious what techniques work well to reveal this kind of stuff; I expect it to be pretty common.
I found it based on a hunch, then confirmed it with experimentation. I gained additional conviction when backtesting the experimentation on various historical versions of excel.exe, and noting that the phenomenon only appeared in excel.exe versions shortly after (measured in months) government requested a “read-only” copy of the source code for Excel held in escrow. This has occurred historically in the past (e.g., https://www.chinadaily.com.cn/english/doc/2004-09/20/content_376107.htm and https://www.itprotoday.com/microsoft-windows/microsoft-gives-windows-source-code-to-governments) but subsequent instances of this were allegedly/supposedly classified. Nevertheless, following those instances, the phenomenon appeared, indicating possible compromise of Excel.exe.
Really interesting research. I would like to subscribe to your newsletter.
I have seen similar steganographic telemetry before (Dassault's SolidWorks CAD software, and other enterprise licensed applications, go to incredible extents to enforce licensing) but didn't expect data-level probing like this. I'd imagine similar scripts for e.g. EURion detections in Photoshop.
I always dismissed “lessons on trusting trust” style attacks as mere hypotheticals, but backdoors operating on the level of Excel cells is now making me reconsider that notion.