Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Few of OOXML's Flaws Have Been Addressed

Posted by Zonk on Wed Mar 19, 2008 12:39 PM
from the digging-under-the-hood dept.
Microsoft Software
I Don't Believe in Imaginary Property writes "IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw that was addressed, making the upper bound a paltry 1.5%. Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text. At least there were no mistakes on five of the first twenty five random pages he reviewed."
+ -
story

Related Stories

Submission: BRM Addressed No More Than 1.5% of OOXML's Flaws by Anonymous Coward
[+] New Rules Created For OOXML Vote 66 comments
I Don't Believe in Imaginary Property writes "There are new rules to follow for any NB that wishes to change their vote on OOXML after the lack of resolution at the recent Ballot Resolution Meeting. After comparing it to previous instructions, it seems that they only have until March 29th, they need to email several specific people, that email must be sent by certain people, and they need to confirm it in writing as well, most likely via registered mail. Even Groklaw's PJ, who made sense of many of SCO's filings, finds all the requirements a little confusing. But anyone who wants to disapprove of OOXML had better dot every 'i' and cross every 't' if they want their vote to count, if past behavior is any indication."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Few of OOXML's Flaws Have Been Addressed 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Corruption. (Score:5, Insightful)

    by twitter (104583) * on Wednesday March 19 2008, @12:42PM (#22797654) Homepage Journal
    Why fix flaws when you can buy voters?

  • Office 2007 (Score:5, Interesting)

    by number6x (626555) on Wednesday March 19 2008, @12:48PM (#22797738)

    Do any of these flaws exist in Office 2007?

    If not, why are they in the OOXML proposed standard. If the standard does not describe the OOXML format used by Microsoft, then what does it describe?

    Why can't they just document the format that they use and get this over with? Or are they doing all this for show, and there is no real substance in OOXML?

    • Re:Office 2007 (Score:5, Insightful)

      by corsec67 (627446) on Wednesday March 19 2008, @12:52PM (#22797800) Homepage Journal
      Or are they doing all this for show, and there is no real substance in OOXML?

      The reason MS is bothering with ISO is because a few places have started to require that documents be stored in an ISO defined format.

      The problem is that having a true ISO defined format means that you open yourself up to competition, so MS wants to get their format defined as ISO certified without allowing any competition.

      • Re:Office 2007 (Score:5, Interesting)

        by TropicalCoder (898500) on Wednesday March 19 2008, @01:48PM (#22798418) Homepage Journal

        You'll remember Stéphane Rodriguez who gave us Microsoft Office XML formats? Defective by design [blogspot.com] back in August, 2007?

        Since then, in February, 2008 he produced The truth about Microsoft Office compatibility [blogspot.com] and Typical B.S. in technical articles about OOXML [blogspot.com] and now Bad surprise in Microsoft Office binary documents : interoperability remains impossible [blogspot.com] Thursday, March 13, 2008.

        These blogs are at the same level of depth as Rob Weir's latest blog, and demonstrate that Microsoft's policies as detailed below continue to this day.

        From OOXML is defective by design...

        "Mr Bill Gates in person sent in 1998 a memo to the Office product group (led by Steven Sinofsky at the time), memo undisclosed to the public thanks to the IOWA consumer case :"

        From: Bill Gates

        Sent: Saturday, December 5 1998

        To: Bob Muglia, Jon DeVann, Steven Sinofsky

        Subject : Office rendering

        One thing we have got to change in our strategy - allowing Office documents to be rendered very well by other peoples browsers is one of the most destructive things we could do to the company.

        We have to stop putting any effort into this and make sure that Office documents very well depends on PROPRIETARY IE capabilities.

        Anything else is suicide for our platform. This is a case where Office has to avoid doing something to destroy Windows.

        I would be glad to explain at a greater length.

        Likewise this love of DAV in Office/Exchange is a huge problem. I would also like to make sure people understand this as well.

        -----------


        Clearly the word is getting out about the problems in OOXML. Stéphane Rodriguez notes at the bottom of OOXML - Defective by design:

        Update : this article was Slashdotted on Sunday 26 of August.

        Update2 : this article is taking 300,000 hits a day, and is making it all around the world in all kinds of sites. My web host provider was so angry at the peak in traffic that he threatened to cut me off, so I had to redirect to a blog site such as Google's blogger to host the article.

        Update3 : wednesday august 29, added a new section on Document security

        Update4 : friday august 31, added more content to sections US English and Windows dates

        Update5 : sunday september 2, added a quick comparison between ODF and ECMA 376

    • Let's not look a gift horse in the mouth. If MSFT had corrected the flaws, they'd probably be able to crowbar their 'standard' through the relevant hoops.

      As it is, a true, open, unencumbered standard will instead prevail.

      • Re:Office 2007 (Score:5, Insightful)

        by peragrin (659227) on Wednesday March 19 2008, @01:26PM (#22798172)
        If MSFT fixed the flaws with OOXML then there wouldn't be a problem.

        it's not that OOXML is bad, it is that OOXML is broken and MSFT is trying to ram it through anyways. there is nothing there that can't be fixed. MSFT however doesn't want it fixed because OOXML 2010 is just around the corner and it won't be the same as OOXML 2007. Also OOXML 2010 becomes a defaco standard even though it isn't ISO certified since it is marketed as OOXML.

        this is how MSFT works if you don't know this then go back and look at the past 30 years of how MSFT treats it's customers, vendors, and slaves.

    • Re:Office 2007 (Score:5, Insightful)

      by Basilius (184226) on Wednesday March 19 2008, @12:56PM (#22797848)
      There are no existing implementations of the proposed OOXML standard, so whether Office 2007 has the same defects or not is sort of irrelevant. MSFT has stated that they will not be implementing the standard as proposed, but will be going a different direction. And, given the nature of parts of the standard, nobody BUT Microsoft can fully implement it.

      The mere fact that there ARE no implementations of OOXML, however, should be a giant, florescent, waving red flag. No standards body should adopt a standard that cannot and will not be implemented by the proposers.

    • Some of these are flaws in the specification. Like not explaining ranges or the description of a field being a URL, but the type any string. It comes down to the spec was written post hoc, and Office 2007 probably isn't run through a spec compliance test suite.

      The database connection flaw may not be in Office either, because Office may force System DSNs rather than real connection strings.
    • As far as I know even Office 2007 can't do OOXML well.

  • huh? (Score:5, Interesting)

    by trybywrench (584843) on Wednesday March 19 2008, @12:50PM (#22797764)
    This may be off topic but why exactly are there database connection strings in a document format?

    • Re:huh? (Score:5, Informative)

      by Shados (741919) on Wednesday March 19 2008, @12:57PM (#22797858)
      Because people actually do work with Office Suites, and they are an integral part of the workflow and ecosystem of significant companies IT.

      For example, a spreadsheet is often the favored client for an OLAP system, and complex spreadsheets will get reused a lot, so connection strings may be part of the overall "application" that the document has become.

      People like me and (probably) you tend to use documents as just that: documents. But in the big boy's world, they're far more important than that.

      • Re: (Score:3, Informative)

        by RobBebop (947356)

        But in the big boy's world, they're far more important than that.

        I acknowledge that hooking documents into databases to subvert them into workflow process template beasties is a common practice, but I think the simple question "Why are there database passwords in the document?" kind of highlights that this is a bad practice.

        If security is a concern, "Document Applications" are a mistake.

        This also violates the (good) Model/View/Controller [wikipedia.org] software architectural model by kludging the view and controller together in the same product. And - despite claims that it cuts

          • Re: (Score:3, Interesting)

            by RobBebop (947356)

            This also violates the (good) Model/View/Controller software architectural model by kludging the view and controller together in the same product.

            No, not really. Think a simple mailmerge with data from the database. There is no Controller, only a model (the DB) and the View (the document). You fetch the data from the database and mailmerge it.

            Yes, I have read that a compelling reason to stick to Microsoft Office is the ability to Mailmerge, which is fine. I have never gone through the hoops to perform a Mailmerge, so bare with me. My belief is that the whole purpose to send the date (in the database) through the document (which is the controller) to a printer (where it can be viewed). This simple/trivial application actually does separate Data/View/Controller.

            Saying there is no controller is like saying there is no spoon. Just because it

      • For example, a spreadsheet is often the favored client for an OLAP system, and complex spreadsheets will get reused a lot, so connection strings may be part of the overall "application" that the document has become.

        I guess so but i figured the document itself would name the data resources it needs and it would be up to the application to actually connect and retrieve the data. I wonder if the document itself can initiate a connection and execute a command. It basically does a "select" to pull data in, c

    • Re: (Score:3, Informative)

      by jfclavette (961511)
      They're there for data bindings to databases, which can be used for anything from mass mailing clients to generate a list of items with pricing.

      I'd be interested in what is the alternative to storing them in plaintext in the document format. See, the database is going to be wanting that password, and it must be stored somewhere in the document in a stand-alone way or remembered by the user. If you encrypt it, you need to provide the keys in the same document or use a constant well-known key across all ins
      • +1

        It is not a security flaw to store passwords in plain text - or at least, 'encrypting' them with some fixed algorithm gives no security benefit. At best it's security through obscurity.

        In fact, it's surprisingly sensible of Microsoft to recognize this, given the 'compressible encryption' and other non-security security nonsense they provide in other products.
      • I think you're missing something important. The document format should not store this information at all -- it's the job of the keyring password manager. The document may define an alias for the database connection string, but it shouldn't provide the actual connection details since that would be a security hole.

        Look at it from another angle. Imagine that I need to connect to the database using the connection string, a@mycompany.com:mypass. I send you the document, but you're on another network. You don't s
    • Just in case you need to pull data from database to calculate some data in your document (for example presentation which shows a list of current clients, not list of clients available at the moment of making this presentation).

  • enough is enough (Score:5, Interesting)

    by BroadbandBradley (237267) on Wednesday March 19 2008, @01:01PM (#22797900) Homepage
    how long will it take people to shrug off this death grip of MS and realize that it's costing billions in productivity? I received an XLS file of contacts yesterday and I figured I'd try using Outlook to import it into an address book so I could then sync to other things like Gmail. Outlook choked and recommended assigning values to the columns using another MS product - MS Excel. SO, I saved the file as CSV, and imported using Thunderbird which gave me an easy dialog to match up name,email, phone, website..and so on. Worked great! then I used thunderbird to open the second file and it remembered the previous adjustments and everything was already lined up! Awesome stuff and I wasn't prompted to buy any other products!

    I'm seriously considering wiping all the PC's in my office and advising the staff to just learn Ubuntu to avoid this whole MS deathgrip. None of the staff are advanced users except my web guy who codes in a text editor anyhow. FMS.

  • What's the point? Who is going to follow this? (Score:4, Insightful)

    by pembo13 (770295) on Wednesday March 19 2008, @01:05PM (#22797960) Homepage
    As I understand it, Microsoft isn't going to follow this standard. If Microsoft isn't going to follow this standard, then it is useless for OpenOffice, NeoOffice, KOffice, etc. to follow this standard. Or is this going to be for Office 2k10 or something?

    • Re:What's the point? Who is going to follow this? (Score:5, Insightful)

      by MLCT (1148749) on Wednesday March 19 2008, @02:04PM (#22798590)
      MS doesn't care about anyone following it (since even they themselves aren't going to). All they are doing it for is so they can claim that MS Office uses an open ISO standard, OOXML (even though it won't use the ISO passed standard) so that governments, businesses and buyers are not scared away from their products.

      As with everything MS does it is all about control and money. They have observed the fights that took/are taking place at various governmental and state levels over the mandatory use of an open standard - and they see that it is a threat to their monopoly, hence they have strategised to nullify the problem without giving up any of their control. The whole thing is a rate 10 sham. And if anyone ever wants to know why a lot of people don't trust MS then this is a perfect example of it - the process and the mockery they are making of it is frankly satirical.

      • Re:What's the point? Who is going to follow this? (Score:4, Interesting)

        by johannesg (664142) on Wednesday March 19 2008, @04:25PM (#22800270)
        You are absolutely spot on, and what's worse, we can also confidently predict the next step: governments and organisations will be falling over themselves to proclaim their support for OOXML, since it is "an ISO standard". Then they will happily sign their soul over to Microsoft because they have a product that implements this standard, while at the same time disallowing OpenOffice and other office packets because they are not fully compatible with MS Office.

        Then we will tell them that Microsoft is actually not implementing their own damn standard correctly, and we will be laughed away - after all, Microsoft *IS* the standard, so how could it be incorrect?

        And it will all be business as usual...

        The whole thing makes me intensely sad. By the way, we had some articles about the Dutch government requiring open formats a while ago. I professed severe scepticism at the time. Let me give you a little update on that one, then: as it is, the new desktops are required to support a very wide range of technologies that can ONLY be fullfilled by having MS Office on MS Windows. So although the government requires open standards, it also requires Active Directory, for example. And guess what they are buying? Yes, that's right: MS Office on MS Windows. But, we are told, in the next round (in 2011 or so), there will definitely be an opportunity for Linux "because in this round we are already ensuring compatibility".

        As I said, business as usual.

  • So he wants security through obscurity... (Score:3, Insightful)

    by Rakishi (759894) on Wednesday March 19 2008, @01:11PM (#22798018)

    Even so, he's found a number of new flaws, including a security vulnerability: OOXML stores passwords in database connection strings in plain text.
    And how will the format magically produce the plain text password again when the database asks for it... oh wait it can't unless it's easily recoverable in plain text form. It's also not like the "encryption" mechanism would be documented and it's not like someone would have to read that very documentation to know even where the password is stored... oh wait.

    Anyone who claims that it's more secure to obscure the password in a well known and trivially reversible way instead of simply storing it in plain text is not someone I trust to analyze security.
    • It adds complexity, which is generally bad for security, and makes the format harder to understand, which is also bad.

      The word that comes to mind is "dumbass".

      I do hope there is an option to have an "ask the user" password. (not stored in file)

  • Implement first, standardize later. (Score:3, Insightful)

    by colmore (56499) on Wednesday March 19 2008, @01:28PM (#22798196) Journal
    Did we learn nothing from the 80s and early 90s? If you write the standard first, you're going to get the kitchen sink. Engineer a good system, then standardize it. Nothing sands the sharp edges like the real world.

  • MSOOXML is not standard quality (Score:2, Insightful)

    by Anonymous Coward
    During the BRM is has been shown that MSOOXML is not up to the quality for an international standard.

    The only reason that this thing is considered in ISO is because Microsoft is being so bullish, trying to defend the monopoly.

  • Standards are not religons (Score:3, Insightful)

    by surfingmarmot (858550) on Wednesday March 19 2008, @01:42PM (#22798342)
    Yet a lot of people treat them that way like this Slash Dot commenter: "He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw." Just why is that rated a 5? It is NOT about belief, but more about science--either the facts and peer review support Mr. Weir or they don't. Apparently they do and in Spades. The majority of "yes" votes on this "standard" are by Microsoft partners who have a vested interest in a dingle vendor, single application (the only full implementation read and write) solution they sell products and services for and can lock in business. Sure IBM is a commercial organization with a checkered past, but they don't own completely open ODF so they aren't doing this for gain. they jsut want a level playing field for formats. And it is a great idea.
  • OOXML's Flaws Have Been Addressed

    "IBM's Rob Weir has done a study on how many flaws were addressed by the OOXML Ballot Resolution Meeting. So far, using a random sampling technique, he has yet to find a flaw [...] there were no mistakes on [...] the [...] pages he reviewed."

    There. Doesn't that sound better? :-)

  • OOXML approved by NIST (Score:3, Informative)

    by seandiggity (992657) on Wednesday March 19 2008, @03:00PM (#22799188) Homepage
    Even though none of the substantial problems have been addressed, NIST has approved OOXML [nist.gov].

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      A 100% ad hominem attack on Slashdot gets modded up unquestioned. Who would have thought?

      • Re: (Score:3, Informative)

        by misleb (129952)
        Man, I'm really getting sick and tired of people abusing the "ad hominem" charge. Ad hom refers specifically to an attack on ones character which is used to discredit an argument. Simply questioning a persons motives and biases is not necessarily an ad hominem attack. It is important to make any potential biases clear. Though in this particular case, I'm not seeing it.

        Also, attacks on ones character may not be considered "ad hominem" unless it is being use to refute an argument. This is probably the most co
        • Did the poster say something like, e.g.:

          "Rob Weir made the following mistakes in his methodology:
          a) ...
          b) ...
          c) ... ...
          "

          Nope. He based his 'argument' on his perception of Rob Weir.

            • Re:Um, this is a perfect example of "ad hominem".. (Score:4, Informative)

              by vtscott (1089271) on Wednesday March 19 2008, @02:07PM (#22798612)
              No, this is a perfect example of an ad hominem attack... This particular type of ad hominem is an ad hominem circumstantial [wikipedia.org]:

              Ad hominem circumstantial involves pointing out that someone is in circumstances such that he is disposed to take a particular position. Essentially, ad hominem circumstantial constitutes an attack on the bias of a person. The reason that this is fallacious in syllogistic logic is that pointing out that one's opponent is disposed to make a certain argument does not make the argument, from a logical point of view, any less credible; this overlaps with the genetic fallacy (an argument that a claim is incorrect due to its source).

              One example given by wikipedia is:

              Tobacco company representatives should not be believed when they say smoking doesn't seriously affect your health, because they're just defending their own multi-million-dollar financial interests.

              Just replace the relevant references with words like IBM, OOXML, etc. and it's basically the same.

        • You mean like the slur [nzoss.org.nz] made by a Microsoft employee against a Standards New Zealand representative?

          • Re: (Score:3, Informative)

            by holloway (46404)
            Hi ozbird, I'm not a Standards NZ representative. I am part of the NZ Open Source Society (NZOSS) and a techy on Docvert. I am part of the advisory group formed by Standards NZ for this process but like all others in the group I'm not paid and I'm basically an independent who gets invited to meetings every so often to debate OOXML, and stuff like that.
    • Sucks that you can't read the article and assess the level of the bias he displays for yourself.

    • Re:Small bias? (Score:5, Insightful)

      by cyxs (242710) on Wednesday March 19 2008, @01:05PM (#22797954)
      Everyone has a bias but if he gives you the information that he used to form his opinion about something then you can read what he says and what he did and form your own opinions. He is giving detailed examples of what he found. He isn't just say "Everything is fine" or "They have WMD", he is giving how he comes to his opinion and showing you the facts.

      Yes his company maybe bias in not wanting the format approved, but does that make what he says less true? The facts speak the truth.

        • Who else? (Score:5, Insightful)

          by Tony (765) on Wednesday March 19 2008, @05:32PM (#22801014) Homepage Journal
          Riiight. We should have one of the few people willing and able to examine the standard for flaws just not do it. That's an excellent idea.

          At what point has IBM been dishonest? Rob Weir is an employee of IBM. They have a distinct interest in making sure that whatever format is approved, they are able to implement it. Therefore, it is in their best interest to make sure it is a good standard. As they have determined that it isn't a good standard, what should they do? Not talk about it?

          The fact that his bias is out in the open is perfectly fine, as is the example you give from Peter Torr. That allows people to judge their statements, and account for possible bias.

          The problem with Weir recusing himself is this: nobody else seems to be doing this. Nobody else is standing up to a corrupted process, where the intended and stated results are sidelined for political expediency. If it takes one corrupt company to stand up to another corrupt company, then so be it. At least they are standing up to a corrupt company. (Yes, I'd prefer if neither were corrupt.)
    • Just because there's no love between MS and IBM as corporations doesn't mean that an IBM employee can't do an unbiased assessment. Also, it isn't like IBM is trying to compete directly with OOXML or something. So what's the basis for this suggestion of bias?

    • Re:Small bias? (Score:4, Insightful)

      by oGMo (379) on Wednesday March 19 2008, @01:19PM (#22798100)

      He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.

      So you won't verify anything, or even check, but rather you feel that the exact same thing from someone else would be more true. Essentially, despite the facts, you don't feel the truthiness is sufficient.

      By your logic, you may well be right, but you may also just be a shill for Microsoft. I'd be more inclined to believe someone else who didn't have a corporate interesting in picking data points to disparage the argument you'd like to make. Or maybe if you had an argument to make not based on a well-known informal fallacy.

    • Re: (Score:3, Insightful)

      by rhizome (115711)
      He might well be right, but I'd be more inclined to believe it from someone who doesn't have a corporate interest in picking data points to fit the line he would like to draw.

      Nobody is asking you to "believe" anything. Bias does not change facts, and it is a fallacy to suggest that he should be a perfectly impartial critic if he is to be taken seriously. If he makes observations of deficiencies in the format they are just as valid as if they were made by Bill Gates himself.
      • I find it unfortunate that so much of public debate today has degenerated into a knee-jerk contest. "Oh, that guy works for X company, so he cannot possibly have a good point." When did people decide that thoughtful analysis of articulate, well-composed arguments is unnecessary to reaching a good understanding? Who can better speak out for a product/idea/standard/whatever than those who are most passionate about its qualities (i.e. its developers, backers, etc)? Who can better point out its flaws than t

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.