Microsoft Security

Microsoft Apologizes To Rival

Posted by kdawson
from the it's-the-software-stupid dept.
Geoffrey.landis writes "Microsoft apologized to rival software vendor Corel Corp. for saying that Corel's file format posed a security risk, and issued a set of tools to unblock file types that had been blocked by default in the December Office 2003 service pack. In his blog on the Microsoft site, David Leblanc says 'We did a poor job of describing the default format changes.' He goes on to explain, 'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure — it's the code that reads the format that's more or less secure.' As noted by News.com, 'it is the parsing code that Office 2003 uses to open and save the file types that is less secure.' Larry Seltzer at pcmag.com also blogs the story."
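The distinction the summary draws (a format is not insecure, the code that reads it is) in working code. This is an added example, not code from the post, from Microsoft or Corel, or from any Office component; the record format, the byte samples and the names `parse_records`, `GOOD_FILE`, `OVERCLAIM_FILE` and `LONGNAME_FILE` are constructed for illustration. The reader below treats every length field in the file as an untrusted claim and checks it against the bytes actually present and the fixed-size destination before copying, which is exactly the work a "less secure" reader skips.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record format (an assumption for this example, not any real
 * Office or Corel format). A file is a sequence of records:
 *   [u8 name_len][name_len bytes of name][u16 LE payload_len][payload bytes]
 * The format itself carries no risk; a reader that trusts the two length
 * fields without checking them against the bytes actually present does. */

#define MAX_RECORDS 8
#define MAX_NAME    16

struct record {
    char           name[MAX_NAME + 1];
    size_t         payload_len;
    const uint8_t *payload;        /* points into the caller's input buffer */
};

/* Hardened reader. Every length field is checked against the remaining input
 * and against the fixed-size destination before any copy happens.
 * Returns the number of records parsed, or -1 if the input claims more bytes
 * than it contains or exceeds a fixed limit. */
int parse_records(const uint8_t *buf, size_t len, struct record *out, size_t max_out)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        if ((size_t)count >= max_out)
            return -1;                         /* more records than out[] can hold */

        size_t name_len = buf[pos++];
        if (name_len == 0 || name_len > MAX_NAME)
            return -1;                         /* would overrun name[] */
        if (name_len > len - pos)
            return -1;                         /* name claims bytes past end of input */
        memcpy(out[count].name, buf + pos, name_len);
        out[count].name[name_len] = '\0';
        pos += name_len;

        if (len - pos < 2)
            return -1;                         /* payload length field is truncated */
        size_t payload_len = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (payload_len > len - pos)
            return -1;                         /* payload claims bytes past end of input */
        out[count].payload_len = payload_len;
        out[count].payload     = buf + pos;
        pos += payload_len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured from any real file). */
const uint8_t GOOD_FILE[] = {
    3, 'd', 'o', 'c',       2, 0, 0xAA, 0xBB,   /* record "doc", 2-byte payload */
    4, 'd', 'r', 'a', 'w',  0, 0                /* record "draw", empty payload  */
};
const size_t GOOD_FILE_LEN = sizeof GOOD_FILE;

/* payload_len says 200 but only one byte follows: a reader that trusts the
 * field would read 199 bytes past the end of the buffer. */
const uint8_t OVERCLAIM_FILE[] = { 3, 'd', 'o', 'c', 200, 0, 0xAA };
const size_t OVERCLAIM_FILE_LEN = sizeof OVERCLAIM_FILE;

/* name_len says 40, larger than the 16-byte name[] a trusting reader would
 * memcpy into: the buffer overflow lives in the reader, not in the format. */
const uint8_t LONGNAME_FILE[] = { 40, 'x', 'x', 'x' };
const size_t LONGNAME_FILE_LEN = sizeof LONGNAME_FILE;

static void report(const char *label, const uint8_t *buf, size_t len)
{
    struct record recs[MAX_RECORDS];
    int n = parse_records(buf, len, recs, MAX_RECORDS);
    if (n < 0) {
        printf("%s: rejected (length fields do not match the bytes present)\n", label);
        return;
    }
    printf("%s: %d record(s)\n", label, n);
    for (int i = 0; i < n; i++)
        printf("  name=%s payload_len=%zu\n", recs[i].name, recs[i].payload_len);
}

int main(void)
{
    report("GOOD_FILE", GOOD_FILE, GOOD_FILE_LEN);
    report("OVERCLAIM_FILE", OVERCLAIM_FILE, OVERCLAIM_FILE_LEN);
    report("LONGNAME_FILE", LONGNAME_FILE, LONGNAME_FILE_LEN);
    return 0;
}
```

Both malformed inputs are perfectly valid byte sequences as far as the format's grammar goes; what makes them dangerous to a careless reader is only that their length fields promise bytes the file does not contain. Rejecting such files (rather than blocking the whole file type) is the fix the summary's "it's the code that reads the format" points at.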
  • Wait.... (Score:5, Funny)

    by nizo (81281) * on Monday January 07, 2008 @09:14PM (#21948942) Homepage Journal
    When I took a nap at lunch today, did I wake up in a parallel universe?
  • So boiled down, Microsoft is saying that their software is the problem? That Office has "less secure" ways of opening formats than they could have?
    • Re:Boiled down (Score:5, Insightful)

      by davester666 (731373) on Monday January 07, 2008 @09:27PM (#21949044) Journal
      Yes. Rather than fixing their implementation, they just made it more difficult for users to use their implementation.

      It just happens to be that some of their faulty implementations are for reading formats for competing products... You are not permitted to draw any inference from this fact.
      • Re: (Score:1, Insightful)

        by Anonymous Coward
        Microsoft has a certain amount of resources available to make parsers secure. Let's say they can make one file parser secure in one month. If they have 12 parsers to secure, how should they spend their resources?

        * Should they secure the most common ones (i.e. post-Word 6.0) first and issue an update with the common ones secure and leave the rest vulnerable for the rest of the year?

        * Should they secure all of them and issue an update all at once, leaving all users vulnerable all year?

        * Or should they secure
        • by bytesex (112972)
          "Remember, these parsers were written back when the worst a bad .DOC file would do is crash Word and /.'s complaints about Word mainly centered around bloat. If MS had spent time on hardening the parser, /. would have bitched about how Office was late, slow, and bloated. Nobody would know (or care) about the security."

          What is the worst that Word can do these days ? What's the worst it _should_ be able to do ?
    • Re:Boiled down (Score:5, Interesting)

      by joe_bruin (266648) on Monday January 07, 2008 @09:29PM (#21949056) Homepage Journal
      It boiled down to Microsoft, instead of fixing their bad file parsing code, disabled it so customers couldn't access their older files AND blamed Corel's file format. Notice that they are still not admitting that their code is bad or fixing it, they're just re-enabling their buggy code because customers complained that they couldn't open files.
      • if you know you aren't gonna fix it you may as well disable it by default.
        • Re: (Score:3, Funny)

          by Trolan (42526)
          If they keep this up, I can see their next OS: Microsoft Windows BoW (Block of Wood) Ultimate Edition!

          But a block of wood isn't completely safe. Someone could get hurt by it. So they'd have to release SP1 which adds padding.
          • by Fred_A (10934)

            If they keep this up, I can see their next OS: Microsoft Windows BoW (Block of Wood) Ultimate Edition!
            I'm already working on t3rm1t3Z, a virus designed to attack BoW, based on an early beta. It's going to make a killing. Lolz !

      • by BeanThere (28381)
        They've just sent a message to all their customers etc. that they can and will disable support for all those other programs people are using anytime (and even suggesting that "special tools" [sic] should be required to use those formats gives one a definite feeling that the other products you're using are on shaky ground), so customers will basically give in and realise they are better off just accepting that they should get onto the latest Microsoft products. They're basically saying "we're the *standard*"
    • Re:Boiled down (Score:4, Insightful)

      by Smidge204 (605297) on Monday January 07, 2008 @10:19PM (#21949300) Journal
      Read it carefully for the doublethink!

      "A file format isn't insecure -- it's the code that reads the format that's more or less secure."

      Read it again if you didn't catch it.
      =Smidge=
  • This is like a newspaper reporting someone is guilty of a crime on the front page, then a year later a retraction is printed on page 57 when he's found innocent of any wrongdoing.

    It took MS 4 years to apologize?
    • Re:Business as usual (Score:5, Informative)

      by mr_mischief (456295) on Monday January 07, 2008 @09:29PM (#21949060) Journal
      Nah. Just 4 months.

      The blocking of the file formats was from September's Office 2003 Service Pack 3 update. The KB article was probably issued the same time, but it was edited yesterday (and the MSKB doesn't show the original date, just the last review date and the number of times edited).

      The apology was yesterday.

  • by krray (605395)
    File formats that ARE insecure ... the ones that come to mind are .EXE, .COM, .SCR, .PIF, .CHM, .DLL, .VB* ... the list is long.
    Oh, wait ... with Microsoft's logic these aren't insecure. It's the program (Windows) that uses them. I would agree.
    Fortunately my various flavors of un*x boxes don't understand what to do with these...

    I would love to read the letter Microsoft's legal department got over the December update.

    Too bad that won't be made public.
    • Re: (Score:3, Informative)

      by _merlin (160982)
      Well it's true of the formats - .EXE is no more or less secure than an ELF binary, .COM is no more or less secure than a.out format, .CHM is no more or less secure than a tarball, .DLL is no more or less secure than ELF .so, .VBS is no more or less secure than a Perl script. The issue is whether the environment they run in is secure or not. You could argue that the execution environment that an ELF binary runs in under Solaris is more secure than the environment that a .EXE runs in under Windows, but a ma
    • You missed my personal favorite: Windows Metafile [wikipedia.org]

      Terrible engineering, that.

    • by rant64 (1148751)
      Of course, it's not just the parser. It's the content as well, or, more specifically, parsing malicious content without properly sanitizing. In that respect, if you make any file executable, does your un*x box sanitize malicious code it executes?

      Do you read and interpret the source code of everything you download?

      The only difference here is that Windows operating systems have a number of file formats that will execute by default, which, to be honest, make them a little easier to use. Meanwhile, keep on w
  • by defile (1059) on Monday January 07, 2008 @09:22PM (#21949006) Homepage Journal

    Why would Microsoft enable a competitor, and, more ludicrously, apologize if there was no reason to? What's in this for Microsoft? Did Corel pay them a fee? Agree to cede a market? Threaten them with some kind of slam-dunk legal action that Microsoft was on the losing side of? We will probably never know.

    • by flyingfsck (986395) on Monday January 07, 2008 @09:43PM (#21949118)
      Corel and Novel both have long histories of suing Microsoft successfully to the tune of hundreds of millions of dollars (about 2 billion between the two of them). Clearly, MS was afraid of getting sued yet again.
    • If you tell lies that hurt someone's business you can appear in court which would cause all kinds of mess (particularly if intertwined with the anti-trust rulings).

      Likely the apology was a condition of some out of court agreement.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Why would Microsoft enable a competitor, and, more ludicrously, apologize if there was no reason to? What's in this for Microsoft? Did Corel pay them a fee? Agree to cede a market? Threaten them with some kind of slam-dunk legal action that Microsoft was on the losing side of? We will probably never know.

      I strongly suspect it has to do with the attempt by Microsoft to get OOXML accepted as a standard.

      The strongest feature of ODF is that it is completely open, fully specified, no trade secrets, able to be imp

    • You can start with this:

      http://www.forbes.com/2000/10/03/1003corel.html [forbes.com]

      Oh, here's a quote:
      "For starters, what becomes of Corel's Linux plans? Corel has poured considerable resources into its Corel Linux operating system and porting its business and graphics applications to Linux. The company has positioned its Linux efforts as the linchpin of its comeback strategy, but there was no mention of Linux on the conference call Monday."

      Perhaps a type of non-disparagement agreement, that if MS betrays, Corel Linux
    • No reason to? Are you nuts? They deliberately slandered Corel in a childish, disrespectful manner. Taken with their monopoly status, that also constitutes (to my eyes at least) an abuse of power --- big surprise there.

      Anyway, I'm waiting for the real apology, which should go more like: "Dear computer world. We suck. Sorry, we'll go now, and you'll all be better off for it." (And no, that's not childish or disrespectful; it's humor, justified by the company's past).
  • oh gee, so sorry

    we just didn't realize

    we hope we didn't damage your business, we hate it when we do that to our competitors

    we're soooooo sorry

    hehehehehehhehehehe
  • ...barring the legal profession, does anyone use WordPerfect anymore?
    • Not many people use WP, but I use both and WP is still better than MS Word.
      • Agreed. I use WP9 (I hate what they did to WP12; it's too MS Word-like) and it does things I still haven't seen Word 2003 do (and that I doubt Word 2007 has added, either). That, and their file format, their professional tools (such as Table of Contents), and their editing tools (the best being Reveal Codes) are far superior to anything I've ever seen out of Office.
    • Re: (Score:3, Informative)

      by RuBLed (995686)
      It seems that the extension in question was the .cdr extension used by Corel Draw.

      But it was Corel that publicly squawked when it realized Microsoft had blocked its .cdr file format -- still used by its CorelDraw graphics application -- in last September's Office 2003 Service Pack 3 update.

      If you ask me, Corel Draw is one good drawing tool, a good partner for Adobe Photoshop. (I'm not a pro at these tools, I just stumble upon them when I rarely need it...)

  • we're sorry... (Score:5, Insightful)

    by nguy (1207026) on Monday January 07, 2008 @09:27PM (#21949042)
    That's like saying to a corpse, "Oh, I'm so sorry I killed you; I hope you won't feel too bad about it."
    • Darwin Tremor [imdb.com]: [manipulating Dupree's mouth so Jack seems to be speaking to him] Oh hell yeah, we was just at the wrong place at the wrong time, so don't feel so bad, chief.
    • You remember the time you were going down into the fire, and I said 'Goodbye' and you were like 'No way', and I was like 'We were only pretending to murder you'?

      That was great.
  • by SolusSD (680489) on Monday January 07, 2008 @09:33PM (#21949078) Homepage
    Microsoft said something that didn't make me upset. hmm. in fact, it was the right thing to do! (i'm scared)
  • Microsoft apologized?!

    Wait... uhmm...

    So ... confused ...

    *** BAM! ***


    But seriously, does anyone really think this was an accident or expect this to be any better than it was before?

    • by corsec67 (627446) on Monday January 07, 2008 @10:01PM (#21949214) Homepage Journal
      At this point it doesn't matter if they apologized, the damage is done: opening older Corel documents in Office 2003 is a PITA. Apologizing just gains points with the CTO type people, so there really isn't a downside. Too bad it doesn't dawn on them that before MS was letting them use a "less-secure" method of opening files....
    • by mqduck (232646)
      I suspect it's simply that Corel's lawyers sent MS a friendly letter threatening a lawsuit for the claim, and MS realized that 1) it's not worth fighting over, and 2) they would look like idiots if they tried to defend their statement, and they don't need that right now. Further, I doubt they framed it as an "apology". That's Slashdot's doing. More likely they just quietly issued a little statement saying they erred in a previous claim.
  • by NullProg (70833) on Monday January 07, 2008 @09:54PM (#21949174) Homepage Journal
    'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure -- it's the code that reads the format that's more or less secure.'

    Admitting FUD is uncharacteristic of Microsoft. Speaking the plain truth means Hell just froze over.

    I'm at a loss for words....

    Enjoy,
    • We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure -- it's the code that reads the format that's more or less secure.

      That quote just makes me want to ask, "And whose 'code' is that....? Whose code is insecure...?" Come on, just say it! It's not 'the code' that's insecure, it's 'your code'.

  • by Anonymous Coward
    Apologize to Google for calling their Checkout system insecure.
  • by coaxial (28297)
    Corel still exists? Wow. Who knew?
  • Whoa! I'm going to put all my passwords and bank account numbers online in the clear in a single plain ASCII text file from now on. Who needs encryption? Take that crackers! You thought you could steal my stuff, eh? Just you download that file from my blog and weep, bitches!
    • by WK2 (1072560)
      The ASCII file format is not insecure. However, the behavior you suggest is dangerous.
      • The ASCII file format is not insecure. However, the behavior you suggest is dangerous.

        The crucial question you're not asking is what is the intended use of the file format. Every file format is intended to be used for something, and once it is stated what that use is, one can ask if the format is secure for its intended purpose.

        In my example, the intended purpose makes the format insecure. If I had used plain ASCII to list a bunch of recipes I found online, the format wouldn't be insecure if my purp

        • ...that's funny, because Microsoft's argument was more along the lines that Office would be more secure if only those files couldn't be opened.

          And yet for some odd reason NeoOffice on my Mac can open them just fine with no adverse reaction.

          /P

        • If we go ahead and assume that "ASCII file format" means a file containing only the printable ASCII characters, then that's pretty open ended. You can store encrypted data in it just fine by encoding that data as "plain text" (e.g. gpg --armor). The same as how binary files can be sent over SMTP, which traditionally only supports 7-bit ASCII. Or you could come up with your own "cypher", known only to you, so an attacker reading the file would see "mybank.com password: foozball" but you'd know that it's a li

          • If we go ahead and assume that "ASCII file format" means a file containing only the printable ASCII characters, then that's pretty open ended.

            Exactly, that's why I think that _format_ is insecure. It allows entirely unsecured content for any purpose if one so chooses (eg my example).

            I use "format" in the sense that there exists a specification which imposes constraints on both the form and the content (ie BNF for the form, and semantic rules for what goes where). I assume you would agree? If I

          • So, your use of unencrypted, easily-readable passwords is what is insecure, and has nothing to do with the use of an "ASCII format file".

            True, but this completely ignores the point of his post: file formats can be insecure, depending upon the metric used to evaluate said security. In MS's case, the format parser is broken. In his example, using a file format sans encryption (or with vulnerable encryption [slashdot.org]) is also insecure:

            Imagine a file format that specifies encrypting with a Caesar cipher, or checksummin

    • Re: (Score:3, Insightful)

      by MrNaz (730548)
      Yes, the file format wouldn't be insecure. Your handling of it would be.
      • If the file format is *intended* to keep my information safe from others, then I think if it easily fails that task, it must be called insecure by definition.

        If I specified the format to be freeform text, encrypted with a suitably hidden, suitably complex one time pad, then the resulting file format would have to be called secure, no?

        • by fmobus (831767)

          no. Not by itself, at least. You would still need a whole process to securely transport/exchange the keys/one time pad to make it both secure AND useful.

          I also believe that's not the point of the "insecure" attribution either: they are likely talking about nasty stuff like buffer overflow, arbitrary execution, privilege escalation, as opposed to the security/privacy of data itself.

          • I also believe that's not the point of the "insecure" attribution either: they are likely talking about nasty stuff like buffer overflow, arbitrary execution, privilege escalation, as opposed to the security/privacy of data itself.

            Actually, you might well be right about that. For example, the binary Word format is well known(*) to be pretty close to a serialized memory dump of the Word program's internal object tree.

            (*) in case you're trying to reverse engineer the format based on public

          • You would still need a whole process to securely transport/exchange the keys/one time pad to make it both secure AND useful.

            You're changing the argument. The OP never included useful as a metric for evaluation. ;)

  • They must have meant Mike Rosoff.
  • n/t
  • by Locklin (1074657) on Monday January 07, 2008 @10:59PM (#21949540) Homepage
    See! we apologized! Now leave us alone!
  • Kill, then apologize.

    I wonder if Corel can sue Microsoft for this?
  • Amazing. (Score:5, Insightful)

    by Scottoest (1081663) <scott@@@bampage...com> on Monday January 07, 2008 @11:29PM (#21949678) Homepage
    I remember the /. posting about this topic last week, where everyone rightfully corrected them about file formats not inherently being insecure. There was the usual geejawing about "M$" being brutal thugs, and idiots, etc. etc. etc. Y'know, par for the course on this website.

    However, the most entertaining posts on this website, are in cases where Microsoft admits error, or does something "good". We then get to see these same people do logical contortionist routines about how they must have been threatened legally, or baseless conjecturing about what must have been in it for them.

    A lot of people here talk a lot about how Microsoft should listen more to the "geek" community. Places like this remind me of precisely why they don't bother.

    Slashdot is generally pretty great for my daily fill of tech news. But man oh man, when it comes to Microsoft, any front of being unbiased is quickly cast off.

    "kdawson" is probably the worst of the bunch, too.

    - Scott
    • I remember the /. posting about this topic last week, where everyone rightfully corrected them about file formats not inherently being insecure.

      Some of us are still arguing that file formats can be insecure [slashdot.org].

      It may also surprise you that Slashdot is a community composed of individual people. At any given time, a subset of these people have a particular opinion, a further subset feel the need to post, and a separate subset (mutually exclusive with the former subset) feel the need to moderate what other peop

    • by Phroggy (441)

      Slashdot is generally pretty great for my daily fill of tech news. But man oh man, when it comes to Microsoft, any front of being unbiased is quickly cast off.
      You must be new here. There's never been any such front.
  • Mea Culpa (Score:1, Troll)

    by MrCopilot (871878)
    I would like to take this opportunity to apologize to Microsoft, I was under the assumption that they were staffed by uninformed and relentless monopolists. I therefore vowed not to use, recommend, install, or otherwise service their products.

    Now I can see, my assumption was wrong.

    By default, these file types are blocked because the parsing code that Office 2003 uses to open and save the file types is less secure. Therefore, opening and saving these file types may pose a risk to you.

    It's actually st

  • After a decade of trying to fix the insecure code used to read these file formats, Microsoft has finally hit on a workable solution: "Let's just disable it. Nobody needs it, right?" Right. I plugged those holes myself years ago - by turning to GNU/Linux and OO.org.
  • So they were wrong about one thing in 3 decades. Big deal.
  • All seven members of the human race who use Office to open Corel fucking Draw files are partying hard tonight.
  • It's about time.... (Score:2, Interesting)

    by Rival (14861)
    [After reading just the story title] It's about time! They laid me off back in '99 five minutes after we RTM'd Win2k, and they're only just now getting around to apologizing? Well, better late than never, I suppose.

    [After reading TFA] It is refreshing to see such a direct and honest explanation and rationale [msdn.com]. Even if it isn't exactly front page news, it's much better than the typical PR-filtered triple-speak that tends to get the press. A good reminder that the developers != the company.

    Thanks, David.
  • We're apologizing... (Score:5, Informative)

    by Chris Mattern (191822) on Tuesday January 08, 2008 @02:07AM (#21950432)
    ...but we're going to continue to block your file formats by default on our systems. Those who want to use your file formats will need to go through the MicroSoft KB and find our designated fix for it, but we'll try to make that easier to use. Have a nice day!

    Chris Mattern
  • Microsoft also announced a new head of sales and marketing for Office. Little is known of this new hire... however, people believe his name to be Davrus or Debross, something like that. We'll let you know after the press conference. The new president wants to make sure everyone attends. Supposedly the name of the Corel plugin engine will be Lorec... a natural evolution of the original plugin.
  • Heh (Score:5, Funny)

    by hyfe (641811) on Tuesday January 08, 2008 @03:11AM (#21950742)

    'A file format isn't insecure -- it's the code that reads the format that's more or less secure.'
    Secret Passwords.txt

    My father has that in his My Documents-folder. It contains secret passwords.

    • Assuming that's plain text file: note that this is not an argument showing plain-text is an insecure format: it just means that it is being misused. You can misuse anything.
  • Next up (Score:5, Funny)

    by Plutonite (999141) on Tuesday January 08, 2008 @03:35AM (#21950836)
    Chuck Norris gets beaten up by the leave-britney-alone kid, and Bruce Schneier gets r00ted.... by Martha Stewart! Social engineering.

    Because in Soviet Redmond, the chairs fear YOU!

    Seriously, MS has apologized. To a competitor. On a technical subject. Holy friggin WOW. Since god now obviously exists, here's what I'm going to be praying for over the course of the next few years:

    -Physics grant gets awarded to grad student who does not have lips wrapped tightly around String Theory schlong

    -Dell admits that their computer cases are uglier than your face.

    -Apple fanbois shut up. For good. (and I'm typing this on a macbook pro)

    -America elects a Good president.

    -Myspace creators realize the magnitude of their crime against human civilization and turn themselves in to local authorities.

    -I stop wasting my time on slashdot.
  • Notice the wording (Score:5, Insightful)

    by Svenne (117693) on Tuesday January 08, 2008 @03:38AM (#21950846) Homepage
    When he's talking about Corel's file format it's ok to say "insecure," but when it comes to MS Office it's suddenly called "less secure." Wouldn't want to give the wrong impression now, would we?
