Microsoft Security

Microsoft Apologizes To Rival 151

Geoffrey.landis writes "Microsoft apologized to rival software vendor Corel Corp. for saying that Corel's file format posed a security risk, and issued a set of tools to unblock file types that had been blocked by default in the December Office 2003 service pack. In his blog on the Microsoft site, David Leblanc says 'We did a poor job of describing the default format changes.' He goes on to explain, 'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure — it's the code that reads the format that's more or less secure.' As noted by News.com, 'it is the parsing code that Office 2003 uses to open and save the file types that is less secure.' Larry Seltzer at pcmag.com also blogs the story."
This discussion has been archived. No new comments can be posted.

  • by krray ( 605395 ) on Monday January 07, 2008 @09:20PM (#21948994)
    File formats that ARE insecure ... the ones that come to mind are .EXE, .COM, .SCR, .PIF, .CHM, .DLL, .VB* ... the list is long.
    Oh, wait ... with Microsoft's logic these aren't insecure. It's the program (Windows) that uses them. I would agree.
    Fortunately my various flavors of un*x boxes don't understand what to do with these...

    I would love to read the letter Microsoft's legal department got over the December update.

    Too bad that won't be made public.

  • we're sorry... (Score:5, Insightful)

    by nguy ( 1207026 ) on Monday January 07, 2008 @09:27PM (#21949042)
    That's like saying to a corpse, "Oh, I'm so sorry I killed you; I hope you won't feel too bad about it."
  • Re:Boiled down (Score:5, Insightful)

    by davester666 ( 731373 ) on Monday January 07, 2008 @09:27PM (#21949044) Journal
    Yes. Rather than fixing their implementation, they just made it more difficult for users to use their implementation.

    It just happens to be that some of their faulty implementations are for reading formats for competing products... You are not permitted to draw any inference from this fact.
  • by flyingfsck ( 986395 ) on Monday January 07, 2008 @09:43PM (#21949118)
    Corel and Novell both have long histories of suing Microsoft successfully to the tune of hundreds of millions of dollars (about 2 billion between the two of them). Clearly, MS was afraid of getting sued yet again.
  • by corsec67 ( 627446 ) on Monday January 07, 2008 @10:01PM (#21949214) Homepage Journal
    At this point it doesn't matter if they apologized, the damage is done: opening older Corel documents in Office 2003 is a PITA. Apologizing just gains points with the CTO type people, so there really isn't a downside. Too bad it doesn't dawn on them that before MS was letting them use a "less-secure" method of opening files....
  • Re:Boiled down (Score:4, Insightful)

    by Smidge204 ( 605297 ) on Monday January 07, 2008 @10:19PM (#21949300) Journal
    Read it carefully for the doublethink!

    "A file format isn't insecure -- it's the code that reads the format that's more or less secure."

    Read it again if you didn't catch it.
    =Smidge=
  • by WED Fan ( 911325 ) <akahige@tras[ ]il.net ['hma' in gap]> on Monday January 07, 2008 @10:22PM (#21949322) Homepage Journal

    Hope you didn't lose any sales.

    Uh, sparky, the assumption that Corel has anything of value to market and sell is a bit of a stretch. They have so mismanaged the brand that it is almost criminal what they did to their office products.

    I was a big time WordPerfect user. I tried to stick around through their sale to Novell and lack of effort from them. Later, sold to Corel, the company sat on it and did nothing, allowing Microsoft Word to overtake it and take over Office Suite dominance. This is what turned MS into the big monster it is now.

    Corel should be apologizing to the world.

    They took a great product and took a dump on it. This would be like DC turning the Superman franchise over to Alexander Salkind...oh, wait, they did.

  • by MrNaz ( 730548 ) on Monday January 07, 2008 @10:58PM (#21949532) Homepage
    Yes, the file format wouldn't be insecure. Your handling of it would be.
  • Amazing. (Score:5, Insightful)

    by Scottoest ( 1081663 ) <scott AT bampage DOT com> on Monday January 07, 2008 @11:29PM (#21949678) Homepage
    I remember the /. posting about this topic last week, where everyone rightfully corrected them about file formats not inherently being insecure. There was the usual geejawing about "M$" being brutal thugs, and idiots, etc. etc. etc. Y'know, par for the course on this website.

    However, the most entertaining posts on this website are in cases where Microsoft admits error, or does something "good". We then get to see these same people do logical contortionist routines about how they must have been threatened legally, or baseless conjecturing about what must have been in it for them.

    A lot of people here talk a lot about how Microsoft should listen more to the "geek" community. Places like this remind me of precisely why they don't bother.

    Slashdot is generally pretty great for my daily fill of tech news. But man oh man, when it comes to Microsoft, any front of being unbiased is quickly cast off.

    "kdawson" is probably the worst of the bunch, too.

    - Scott
  • by Anonymous Coward on Monday January 07, 2008 @11:57PM (#21949844)

    Why would Microsoft enable a competitor, and, more ludicrously, apologize if there was no reason to? What's in this for Microsoft? Did Corel pay them a fee? Agree to cede a market? Threaten them with some kind of slam-dunk legal action that Microsoft was on the losing side of? We will probably never know.


    I strongly suspect it has to do with the attempt by Microsoft to get OOXML accepted as a standard.

    The strongest feature of ODF is that it is completely open, fully specified, no trade secrets, able to be implemented by any party. It is therefore arguably "future proof" ... it should always be possible in the future to open ODF format documents that are being created today.

    OOXML has come under HEAVY criticism for not providing the same capability ... in fact most Microsoft formats historically are the antithesis of this capability ... you have to update your software periodically and later versions have trouble opening files written by earlier versions.

    http://en.wikipedia.org/wiki/Office_Open_XML#Technical_criticisms [wikipedia.org]

    Microsoft just provided yet another excellent example of lack of "future proofing" in their formats. Now you cannot open files that you used to be able to open.

    This incident is not at all a "good look" for Microsoft to have just as their OOXML format is coming up again for consideration as an ISO standard.
  • Re:Boiled down (Score:1, Insightful)

    by Anonymous Coward on Tuesday January 08, 2008 @02:04AM (#21950416)
    Microsoft has a certain amount of resources available to make parsers secure. Let's say they can make one file parser secure in one month. If they have 12 parsers to secure, how should they spend their resources?

    * Should they secure the most common ones (i.e. post-Word 6.0) first and issue an update with the common ones secure and leave the rest vulnerable for the rest of the year?

    * Should they secure all of them and issue an update all at once, leaving all users vulnerable all year?

    * Or should they secure the most common ones first, issue an update that secures the common ones and disables the uncommon ones, then at the end of the year issue an update that secures and re-enables the uncommon ones?

    I'm pretty sure that Theo de Raadt would immediately audit the code everybody depends on, then disable the rest until an audit is complete. Of course everybody on /. drools over themselves talking about how secure OpenBSD is when he does something like that. When Microsoft does it, they're just incompetent.

    Remember, these parsers were written back when the worst a bad .DOC file would do is crash Word and /.'s complaints about Word mainly centered around bloat. If MS had spent time on hardening the parser, /. would have bitched about how Office was late, slow, and bloated. Nobody would know (or care) about the security.

    And don't think every other program out there doesn't have similar bugs. I have no doubt you could effectively attack Lotus 1-2-3 too, but nobody does because it's easier to write an exploit than it is to find a Lotus user. Unix programs are notoriously [64.233.169.104] bad [64.233.169.104] in this regard also.

    dom
  • Re:Wait.... (Score:5, Insightful)

    by Chris Mattern ( 191822 ) on Tuesday January 08, 2008 @02:12AM (#21950460)
    Nothing parallel about this. Microsoft isn't going to stop blocking the competition's file formats by default, so you'll still need to edit your registry to be able to use them. They'll see about doing something to make it easier...Real Soon Now. Meanwhile, have this absolutely worthless apology! Nothing unusual about this...Microsoft has always been willing to talk sweet when it needs to calm things down a bit. Actually fixing the problem, particularly when the problem has been carefully orchestrated to kick the competition in the crotch? Not so much.

    Chris Mattern
  • Notice the wording (Score:5, Insightful)

    by Svenne ( 117693 ) on Tuesday January 08, 2008 @03:38AM (#21950846) Homepage
    When he's talking about Corel's file format it's ok to say "insecure," but when it comes to MS Office it's suddenly called "less secure." Wouldn't want to give the wrong impression now, would we?
