Microsoft Apologizes To Rival

kdawson posted more than 6 years ago | from the it's-the-software-stupid dept.

Microsoft 151

Geoffrey.landis writes "Microsoft apologized to rival software vendor Corel Corp. for saying that Corel's file format posed a security risk, and issued a set of tools to unblock file types that had been blocked by default in the December Office 2003 service pack. In his blog on the Microsoft site, David Leblanc says 'We did a poor job of describing the default format changes.' He goes on to explain, 'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure — it's the code that reads the format that's more or less secure.' As noted by News.com, 'it is the parsing code that Office 2003 uses to open and save the file types that is less secure.' Larry Seltzer at pcmag.com also blogs the story."


151 comments


Wait.... (4, Funny)

nizo (81281) | more than 6 years ago | (#21948942)

When I took a nap at lunch today, did I wake up in a parallel universe?

Re:Wait.... (4, Funny)

Atario (673917) | more than 6 years ago | (#21948978)

Yes! Here, rain falls up, and hamburgers eat people!

It's a little like your Soviet Union or Bizarro Universe.

Re:Wait.... (2, Funny)

youthoftoday (975074) | more than 6 years ago | (#21949012)

Hamburgers eat people?

You must have woken up in Soviet Russia!

Re:Wait.... (0)

Anonymous Coward | more than 6 years ago | (#21949328)

Isn't that what he said? Reading comprehension 4tw.

Re:Wait.... (3, Funny)

Kyokushi (1164377) | more than 6 years ago | (#21950466)

Conclusion: In Soviet Russia, Microsoft apologizes to YOU!

Re:Wait.... (1)

badran (973386) | more than 6 years ago | (#21950490)

In Soviet Russia, YOU eat the Hamburgers..

Re:Wait.... (1)

Nahooda (906991) | more than 6 years ago | (#21950930)

No, he probably woke up in Hamburg... ;-P

Re:Wait.... (2, Funny)

$0.02 (618911) | more than 6 years ago | (#21949486)

And where Kucinich wins elections.

Re:Wait.... (4, Funny)

GroeFaZ (850443) | more than 6 years ago | (#21949150)

Depends. Is everyone around you wearing goatees?

Re:Wait.... (4, Funny)

arotenbe (1203922) | more than 6 years ago | (#21949308)

> Is everyone around you wearing goatees?

No. Goatses.

Re:Wait.... (1, Funny)

Midnight Thunder (17205) | more than 6 years ago | (#21950086)

> Depends. Is everyone around you wearing goatees?

Why did I read that as:

    "Depends. Is everyone around you wearing goatsies"?

Heck, that site has scarred me for life.

Breaking news (4, Funny)

EmbeddedJanitor (597831) | more than 6 years ago | (#21949294)

David Leblanc admitted to hospital with chair-induced head injuries.

Re:Wait.... (3, Funny)

Power_Pentode (1123285) | more than 6 years ago | (#21949352)

> When I took a nap at lunch today, did I wake up in a parallel universe?

No kidding! This is, like, the first sign of the apocalypse. What's next, a trailer featuring real in-game action from Duke Nukem Forever?

Re:Wait.... (1)

Tolkien (664315) | more than 6 years ago | (#21950772)

You know, when you listen closely enough on a clear moonlit night, you can still hear Duke say "I wanna kick ass and chew bubble gum, and I'm all outta gum." Followed by hordes of aliens firing missiles over the horizon, gurgling "Suck it down."
Unfortunately, there have yet to be sightings of suicidal tentacled strippers. :(

Re:Wait....for the red pill. (1)

neo (4625) | more than 6 years ago | (#21949358)

Yes... everything you know is a lie. There is a world behind this one. One in which Microsoft is not evil.

Re:Wait.... (-1, Troll)

davidsyes (765062) | more than 6 years ago | (#21949430)

nO, yOU wOKE uP iN aN aMOEBA iN aN aMOEBIUS sTRIP-sHAPED, uNPARALLEL uNIwERSE.

Re:Wait.... (1)

rat10177sd (963462) | more than 6 years ago | (#21950198)

This just in, the largest order ever for pairs of ice skates (~350,000,000,000) was received by Acme(TM) Industries from Hell.
Here's our Financial Reporter with details
>
>
>
You moved your mouse. Please restart Windows for changes to take effect.

Re:Wait.... (4, Insightful)

Chris Mattern (191822) | more than 6 years ago | (#21950460)

Nothing parallel about this. Microsoft isn't going to stop blocking the competition's file formats by default, so you'll still need to edit your registry to be able to use them. They'll see about doing something to make it easier...Real Soon Now. Meanwhile, have this absolutely worthless apology! Nothing unusual about this...Microsoft has always been willing to talk sweet when it needs to calm things down a bit. Actually fixing the problem, particularly when the problem has been carefully orchestrated to kick the competition in the crotch? Not so much.

Chris Mattern

Re:Wait.... (2, Interesting)

random0xff (1062770) | more than 6 years ago | (#21951082)

No:

> A file format (with some exceptions, like .hlp files) isn't insecure - it's the code that reads the format that's more or less secure.

See how he switched from using the word 'insecure' in association with file formats, how he uses the terms 'more or less secure' for describing the code they wrote.

Oops, sorry (0)

Anonymous Coward | more than 6 years ago | (#21948974)

Hope you didn't lose any sales.

Heheh.

Re:Oops, sorry (1)

Jeremiah Cornelius (137) | more than 6 years ago | (#21949080)

Umm?

Boo-hoo.

Nothing Worth Selling (5, Insightful)

WED Fan (911325) | more than 6 years ago | (#21949322)

> Hope you didn't lose any sales.

Uh, sparky, the assumption that Corel has anything of value to market and sell is a bit of a stretch. They have so mismanaged the brand that it is almost criminal what they did to their office products.

I was a big time WordPerfect user. I tried to stick around through their sale to Novell and lack of effort from them. Later, sold to Corel, the company sat on it and did nothing allowing Microsoft Word to overtake it and take over Office Suite dominance. This is what turned MS into the big monster it is now.

Corel should be apologizing to the world.

They took a great product and took a dump on it. This would be like DC turning the Superman franchise over to Alexander Salkind...oh, wait, they did.

Re:Nothing Worth Selling (2, Interesting)

pimpimpim (811140) | more than 6 years ago | (#21949888)

I guess they realized it would be a lost cause fighting against Microsoft Office, throwing away developer time. Then again, if they would have endured and realized back then that the eternal reign of MS Office could be overthrown, they might be growing by now, at a time where switching from office** to office 2007 is just as hard as switching to another suite, and with a current public and political outcry for open document formats.

The first thing I used after WordPerfect 5.1 was Lotus WordPro, since it came with my Aptiva pentium 100 "multimedia" pc. This was actually a pretty good program, it had a LaTeX-like equation editor, and came with a nicer selection of fonts than the default MSoffice. I just checked and it appears that IBM changed the whole SmartSuite to something called "symphony" now, made it free of charge and able to work with ODF.

IBM may be on to something here, the lack of backward compatibility in MSOffice plus the high costs of obligatory contract renewals will make more and more people (better: the companies that employ these people) realize the problems MS gets them in, and look for alternatives. All these dirty tricks might end up to be MS nailing its own coffin: as soon as companies switch to another browser, to another office suite, why should they be dependent on MS at all?

Re:Nothing Worth Selling (2, Interesting)

gaspyy (514539) | more than 6 years ago | (#21950706)

Unfortunately it's not just their office.

Corel's flagship is CorelDraw, which is actually a very capable illustration software.
Corel Draw and Corel Photo-Paint used to be on par and sometimes above competitors' products (Adobe Illustrator, Macromedia Freehand; Photo-Paint was at least as capable as Photoshop in 2000).

They stopped innovating. The last Corel Draw suite was released in 2005 (they issued 2 service packs). Photo-Paint remained untouched for years, now lagging behind Photoshop in many areas.

Such a shame. The products used to be really good in terms of features and UI. Now they've buried everything.

Re:Nothing Worth Selling (0)

Anonymous Coward | more than 6 years ago | (#21951348)

> I was a big time WordPerfect user. I tried to stick around through their sale to Novell and lack of effort from them. Later, sold to Corel, the company sat on it and did nothing allowing Microsoft Word to overtake it and take over Office Suite dominance. This is what turned MS into the big monster it is now.


A little research could help your understanding of what happened to WordPerfect and many other companies.

Microsoft intentionally gave Novell bad code (when they were given code) for Windows 95, so when Win95 was released, WordPerfect would not work correctly and Microsoft Office would, giving users the appearance that MS Office was a superior product, and WordPerfect was inferior.

Granted, Novell and Corel could use some help in the marketing and management fronts, but when you rely on the dominant OS provider to give you timely and correct code to work with their OS, and they do not because they want to make you look bad, it kind of hurts your image.

http://www.groklaw.net/article.php?story=20041112184610953 [groklaw.net]

Boiled down (1)

Romancer (19668) | more than 6 years ago | (#21948980)

So boiled down, microsoft is saying that their software is the problem? That Office has "less secure" ways of opening formats than they could have?

Re:Boiled down (5, Insightful)

davester666 (731373) | more than 6 years ago | (#21949044)

Yes. Rather than fixing their implementation, they just made it more difficult for users to use their implementation.

It just happens to be that some of their faulty implementations are for reading formats for competing products... You are not permitted to draw any inference from this fact.

Re:Boiled down (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21950416)

Microsoft has a certain amount of resources available to make parsers secure. Let's say they can make one file parser secure in one month. If they have 12 parsers to secure, how should they spend their resources?

* Should they secure the most common ones (i.e. post-Word 6.0) first and issue an update with the common ones secure and leave the rest vulnerable for the rest of the year?

* Should they secure all of them and issue an update all at once, leaving all users vulnerable all year?

* Or should they secure the most common ones first, issue an update that secures the common ones and disables the uncommon ones, then at the end of the year issue an update that secures and re-enables the uncommon ones?

I'm pretty sure that Theo de Raadt would immediately audit the code everybody depends on, then disable the rest until an audit is complete. Of course everybody on /. drools over themselves talking about how secure OpenBSD is when he does something like that. When Microsoft does it, they're just incompetent.

Remember, these parsers were written back when the worst a bad .DOC file would do is crash Word and /.'s complaints about Word mainly centered around bloat. If MS had spent time on hardening the parser, /. would have bitched about how Office was late, slow, and bloated. Nobody would know (or care) about the security.

And don't think every other program out there doesn't have similar bugs. I have no doubt you could effectively attack Lotus 1-2-3 too, but nobody does because it's easier to write an exploit than it is to find a Lotus user. Unix programs are notoriously [64.233.169.104] bad [64.233.169.104] in this regard also.

dom

Re:Boiled down (1)

bytesex (112972) | more than 6 years ago | (#21951276)

"Remember, these parsers were written back when the worst a bad .DOC file would do is crash Word and /.'s complaints about Word mainly centered around bloat. If MS had spent time on hardening the parser, /. would have bitched about how Office was late, slow, and bloated. Nobody would know (or care) about the security."

What is the worst that Word can do these days? What's the worst it _should_ be able to do?

Re:Boiled down (5, Interesting)

joe_bruin (266648) | more than 6 years ago | (#21949056)

It boiled down to Microsoft, instead of fixing their bad file parsing code, disabled it so customers couldn't access their older files AND blamed Corel's file format. Notice that they are still not admitting that their code is bad or fixing it, they're just re-enabling their buggy code because customers complained that they couldn't open files.

The strategy isn't bad... (1)

filthpickle (1199927) | more than 6 years ago | (#21950012)

if you know you aren't gonna fix it you may as well disable it by default.

Re:The strategy isn't bad... (3, Funny)

Trolan (42526) | more than 6 years ago | (#21950174)

If they keep this up, I can see their next OS: Microsoft Windows BoW (Block of Wood) Ultimate Edition!

But a block of wood isn't completely safe. Someone could get hurt by it. So they'd have to release SP1 which adds padding.

Re:Boiled down (1)

BeanThere (28381) | more than 6 years ago | (#21950970)

They've just sent a message to all their customers etc. that they can and will disable support for all those other programs people are using anytime (and even suggesting that "special tools" [sic] should be required to use those formats gives one a definite feeling that the other products you're using are on shaky ground), so customers will basically give in and realise they are better off just accepting that they should get onto the latest Microsoft products. They're basically saying "we're the *standard*", get onto our products; this apology-after-the-fact for this "mistake" (puh-lease, does anyone really think Microsoft broke a whole bunch of formats by mistake?) doesn't really reverse the damage that's already been done, so it doesn't matter - their message has been sent, and it will have the desired effect. Basically mafia-like tactics, in effect.

Re:Boiled down (3, Insightful)

Smidge204 (605297) | more than 6 years ago | (#21949300)

Read it carefully for the doublethink!

"A file format isn't insecure -- it's the code that reads the format that's more or less secure."

Read it again if you didn't catch it.
=Smidge=

Re:Boiled down (0)

Anonymous Coward | more than 6 years ago | (#21949988)

Well, if a file format specifies:

This block of data should be executed as code with root permissions.
Then ANY compatible program reading that format is insecure, it would be better to say that the format itself is insecure.

Put another way (0)

Anonymous Coward | more than 6 years ago | (#21950918)

A sieve is more or less a bowl.

Business as usual (1)

jpaz (512242) | more than 6 years ago | (#21948990)

This is like a newspaper reporting someone is guilty of a crime on the front page, then a year later a retraction is printed on page 57 when he's found innocent of any wrongdoing.

It took MS 4 years to apologize?

Re:Business as usual (5, Informative)

mr_mischief (456295) | more than 6 years ago | (#21949060)

Nah. Just 4 months.

The blocking of the file formats was from September's Office 2003 Service Pack 3 update. The KB article was probably issued the same time, but it was edited yesterday (and the MSKB doesn't show the original date, just the last review date and the number of times edited).

The apology was yesterday.

File Formats that ARE (2, Insightful)

krray (605395) | more than 6 years ago | (#21948994)

File formats that ARE insecure ... the ones that come to mind are .EXE, .COM, .SCR, .PIF, .CHM, .DLL, .VB* ... the list is long.
Oh, wait ... with Microsoft's logic these aren't insecure. It's the program (Windows) that uses them. I would agree.
Fortunately my various flavors of un*x boxes don't understand what to do with these...

I would love to read the letter Microsoft's legal department got over the December update.

Too bad that won't be made public.

Re:File Formats that ARE (2, Informative)

_merlin (160982) | more than 6 years ago | (#21949658)

Well it's true of the formats - .EXE is no more or less secure than an ELF binary, .COM is no more or less secure than a.out format, .CHM is no more or less secure than a tarball, .DLL is no more or less secure than ELF .so, .VBS is no more or less secure than a Perl script. The issue is whether the environment they run in is secure or not. You could argue that the execution environment that an ELF binary runs in under Solaris is more secure than the environment that a .EXE runs in under Windows, but a malicious program could still scavenge personal data and send it to the "bad guys" over HTTP (which is open in most people's firewalls). Perl is definitely a lot more secure than the VBScript runtime, but that won't stop a malicious script from deleting or overwriting a user's files.

Re:File Formats that ARE (1)

hangareighteen (31788) | more than 6 years ago | (#21949858)

You missed my personal favorite: Windows Metafile [wikipedia.org]

Terrible engineering, that.

So, what changed hands between Microsoft/Corel? (2, Interesting)

defile (1059) | more than 6 years ago | (#21949006)

Why would Microsoft enable a competitor, and, more ludicrously, apologize if there was no reason to? What's in this for Microsoft? Did Corel pay them a fee? Agree to cede a market? Threaten them with some kind of slam-dunk legal action that Microsoft was on the losing side of? We will probably never know.

Re:So, what changed hands between Microsoft/Corel? (4, Insightful)

flyingfsck (986395) | more than 6 years ago | (#21949118)

Corel and Novell both have long histories of suing Microsoft successfully to the tune of hundreds of millions of dollars (about 2 billion between the two of them). Clearly, MS was afraid of getting sued yet again.

Re:So, what changed hands between Microsoft/Corel? (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21949242)

It is called 'credibility' and is something the open source crowd should work on although that is probably too late.

Stop them from getting sued? (1)

EmbeddedJanitor (597831) | more than 6 years ago | (#21949312)

If you tell lies that hurt someone's business you can appear in court which would cause all kinds of mess (particularly if intertwined with the anti-trust rulings).

Likely the apology was a condition of some out of court agreement.

Re:So, what changed hands between Microsoft/Corel? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21949844)

> Why would Microsoft enable a competitor, and, more ludicrously, apologize if there was no reason to? What's in this for Microsoft? Did Corel pay them a fee? Agree to cede a market? Threaten them with some kind of slam-dunk legal action that Microsoft was on the losing side of? We will probably never know.


I strongly suspect it has to do with the attempt by Microsoft to get OOXML accepted as a standard.

The strongest feature of ODF is that it is completely open, fully specified, no trade secrets, able to be implemented by any party. It is therefore arguably "future proof" ... it should always be possible in the future to open ODF format documents that are being created today.

OOXML has come under HEAVY criticism for not providing the same capability ... in fact most Microsoft formats historically are the antithesis of this capability ... you have to update your software periodically and later versions have trouble opening files written by earlier versions.

http://en.wikipedia.org/wiki/Office_Open_XML#Technical_criticisms [wikipedia.org]

Microsoft just provided yet another excellent example of lack of "future proofing" in their formats. Now you cannot open files that you used to be able to open.

This incident is not at all a "good look" for Microsoft to have just as their OOXML format is coming up again for consideration as an ISO standard.

Re:So, what changed hands between Microsoft/Corel? (1)

putnondritz (682804) | more than 6 years ago | (#21951204)

You can start with this:

http://www.forbes.com/2000/10/03/1003corel.html [forbes.com]

Oh, here's a quote:
"For starters, what becomes of Corel's Linux plans? Corel has poured considerable resources into its Corel Linux operating system and porting its business and graphics applications to Linux. The company has positioned its Linux efforts as the linchpin of its comeback strategy, but there was no mention of Linux on the conference call Monday."

Perhaps a type of non-disparagement agreement, that if MS betrays, Corel Linux is able to be sprung forth?

Wouldn't Quattro and WordPerfect on X/Linux really hurt MS Office?

Defamation via incompetence (1)

wardk (3037) | more than 6 years ago | (#21949008)

oh gee, so sorry

we just didn't realize

we hope we didn't damage your business, we hate it when we do that to our competitors

we're soooooo sorry

hehehehehehhehehehe

Seriously... (1)

romrunning (963198) | more than 6 years ago | (#21949020)

...barring the legal profession, does anyone use WordPerfect anymore?

Re:Seriously... (1)

flyingfsck (986395) | more than 6 years ago | (#21949134)

Not many people use WP, but I use both and WP is still better than MS Word.

Re:Seriously... (1)

QuietObserver (1029226) | more than 6 years ago | (#21949464)

Agreed. I use WP9 (I hate what they did to WP12; it's too MS Word-like) and it does things I still haven't seen Word 2003 do (and that I doubt Word 2007 has added, either). That, and their file format, their professional tools (such as Table of Contents), and their editing tools (the best being Reveal Codes) are far superior to anything I've ever seen out of Office.

Re:Seriously... (2, Informative)

RuBLed (995686) | more than 6 years ago | (#21949426)

It seems that the extension in question was the .cdr extension used by Corel Draw.

> But it was Corel that publicly squawked when it realized Microsoft had blocked its .cdr file format -- still used by its CorelDraw graphics application -- in last September's Office 2003 Service Pack 3 update.


If you ask me, Corel Draw is one good drawing tool, a good partner for Adobe Photoshop. (I'm not a pro at these tools, I just stumble upon them when I rarely need it...)

we're sorry... (4, Insightful)

nguy (1207026) | more than 6 years ago | (#21949042)

That's like saying to a corpse, "Oh, I'm so sorry I killed you; I hope you won't feel too bad about it."

Re:we're sorry... (1)

Catnapster (531547) | more than 6 years ago | (#21949402)

Darwin Tremor [imdb.com] : [manipulating Dupree's mouth so Jack seems to be speaking to him] Oh hell yeah, we was just at the wrong place at the wrong time, so don't feel so bad, chief.

Re:we're sorry... (1)

dougisfunny (1200171) | more than 6 years ago | (#21949664)

You remember the time you were going down into the fire, and I said 'Goodbye' and you were like 'No way', and I was like 'We were only pretending to murder you'?

That was great.

Re:we're sorry... (0)

Anonymous Coward | more than 6 years ago | (#21950060)

Yeah, but the computer didn't succeed, Microsoft did...

that's weird (2, Funny)

SolusSD (680489) | more than 6 years ago | (#21949078)

Microsoft said something that didn't make me upset. hmm. in fact, it was the right thing to do! (i'm scared)

Microsoft apologized?! (1)

arotenbe (1203922) | more than 6 years ago | (#21949158)

Microsoft apologized?!

Wait... uhmm...

So ... confused ...

*** BAM! ***


But seriously, does anyone really think this was an accident or expect this to be any better than it was before?

Re:Microsoft apologized?! (4, Insightful)

corsec67 (627446) | more than 6 years ago | (#21949214)

At this point it doesn't matter if they apologized, the damage is done: opening older Corel documents in Office 2003 is a PITA. Apologizing just gains points with the CTO type people, so there really isn't a downside. Too bad it doesn't dawn on them that before MS was letting them use a "less-secure" method of opening files....

Re:Microsoft apologized?! (1)

mqduck (232646) | more than 6 years ago | (#21949318)

I suspect it's simply that Corel's lawyers sent MS a friendly letter threatening a lawsuit for the claim, and MS realized that 1) it's not worth fighting over, and 2) they would look like idiots if they tried to defend their statement, and they don't need that right now. Further, I doubt they framed it as an "apology". That's Slashdot's doing. More likely they just quietly issued a little statement saying they erred in a previous claim.

Who neutered Microsoft? (4, Interesting)

NullProg (70833) | more than 6 years ago | (#21949174)

'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure -- it's the code that reads the format that's more or less secure.'

Admitting FUD is uncharacteristic of Microsoft. Speaking the plain truth means Hell just froze over.

I'm at a loss for words....

Enjoy,

Re:Who neutered Microsoft? (0)

Anonymous Coward | more than 6 years ago | (#21950058)

> Admitting FUD is uncharacteristic of Microsoft.

It is still just FUD.

It is not formats or code that is the reason for this, it is revenue.

Office2007 still supports the formats so the preferred (by MS) solution is for users to _purchase_ MSOffice2007 so that they can continue to access the old format. This also makes MSOOXML the default that is saved and emailed, so others will also need to purchase MSO2007 when they receive that format.

It is probably the _same_ code in 2007.

That this was done for 'security' is likely untrue.
That this was done because of the code is likely untrue.
It was to further the use of proprietary formats and entrench MS's monopoly.

It may also be to answer the critics of MSOOXML where 'formatlikeOffic95' can now be said to be 'obsolete' because "no one uses that format any more (we made sure they can't)".

Alderaan was populated? (0)

Anonymous Coward | more than 6 years ago | (#21949228)

/Vader voice

Well, I'm sorry. Turns out there were people living there. We did a poor job of identifying how many people would get hurt if their planet blew up.

eBay, you're up. (1)

Anonymous Coward | more than 6 years ago | (#21949278)

Apologize to Google for calling their Checkout system insecure.

wow (1)

coaxial (28297) | more than 6 years ago | (#21949288)

Corel still exists? Wow. Who knew?

File formats can't be insecure? (1)

martin-boundary (547041) | more than 6 years ago | (#21949370)

Whoa! I'm going to put all my passwords and bank account numbers online in the clear in a single plain ASCII text file from now on. Who needs encryption? Take that crackers! You thought you could steal my stuff, eh? Just you download that file from my blog and weep, bitches!

Re:File formats can't be insecure? (1)

WK2 (1072560) | more than 6 years ago | (#21949432)

The ASCII file format is not insecure. However, the behavior you suggest is dangerous.

Re:File formats can't be insecure? (1)

martin-boundary (547041) | more than 6 years ago | (#21949560)

> The ASCII file format is not insecure. However, the behavior you suggest is dangerous.

The crucial question you're not asking is what is the intended use of the file format. Every file format is intended to be used for something, and once it is stated what that use is, one can ask if the format is secure for its intended purpose.

In my example, the intended purpose makes the format insecure. If I had used plain ASCII to list a bunch of recipes I found online, the format wouldn't be insecure if my purpose didn't include hiding those recipes from the public.

Re:File formats can't be insecure? (1)

Penguinisto (415985) | more than 6 years ago | (#21949606)

...that's funny, because Microsoft's argument was more along the lines that Office would be more secure if only those files couldn't be opened.

And yet for some odd reason NeoOffice on my Mac can open them just fine with no adverse reaction.

/P

Re:File formats can't be insecure? (1)

totally bogus dude (1040246) | more than 6 years ago | (#21949736)

If we go ahead and assume that "ASCII file format" means a file containing only the printable ASCII characters, then that's pretty open ended. You can store encrypted data in it just fine by encoding that data as "plain text" (e.g. gpg --armor). The same as how binary files can be sent over SMTP, which traditionally only supports 7-bit ASCII. Or you could come up with your own "cypher", known only to you, so an attacker reading the file would see "mybank.com password: foozball" but you'd know that it's a lie, "mybank.com" actually refers to your gmail password, and "foozball" is a codeword which means "kaequotaegei9EeTie0kietheih6vei3deeb3op0".

So, your use of unencrypted, easily-readable passwords is what is insecure, and has nothing to do with the use of an "ASCII format file". Additionally, what if the OS it resides on allows you to apply access restrictions to the file, and nobody but you can access it? Assuming proper physical security of the computer and strong protection for your account, then that's going to be as secure (for practical purposes) as encrypting it with a forty billion bit cypher.

Re:File formats can't be insecure? (1)

martin-boundary (547041) | more than 6 years ago | (#21950136)

> If we go ahead and assume that "ASCII file format" means a file containing only the printable ASCII characters, then that's pretty open ended.

Exactly, that's why I think that _format_ is insecure. It allows entirely unsecured content for any purpose if one so chooses (eg my example).

I use "format" in the sense that there exists a specification which imposes constraints on both the form and the content (ie BNF for the form, and semantic rules for what goes where). I assume you would agree? If I specify 7-bit ASCII only, that's a (very minimal) specification. If you specify 7-bit ASCII containing the output of gpg --armor, that's another specification. If one takes the Unix passwd file format, that's got an existing specification with specific constraints on the fields, etc.

If one takes the RFC 2822 (general purpose email) format, I call that insecure. If however one takes RFC 2822 + 2311 (S/MIME) + specifies the encryption method, then that's a lot more secure.

> So, your use of unencrypted, easily-readable passwords is what is insecure, and has nothing to do with the use of an "ASCII format file". Additionally, what if the OS it resides on allows you to apply access restrictions to the file, and nobody but you can access it? Assuming proper physical security of the computer and strong protection for your account, then that's going to be as secure (for practical purposes) as encrypting it with a forty billion bit cypher.

In this case, it seems to me that you're conflating the bits of the file together with the file system and the OS. It's true that if you consider the computer as a black box that a user interacts with, then security concepts can apply to the black box as a whole. But single files can also be copied or sent without duplicating the filesystem they reside on, and sometimes without the user's knowledge, so it seems to me that a useful concept of security must be defined at a finer level of granularity, such as the file format.

Re:File formats can't be insecure? (1)

theonlyaether (1146549) | more than 6 years ago | (#21950204)

I think you're confusing security with privacy. A file does not offer any privacy on its own, the creating program is responsible for that. Any file freely available on the internet, encrypted or not, is less secure than one that is not offered up by a network service. That said, when talking about programming and binary file formats, generally as other posters have said the term 'security' is used to describe buffer overflows and whatnot. Obviously in this sense anyone who wanted to could stick bad code in just about anything (WMV has been plagued with this) that fits and do all sorts of nasty stuff, thereby slipping by the normal security systems of a personal computer. Obviously you need an input filter and good error handling when reading files and loading them into memory. Ergo the old import filters need to be more secure.

All that said I'm not gonna argue with you - all files can be inherently "insecure" if the file is made available to a program that does something insecure with it, which is where I see this semantic dance going... The file without a program does nothing, however.
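
The "input filter and good error handling" point from the comment above, as an added example that is not part of the original thread and is not code from Office or Corel: a C reader that checks every length the file claims before copying. The record layout, `parse_record`, `count_records`, `MAX_PAYLOAD` and the sample byte arrays are all hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example:
 * byte 0 = type, bytes 1-2 = payload length (big-endian), then payload. */
#define HDR_LEN 3
#define MAX_PAYLOAD 64
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LARGE = -2 };

struct record {
    uint8_t type;
    uint16_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Constructed sample inputs: one well-formed file, and one whose length
 * field claims far more data than the file actually holds. */
static const uint8_t SAMPLE_GOOD[] = {0x01, 0x00, 0x02, 'h', 'i', 0x02, 0x00, 0x00};
static const uint8_t SAMPLE_LYING[] = {0x01, 0xFF, 0xFF, 'x'};

/* Parse one record from buf[0..buf_len); never trusts the length field. */
int parse_record(const uint8_t *buf, size_t buf_len,
                 struct record *out, size_t *consumed)
{
    if (buf_len < HDR_LEN) return PARSE_TRUNCATED;       /* incomplete header */
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len > MAX_PAYLOAD) return PARSE_TOO_LARGE;       /* would overflow out->payload */
    if (len > buf_len - HDR_LEN) return PARSE_TRUNCATED; /* claims bytes the file lacks */
    out->type = buf[0];
    out->len = len;
    memcpy(out->payload, buf + HDR_LEN, len);
    *consumed = (size_t)HDR_LEN + len;
    return PARSE_OK;
}

/* Walk a whole buffer: returns the record count, or the first error. */
int count_records(const uint8_t *buf, size_t buf_len)
{
    int n = 0;
    for (size_t off = 0; off < buf_len; n++) {
        struct record r;
        size_t used = 0;
        int st = parse_record(buf + off, buf_len - off, &r, &used);
        if (st != PARSE_OK) return st;   /* reject the file, do not guess */
        off += used;
    }
    return n;
}
```

Dropping either length check turns the same `memcpy` into the kind of buffer overflow the comment refers to, with no change to the file format itself.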

Re:File formats can't be insecure? (1)

martin-boundary (547041) | more than 6 years ago | (#21950278)

Fair point, I think you might be right about security = buffer overflows in this context, I didn't interpret it that way.

All that said I'm not gonna argue with you - all files can be inherently "insecure" if the file is made available to a program that does something insecure with it, which is where I see this semantic dance going... The file without a program does nothing, however.
Only if such a program can actually decode the file, though. If an attack has to be performed on the system level or relies on the user doing something like copying/pasting the "legitimately" decoded data, then the file format has pretty much done its job.

Re:File formats can't be insecure? (2, Insightful)

MrNaz (730548) | more than 6 years ago | (#21949532)

Yes, the file format wouldn't be insecure. Your handling of it would be.

Re:File formats can't be insecure? (1)

martin-boundary (547041) | more than 6 years ago | (#21949650)

If the file format is *intended* to keep my information safe from others, then I think if it easily fails that task, it must be called insecure by definition.

If I specified the format to be freeform text, encrypted with a suitably hidden, suitably complex one time pad, then the resulting file format would have to be called secure, no?

Re:File formats can't be insecure? (1)

fmobus (831767) | more than 6 years ago | (#21949968)

No. Not by itself, at least. You would still need a whole process to securely transport/exchange the keys/one time pad to make it both secure AND useful.

I also believe that's not the point of the "insecure" attribution either: they are likely talking about nasty stuff like buffer overflow, arbitrary execution, privilege escalation, as opposed to the security/privacy of data itself.

Re:File formats can't be insecure? (1)

martin-boundary (547041) | more than 6 years ago | (#21950216)

I also believe that's not the point of the "insecure" attribution either: they are likely talking about nasty stuff like buffer overflow, arbitrary execution, privilege escalation, as opposed to the security/privacy of data itself.
Actually, you might well be right about that. For example, the binary Word format is well known(*) to be pretty close to a serialized memory dump of the Word program's internal object tree.

(*) in case you're trying to reverse engineer the format based on public information available on the net

How about old Mike? (1)

rastoboy29 (807168) | more than 6 years ago | (#21949384)

They must have meant Mike Rosoff.

No shit. (1)

peipas (809350) | more than 6 years ago | (#21949428)

n/t

We don't abuse our monopoly... (4, Funny)

Locklin (1074657) | more than 6 years ago | (#21949540)

See! we apologized! Now leave us alone!

Typical Microsoft to me (1)

rainhill (86347) | more than 6 years ago | (#21949558)

Kill, then apologize.

I wonder if Corel can sue Microsoft for this?

Amazing. (5, Insightful)

Scottoest (1081663) | more than 6 years ago | (#21949678)

I remember the /. posting about this topic last week, where everyone rightfully corrected them about file formats not inherently being insecure. There was the usual geejawing about "M$" being brutal thugs, and idiots, etc. etc. etc. Y'know, par for the course on this website.

However, the most entertaining posts on this website, are in cases where Microsoft admits error, or does something "good". We then get to see these same people do logical contortionist routines about how they must have been threatened legally, or baseless conjecturing about what must have been in it for them.

A lot of people here talk a lot about how Microsoft should listen more to the "geek" community. Places like this remind me of precisely why they don't bother.

Slashdot is generally pretty great for my daily fill of tech news. But man oh man, when it comes to Microsoft, any front of being unbiased is quickly cast off.

"kdawson" is probably the worst of the bunch, too.

- Scott

Re:Amazing. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21949808)

If M$ did the right thing more (after horse fucking their competition. Again.), it wouldn't be such a big deal.

Re:Amazing. (0)

Anonymous Coward | more than 6 years ago | (#21949852)

"kdawson" is probably the worst of the bunch, too.
The worst of the bunch are actually Communist Zonk and Twitter/Erris the Troll. Notice most of the stories Communist Zonk posts are anti-capitalist in nature and Twitter/Erris the troll posts comments that are the same communist drivel with "M$" and "Windoze" in their posts.

Mea Culpa (0, Troll)

MrCopilot (871878) | more than 6 years ago | (#21949822)

I would like to take this opportunity to apologize to Microsoft, I was under the assumption that they were staffed by uninformed and relentless monopolists. I therefore vowed not to use, recommend, install, or otherwise service their products.

Now I can see, my assumption was wrong.

By default, these file types are blocked because the parsing code that Office 2003 uses to open and save the file types is less secure. Therefore, opening and saving these file types may pose a risk to you.

It's actually staffed by incompetent coders and management.

Again, I apologize and have updated my reasons for the ban.

Ha! Solution! (1)

Frantactical Fruke (226841) | more than 6 years ago | (#21949992)

After a decade of trying to fix the insecure code used to read these file formats, Microsoft has finally hit on a workable solution: "Let's just disable it. Nobody needs it, right?" Right. I plugged those holes myself years ago - by turning to GNU/Linux and OO.org.

attn: rabid linux users: (1)

jay-be-em (664602) | more than 6 years ago | (#21950036)

So they were wrong about one thing in 3 decades. Big deal.

MicroSpeak translated (0)

Anonymous Coward | more than 6 years ago | (#21950170)

'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure it's the code that reads the format that's more or less secure.' This is MicroSpeak for 'Our conversion filters are crap. They have always been crap. We don't care that they are crap. We can't be bothered to fix them because we can't be bothered to waste our time fixing crap. We also don't care that they are also insecure because they are crap. We shovel crap for a living and then blame everyone else because we smell like crap.'

Who? (1)

longacre (1090157) | more than 6 years ago | (#21950254)

All seven members of the human race who use Office to open Corel fucking Draw files are partying hard tonight.

email virus (0)

Anonymous Coward | more than 6 years ago | (#21950300)

This coming from the inventors of the email virus.

plus 2, troll) (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21950342)

It's about time.... (2, Interesting)

Rival (14861) | more than 6 years ago | (#21950422)

[After reading just the story title] It's about time! They laid me off back in '99 five minutes after we RTM'd Win2k, and they're only just now getting around to apologizing? Well, better late than never, I suppose.

[After reading TFA] It is refreshing to see such a direct and honest explanation and rationale [msdn.com]. Even if it isn't exactly front page news, it's much better than the typical PR-filtered triple-speak that tends to get the press. A good reminder that the developers != the company.

Thanks, David. If more decision makers at Microsoft were to take a similar approach to problems, even if just internally, I think the corporate image could be improved. Whether there's time to turn the ship around before it hits the iceberg*, I don't know, but it would be an interesting thing to watch.

*Yes, I know the engine reversal and attempt to turn was what doomed the Titanic. It's a complex analogy, with layers of irony and humor.

We're apologizing... (4, Informative)

Chris Mattern (191822) | more than 6 years ago | (#21950432)

...but we're going to continue to block your file formats by default on our systems. Those who want to use your file formats will need to go through the MicroSoft KB and find our designated fix for it, but we'll try to make that easier to use. Have a nice day!

Chris Mattern

Peace at last! Whew! Celebrate! (2, Funny)

theendlessnow (516149) | more than 6 years ago | (#21950516)

Microsoft also announced a new head of sales and marketing for Office. Little is known of this new hire... however, people believe his name to be Davrus or Debross, something like that. We'll let you know after the press conference. The new president wants to make sure that everyone attends. Supposedly the name of the Corel plugin engine will be Lorec... a natural evolution of the original plugin.

Re:Peace at last! Whew! Celebrate! (0)

Anonymous Coward | more than 6 years ago | (#21951396)

We are the superior coders, COMPILE! COMPILE!

Heh (4, Funny)

hyfe (641811) | more than 6 years ago | (#21950742)

A file format isn't insecure it's the code that reads the format that's more or less secure.'
Secret Passwords.txt

My father has that in his My Documents-folder. It contains secret passwords.

Next up (4, Funny)

Plutonite (999141) | more than 6 years ago | (#21950836)

Chuck Norris gets beaten up by the leave-britney-alone kid, and Bruce Schneier gets r00ted.... by Martha Stewart! Social engineering.

Because in Soviet Redmond, the chairs fear YOU!

Seriously, MS has apologized. To a competitor. On a technical subject. Holy friggin WOW. Since god now obviously exists, here's what I'm going to be praying for over the course of the next few years:

-Physics grant gets awarded to grad student who does not have lips wrapped tightly around String Theory schlong

-Dell admits that their computer cases are uglier than your face.

-Apple fanbois shut up. For good. (and I'm typing this on a macbook pro)

-America elects a Good president.

-Myspace creators realize the magnitude of their crime against human civilization and turn themselves in to local authorities.

-I stop wasting my time on slashdot.

That's going a bit far, I think.. (1)

cheros (223479) | more than 6 years ago | (#21950968)

I stop wasting my time on slashdot.

Look, that's really pushing credibility. No way. :-).

Notice the wording (4, Insightful)

Svenne (117693) | more than 6 years ago | (#21950846)

When he's talking about Corel's file format it's ok to say "insecure," but when it comes to MS Office it's suddenly called "less secure." Wouldn't want to give the wrong impression now, would we?