Slashdot Mirror


Microsoft Apologizes To Rival

Geoffrey.landis writes "Microsoft apologized to rival software vendor Corel Corp. for saying that Corel's file format posed a security risk, and issued a set of tools to unblock file types that had been blocked by default in the December Office 2003 service pack. In his blog on the Microsoft site, David Leblanc says 'We did a poor job of describing the default format changes.' He goes on to explain, 'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure — it's the code that reads the format that's more or less secure.' As noted by News.com, 'it is the parsing code that Office 2003 uses to open and save the file types that is less secure.' Larry Seltzer at pcmag.com also blogs the story."

151 comments

  1. Wait.... by nizo · · Score: 4, Funny

    When I took a nap at lunch today, did I wake up in a parallel universe?

    1. Re:Wait.... by Atario · · Score: 4, Funny

      Yes! Here, rain falls up, and hamburgers eat people!

      It's a little like your Soviet Union or Bizarro Universe.

      --
      "A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
    2. Re:Wait.... by youthoftoday · · Score: 2, Funny

      Hamburgers eat people?

      You must have woken up in Soviet Russia!

      --
      -1 not first post
    3. Re:Wait.... by GroeFaZ · · Score: 4, Funny

      Depends. Is everyone around you wearing goatees?

      --
      The grass is always greener on the other side of the light cone.
    4. Re:Wait.... by arotenbe · · Score: 4, Funny

      Is everyone around you wearing goatees? No. Goatses.
      --
      Tomato wedge sperm darts that are Republican.
    5. Re:Wait.... by Anonymous Coward · · Score: 0

      Isn't that what he said? Reading comprehension 4tw.

    6. Re:Wait.... by Power_Pentode · · Score: 3, Funny

      When I took a nap at lunch today, did I wake up in a parallel universe?
      No kidding! This is, like, the first sign of the apocalypse. What's next, a trailer featuring real in-game action from Duke Nukem Forever?
    7. Re:Wait.... by Fry-kun · · Score: 1

      It's a Simpsons reference, you insensitive clod!
      The Great Continent of Rand McNally :)

      --
      Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
    8. Re:Wait.... by $0.02 · · Score: 2, Funny

      And where Kucinich wins elections.

      --
      If enithin kan gow rong it whil. (Murfey)
    9. Re:Wait.... by Midnight+Thunder · · Score: 1, Funny

      Depends. Is everyone around you wearing goatees?

      Why did I read that as:

          "Depends. Is everyone around you wearing goatsies"?

      Heck, that site has scarred me life.

      --
      Jumpstart the tartan drive.
    10. Re:Wait.... by rat10177sd · · Score: 0

      This just in, the largest order ever for pairs of ice skates (~350,000,000,000) was received by Acme(TM) Industries from Hell.
      Here's our Financial Reporter with details
      >
      >
      >
      You moved your mouse. Please restart Windows for changes to take effect.

    11. Re:Wait.... by Chris+Mattern · · Score: 4, Insightful

      Nothing parallel about this. Microsoft isn't going to stop blocking the competition's file formats by default, so you'll still need to edit your registry to be able to use them. They'll see about doing something to make it easier...Real Soon Now. Meanwhile, have this absolutely worthless apology! Nothing unusual about this...Microsoft has always been willing to talk sweet when it needs to calm things down a bit. Actually fixing the problem, particularly when the problem has been carefully orchestrated to kick the competition in the crotch? Not so much.

      Chris Mattern

    12. Re:Wait.... by Kyokushi · · Score: 3, Funny

      Conclusion: In Soviet Russia, Microsoft apologizes to YOU!

    13. Re:Wait.... by badran · · Score: 0

      In Soviet Russia, YOU eat the Hamburgers..

    14. Re:Wait.... by Tolkien · · Score: 1

      You know, when you listen closely enough on a clear moonlit night, you can still hear Duke say "I wanna kick ass and chew bubble gum, and I'm all outta gum." Followed by hordes of aliens firing missiles over the horizon, gurgling "Suck it down."
      Unfortunately, there have yet to be sightings of suicidal tentacled strippers. :(

    15. Re:Wait.... by Nahooda · · Score: 1

      No, he probably woke up in Hamburg... ;-P

      --
      Sigs suck!
    16. Re:Wait.... by random0xff · · Score: 2, Interesting
      No:

      A file format (with some exceptions, like .hlp files) isn't insecure - it's the code that reads the format that's more or less secure. See how he switched from using the word 'insecure' in association with file formats, how he uses the terms 'more or less secure' for describing the code they wrote.
    17. Re:Wait.... by Anonymous Coward · · Score: 1, Funny

      It's like Rand McNally

    18. Re:Wait.... by mgblst · · Score: 1

      Yes, a completely new world.

      Allow me to steal a few million from you, and I will happily apologise, so everything will be ok and forgiven. I have no problem with this new world. Fool.

    19. Re:Wait.... by davidsyes · · Score: 1

      No, you woke up in an amoeba in an amoebius strip-shaped unparallel uniwerse...

      restated for those with a sense of humor or who are not ms shills... (well, even a shill can have a sense of humor, right?)

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
    20. Re:Wait.... by jwaters · · Score: 1

      At the risk of letting the facts get in the way of a good Microsoft bashing, the blog post linked in the article includes links to .reg files which actually fix the problem.

    21. Re:Wait.... by Anonymous Coward · · Score: 0

      He said parallel, not inside out!

    22. Re:Wait.... by DDR3 · · Score: 0

      I think the story might be a duplicate as MS does once they don't need some entity any more!

    23. Re:Wait.... by gr8scot · · Score: 1

      A sincere apology should have mentioned blocking a competitor's file formats without explanation. Chris Mattern is right on, despite a minor inaccuracy, in the matter of a very trivial detail.

      --
      All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
  2. Oops, sorry by Anonymous Coward · · Score: 0

    Hope you didn't lose any sales.

    Heheh.

    1. Re:Oops, sorry by Jeremiah+Cornelius · · Score: 1

      Umm?

      Boo-hoo.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  3. Boiled down by Romancer · · Score: 1

    So boiled down, microsoft is saying that their software is the problem? That Office has "less secure" ways of opening formats than they could have?

    --


    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.
    1. Re:Boiled down by davester666 · · Score: 5, Insightful

      Yes. Rather than fixing their implementation, they just made it more difficult for users to use their implementation.

      It just happens to be that some of their faulty implementations are for reading formats for competing products... You are not permitted to draw any inference from this fact.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Boiled down by joe_bruin · · Score: 5, Interesting

      It boiled down to Microsoft, instead of fixing their bad file parsing code, disabled it so customers couldn't access their older files AND blamed Corel's file format. Notice that they are still not admitting that their code is bad or fixing it, they're just re-enabling their buggy code because customers complained that they couldn't open files.

    3. Re:Boiled down by Smidge204 · · Score: 3, Insightful

      Read it carefully for the doublethink!

      "A file format isn't insecure -- it's the code that reads the format that's more or less secure."

      Read it again if you didn't catch it.
      =Smidge=

    4. Re:Boiled down by Anonymous Coward · · Score: 0

      Well, if a file format specifies:

      This block of data should be executed as code with root permissions.
      Then ANY compatible program reading that format is insecure, it would be better to say that the format itself is insecure.
    5. Re:Boiled down by Anonymous Coward · · Score: 1, Insightful

      Microsoft has a certain amount of resources available to make parsers secure. Let's say they can make one file parser secure in one month. If they have 12 parsers to secure, how should they spend their resources?

      * Should they secure the most common ones (i.e. post-Word 6.0) first and issue an update with the common ones secure and leave the rest vulnerable for the rest of the year?

      * Should they secure all of them and issue an update all at once, leaving all users vulnerable all year?

      * Or should they secure the most common ones first, issue an update that secures the common ones and disables the uncommon ones, then at the end of the year issue an update that secures and re-enables the uncommon ones?

      I'm pretty sure that Theo de Raadt would immediately audit the code everybody depends on, then disable the rest until an audit is complete. Of course everybody on /. drools over themselves talking about how secure OpenBSD is when he does something like that. When Microsoft does it, they're just incompetent.

      Remember, these parsers were written back when the worst a bad .DOC file would do is crash Word and /.'s complaints about Word mainly centered around bloat. If MS had spent time on hardening the parser, /. would have bitched about how Office was late, slow, and bloated. Nobody would know (or care) about the security.

      And don't think every other program out there doesn't have similar bugs. I have no doubt you could effectively attack Lotus 1-2-3 too, but nobody does because it's easier to write an exploit than it is to find a Lotus user. Unix programs are notoriously bad in this regard also.

      dom

    6. Re:Boiled down by BeanThere · · Score: 1

      They've just sent a message to all their customers etc. that they can and will disable support for all those other programs people are using anytime (and even suggesting that "special tools" [sic] should be required to use those formats gives one a definite feeling that the other products you're using are on shaky ground), so customers will basically give in and realise they are better off just accepting that they should get onto the latest Microsoft products. They're basically saying "we're the *standard*", get onto our products; this apology-after-the-fact for this "mistake" (puh-lease, does anyone really think Microsoft broke a whole bunch of formats by mistake?) doesn't really reverse the damage that's already been done, so it doesn't matter - their message has been sent, and it will have the desired effect. Basically mafia-like tactics, in effect.

    7. Re:Boiled down by bytesex · · Score: 1

      "Remember, these parsers were written back when the worst a bad .DOC file would do is crash Word and /.'s complaints about Word mainly centered around bloat. If MS had spent time on hardening the parser, /. would have bitched about how Office was late, slow, and bloated. Nobody would know (or care) about the security."

      What is the worst that Word can do these days ? What's the worst it _should_ be able to do ?

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    8. Re:Boiled down by Anonymous Coward · · Score: 0

      At worst, Word should crash (or hang) if it can't deal with some input. It's altogether possible that some input would be impractical to handle gracefully. After all, I want it to be able to quickly read all of my actual documents, while I only care that it stops attacks.

      Unfortunately, any buffer overrun has the potential to get the CPU to execute data as code. If that can happen, Word would be able to do anything that you can do, from send out spam to DDoSing somebody's computer, to emailing copies of the bad document to every email it finds on your disk.

      Keep in mind that this applies to *any* program that isn't prepared for such attacks. A malformed TIFF opened in The GIMP could turn your Linux box into a zombie. A malformed PDF opened in Adobe Reader could do the same thing.

      Of course you could argue something like a word processor has no business being allowed to access the Internet. But then you wouldn't be able to use WebDAV to access files, or distribute documents with links to images so the images don't fill up everybody's inbox.

      dom
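
The point from the summary and the comment above (it is the reading code, not the format, that is more or less secure), as an added C example that is not part of the original thread. It uses a constructed toy record format, not any real Office or Corel format, and all names are hypothetical: one reader trusts the length field stored in the file, the other checks it against both the input size and the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format (assumption, not a real Office/Corel format):
 *   4-byte magic "TOYD", then records of
 *   1-byte type | 2-byte little-endian length | payload bytes.
 * Record type 0x01 carries the document title. */
#define TITLE_MAX 32
enum { REC_TITLE = 0x01 };
enum parse_status { PARSE_OK = 0, ERR_MAGIC, ERR_TRUNCATED, ERR_TOO_LONG, ERR_NO_TITLE };

struct doc { char title[TITLE_MAX]; };

/* The "less secure" reader: it believes the length field in the file.
 * A record claiming 500 bytes overruns title[], and a record claiming
 * more bytes than the file holds reads past the end of the input.
 * Shown for comparison only; main() never calls it. */
int parse_trusting(const uint8_t *buf, size_t len, struct doc *out)
{
    if (len < 7 || memcmp(buf, "TOYD", 4) != 0) return ERR_MAGIC;
    size_t rec_len = (size_t)buf[5] | ((size_t)buf[6] << 8);
    memcpy(out->title, buf + 7, rec_len);   /* no bounds check at all */
    out->title[rec_len] = '\0';
    return PARSE_OK;
}

/* The "more secure" reader for the same format: every length taken from
 * the file is checked against the bytes that remain in the input and
 * against the size of the destination before anything is copied. */
int parse_checked(const uint8_t *buf, size_t len, struct doc *out)
{
    size_t pos = 4;
    if (len < 4 || memcmp(buf, "TOYD", 4) != 0) return ERR_MAGIC;
    while (pos < len) {
        if (len - pos < 3) return ERR_TRUNCATED;        /* record header must fit */
        uint8_t type = buf[pos];
        size_t rec_len = (size_t)buf[pos + 1] | ((size_t)buf[pos + 2] << 8);
        pos += 3;
        if (rec_len > len - pos) return ERR_TRUNCATED;  /* claims more than the file holds */
        if (type == REC_TITLE) {
            if (rec_len >= TITLE_MAX) return ERR_TOO_LONG;  /* keep room for the NUL */
            memcpy(out->title, buf + pos, rec_len);
            out->title[rec_len] = '\0';
            return PARSE_OK;
        }
        pos += rec_len;                                 /* skip unknown record types */
    }
    return ERR_NO_TITLE;
}

/* Constructed sample inputs. */
static const uint8_t good_file[] = {
    'T','O','Y','D',
    0x02, 0x02,0x00, 0xAA,0xBB,              /* unknown record, 2 bytes */
    0x01, 0x05,0x00, 'h','e','l','l','o'     /* title record, 5 bytes   */
};
static const uint8_t oversize_file[] = {
    'T','O','Y','D',
    0x01, 0xF4,0x01, 'A','A','A','A'         /* claims 500 bytes, holds 4 */
};
/* Title record that really does hold 40 (zero) bytes: too big for title[]. */
static const uint8_t long_title_file[4 + 3 + 40] = {
    'T','O','Y','D', 0x01, 0x28,0x00
};

int main(void)
{
    struct doc d;
    printf("good:       %d\n", parse_checked(good_file, sizeof good_file, &d));
    printf("oversize:   %d\n", parse_checked(oversize_file, sizeof oversize_file, &d));
    printf("long title: %d\n", parse_checked(long_title_file, sizeof long_title_file, &d));
    return 0;
}
```

The three files are all valid byte strings in the same format; only the second reader rejects the two malformed ones instead of writing or reading out of bounds.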

    9. Re:Boiled down by Anonymous Coward · · Score: 0

      Are you trying to tell me that Microsoft has only just found out about all these file format vulnerabilities, and they did this as an immediate response? I don't believe that, I believe that Microsoft has known about them for a while and just decided that now is a good time to disable the old file formats that they can't be bothered to fix. IMO, the correct response to this is to issue a security warning as soon as they know about these vulnerabilities and tell the user how to disable them if they think it is a risk, and write patches fixing them ASAP. Microsoft hasn't even said they will ever fix this, and I doubt they will unless they get lots of pressure from a number of their large customers.

    10. Re:Boiled down by odourpreventer · · Score: 1

      Please excuse if my inexperience shines through, but buffer overruns? To this day? I am by no means an expert programmer, but I've had my share of buffer coding, and I couldn't make an insecure one by sheer sloppiness, it would take an effort.

    11. Re:Boiled down by Anonymous Coward · · Score: 0

      Did you read the same summary I did? He pretty much admitted the file-format is not insecure, the parsing code for the format contains the security issue. Now, they still might not be fixing it, but it definitely seems to me he said, our code is broken. And provided the /. effect is in full force, you get modded interesting and apparently didn't even RTFS.

    12. Re:Boiled down by dave87656 · · Score: 1

      Where I work, we design security in from the start, something MS has never done. You don't have to spend resources "securing" a parser. If MS can't even write a document parser that is secure, you can imagine how unsafe their operating systems are.

  4. Business as usual by jpaz · · Score: 1

    This is like a newspaper reporting someone is guilty of a crime on the front page, then a year later a retraction is printed on page 57 when he's found innocent of any wrongdoing.

    It took MS 4 years to apologize?

    1. Re:Business as usual by mr_mischief · · Score: 5, Informative

      Nah. Just 4 months.

      The blocking of the file formats was from September's Office 2003 Service Pack 3 update. The KB article was probably issued the same time, but it was edited yesterday (and the MSKB doesn't show the original date, just the last review date and the number of times edited).

      The apology was yesterday.

  5. File Formats that ARE by krray · · Score: 2, Insightful

    File formats that ARE insecure ... the ones that come to mind are .EXE, .COM, .SCR, .PIF, .CHM, .DLL, .VB* ... the list is long.
    Oh, wait ... with Microsoft's logic these aren't insecure. It's the program (Windows) that uses them. I would agree.
    Fortunately my various flavors of un*x boxes don't understand what to do with these...

    I would love to read the letter Microsoft's legal department got over the December update.

    Too bad that won't be made public.

    1. Re:File Formats that ARE by _merlin · · Score: 2, Informative

      Well it's true of the formats - .EXE is no more or less secure than an ELF binary, .COM is no more or less secure than a.out format, .CHM is no more or less secure than a tarball, .DLL is no more or less secure than ELF .so, .VBS is no more or less secure than a Perl script. The issue is whether the environment they run in is secure or not. You could argue that the execution environment that an ELF binary runs in under Solaris is more secure than the environment that a .EXE runs in under Windows, but a malicious program could still scavenge personal data and send it to the "bad guys" over HTTP (which is open in most people's firewalls). Perl is definitely a lot more secure than the VBScript runtime, but that won't stop a malicious script from deleting or overwriting a user's files.

    2. Re:File Formats that ARE by hangareighteen · · Score: 1

      You missed my personal favorite: Windows Metafile

      Terrible engineering, that.

    3. Re:File Formats that ARE by rant64 · · Score: 1

      Of course, it's not just the parser. It's the content as well, or, more specifically, parsing malicious content without properly sanitizing. In that respect, if you make any file executable, does your un*x box sanitize malicious code it executes?

      Do you read and interpret the source code of everything you download?

      The only difference here is that Windows operating systems have a number of file formats that will execute by default, which, to be honest, make them a little easier to use. Meanwhile, keep on wondering why *nix desktop adoption has been in progress for the last.. umm.. decades.

    4. Re:File Formats that ARE by dave87656 · · Score: 1

      First, a malicious script would have to find its way on to your system, something that seems to happen a lot more on Windows boxes than on *nix boxes. Secondly, *nix users almost always are logged in as a user, not root, so a malicious script cannot affect system files. Most Windows users use their one and only account with administration privileges.

    5. Re:File Formats that ARE by dave87656 · · Score: 1

      Linux desktop has been in process because Windows ships by default on 99% of the PCs. In no small part because MS gives bigger discounts when you only sell Windows. Something they couldn't effectively do if they didn't have a monopoly.

      They've been sued for this in the US and in Europe.

    6. Re:File Formats that ARE by _merlin · · Score: 1

      I know it's pointless arguing, but root isn't necessary to do damage. You can send plenty of spam when logged on with any user account. Spyware only needs user privileges to spy on a user. A user probably cares just as much, or even more, about their e-mail, documents, photos, etc. being damaged as they do about system files being damaged - it's easy to reinstall an OS, while photos may be irreplaceable.

      Besides which, my point was that the formats are no more or less secure than their Windows equivalents, and it's just the environment that they run in that is arguably more secure.

    7. Re:File Formats that ARE by dave87656 · · Score: 1

      I agree. A lot of damage can be done without root access. However, the infection of a program whose executable is not in my user space (and most are installed under /usr, /opt and so on) is not possible without root access.

    8. Re:File Formats that ARE by gr8scot · · Score: 1
      No need to apologize.

      I know it's pointless arguing, but ...
      AFAIK, "pointless arguing" is the whole point of online forums. Better for society than duels at high noon, anyway.
      --
      All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
  6. So, what changed hands between Microsoft/Corel? by defile · · Score: 2, Interesting

    Why would Microsoft enable a competitor, and, more ludicrously, apologize if there was no reason to? What's in this for Microsoft? Did Corel pay them a fee? Agree to cede a market? Threaten them with some kind of slam-dunk legal action that Microsoft was on the losing side of? We will probably never know.

    1. Re:So, what changed hands between Microsoft/Corel? by flyingfsck · · Score: 4, Insightful

      Corel and Novell both have long histories of suing Microsoft successfully to the tune of hundreds of millions of dollars (about 2 billion between the two of them). Clearly, MS was afraid of getting sued yet again.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:So, what changed hands between Microsoft/Corel? by Anonymous Coward · · Score: 1, Insightful

      Why would Microsoft enable a competitor, and, more ludicrously, apologize if there was no reason to? What's in this for Microsoft? Did Corel pay them a fee? Agree to cede a market? Threaten them with some kind of slam-dunk legal action that Microsoft was on the losing side of? We will probably never know.


      I strongly suspect it has to do with the attempt by Microsoft to get OOXML accepted as a standard.

      The strongest feature of ODF is that it is completely open, fully specified, no trade secrets, able to be implemented by any party. It is therefore arguably "future proof" ... it should always be possible in the future to open ODF format documents that are being created today.

      OOXML has come under HEAVY criticism for not providing the same capability ... in fact most Microsoft formats historically are the antithesis of this capability ... you have to update your software periodically and later versions have trouble opening files written by earlier versions.

      http://en.wikipedia.org/wiki/Office_Open_XML#Technical_criticisms

      Microsoft just provided yet another excellent example of lack of "future proofing" in their formats. Now you cannot open files that you used to be able to open.

      This incident is not at all a "good look" for Microsoft to have just as their OOXML format is coming up again for consideration as an ISO standard.
    3. Re:So, what changed hands between Microsoft/Corel? by putnondritz · · Score: 1

      You can start with this:

      http://www.forbes.com/2000/10/03/1003corel.html

      Oh, here's a quote:
      "For starters, what becomes of Corel's Linux plans? Corel has poured considerable resources into its Corel Linux operating system and porting its business and graphics applications to Linux. The company has positioned its Linux efforts as the linchpin of its comeback strategy, but there was no mention of Linux on the conference call Monday."

      Perhaps a type of non-disparagement agreement, that if MS betrays, Corel Linux is able to be sprung forth?

      Wouldn't Quattro and WordPerfect on X/Linux really hurt MS Office?

    4. Re:So, what changed hands between Microsoft/Corel? by CarpetShark · · Score: 1

      No reason to? Are you nuts? They deliberately slandered Corel in a childish, disrespectful manner. Taken with their monopoly status, that also constitutes (to my eyes at least) an abuse of power --- big surprise there.

      Anyway, I'm waiting for the real apology, which should go more like: "Dear computer world. We suck. Sorry, we'll go now, and you'll all be better off for it." (And no, that's not childish or disrespectful; it's humor, justified by the company's past).

  7. Defamation via incompetence by wardk · · Score: 1

    oh gee, so sorry

    we just didn't realize

    we hope we didn't damage your business, we hate it when we do that to our competitors

    we're soooooo sorry

    hehehehehehhehehehe

  8. Seriously... by romrunning · · Score: 1

    ...barring the legal profession, does anyone use WordPerfect anymore?

    1. Re:Seriously... by flyingfsck · · Score: 1

      Not many people use WP, but I use both and WP is still better than MS Word.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Seriously... by RuBLed · · Score: 2, Informative
      It seems that the extension in question was the .cdr extension used by Corel Draw.

      But it was Corel that publicly squawked when it realized Microsoft had blocked its .cdr file format -- still used by its CorelDraw graphics application -- in last September's Office 2003 Service Pack 3 update.


      If you ask me, Corel Draw is one good drawing tool, a good partner for Adobe Photoshop. (I'm not a pro at these tools, I just stumble upon them when I rarely need it...)
    3. Re:Seriously... by QuietObserver · · Score: 1

      Agreed. I use WP9 (I hate what they did to WP12; it's too MS Word-like) and it does things I still haven't seen Word 2003 do (and that I doubt Word 2007 has added, either). That, and their file format, their professional tools (such as Table of Contents), and their editing tools (the best being Reveal Codes) are far superior to anything I've ever seen out of Office.

    4. Re:Seriously... by zenior · · Score: 1

      Have a look at Xara Xtreme, unbelievably easy to use, fast, powerful, low memory usage, good manual/help and reasonably priced on Windows ($80).

      Also, the source has been open for a few years (http://www.xaraxtreme.org/), and has been ported to Linux, runs fine AFAIK although the project appears to have stalled mid-2006.

      Just to be slightly less off-topic, Corel has owned this product for a short period but probably hasn't managed to position it properly versus CorelDraw. At least they didn't kill it.

      No, I don't work for them, I've just been a huge fan since 1998.

    5. Re:Seriously... by Anonymous Coward · · Score: 0

      Sure! Here in the MOOXML team it's an essential part of our formatting toolkit.

  9. we're sorry... by nguy · · Score: 4, Insightful

    That's like saying to a corpse, "Oh, I'm so sorry I killed you; I hope you won't feel too bad about it."

    1. Re:we're sorry... by Catnapster · · Score: 1

      Darwin Tremor: [manipulating Dupree's mouth so Jack seems to be speaking to him] Oh hell yeah, we was just at the wrong place at the wrong time, so don't feel so bad, chief.

      --
      The world can be wrong today for once.
    2. Re:we're sorry... by dougisfunny · · Score: 1

      You remember the time you were going down into the fire, and I said 'Goodbye' and you were like 'No way', and I was like 'We were only pretending to murder you'?

      That was great.

      --
      This is not the funny you're looking for.
    3. Re:we're sorry... by Anonymous Coward · · Score: 0

      Yeah, but the computer didn't succeed, Microsoft did...

  10. that's weird by SolusSD · · Score: 2, Funny

    Microsoft said something that didn't make me upset. hmm. in fact, it was the right thing to do! (i'm scared)

  11. Microsoft apologized?! by arotenbe · · Score: 1

    Microsoft apologized?!

    Wait... uhmm...

    So ... confused ...

    *** BAM! ***


    But seriously, does anyone really think this was an accident or expect this to be any better than it was before?

    --
    Tomato wedge sperm darts that are Republican.
    1. Re:Microsoft apologized?! by corsec67 · · Score: 4, Insightful

      At this point it doesn't matter if they apologized, the damage is done: opening older Corel documents in Office 2003 is a PITA. Apologizing just gains points with the CTO type people, so there really isn't a downside. Too bad it doesn't dawn on them that before MS was letting them use a "less-secure" method of opening files....

      --
      If I have nothing to hide, don't search me
    2. Re:Microsoft apologized?! by mqduck · · Score: 1

      I suspect it's simply that Corel's lawyers sent MS a friendly letter threatening a lawsuit for the claim, and MS realized that 1) it's not worth fighting over, and 2) they would look like idiots if they tried to defend their statement, and they don't need that right now. Further, I doubt they framed it as an "apology". That's Slashdot's doing. More likely they just quietly issued a little statement saying they erred in a previous claim.

      --
      Property is theft.
  12. Who neutered Microsoft? by NullProg · · Score: 4, Interesting

    'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure -- it's the code that reads the format that's more or less secure.'

    Admitting FUD is uncharacteristic of Microsoft. Speaking the plain truth means Hell just froze over.

    I'm at a loss for words....

    Enjoy,

    --
    It's just the normal noises in here.
    1. Re:Who neutered Microsoft? by Anonymous Coward · · Score: 0

      > Admitting FUD is uncharacteristic of Microsoft.

      It is still just FUD.

      It is not formats or code that is the reason for this, it is revenue.

      Office2007 still supports the formats so the preferred (by MS) solution is for users to _purchase_ MSOffice2007 so that they can continue to access the old format. This also makes MSOOXML the default that is saved and emailed, so others will also need to purchase MSO2007 when they receive that format.

      It is probably the _same_ code in 2007.

      That this was done for 'security' is likely untrue.
      That this was done because of the code is likely untrue.
      It was to further the use of proprietary formats and entrench MS's monopoly.

      It may also be to answer the critics of MSOOXML where 'formatlikeOffic95' can now be said to be 'obsolete' because "no one uses that format any more (we made sure they can't)".

    2. Re:Who neutered Microsoft? by nine-times · · Score: 1

      We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure -- it's the code that reads the format that's more or less secure.

      That quote just makes me want to ask, "And whose 'code' is that....? Whose code is insecure...?" Come on, just say it! It's not 'the code' that's insecure, it's 'your code'.

  13. Alderaan was populated? by Anonymous Coward · · Score: 0

    /Vader voice

    Well, I'm sorry. Turns out there were people living there. We did a poor job of identifying how many people would get hurt if their planet blew up.

  14. eBay, you're up. by Anonymous Coward · · Score: 1

    Apologize to Google for calling their Checkout system insecure.

  15. wow by coaxial · · Score: 1

    Corel still exists? Wow. Who knew?

  16. Breaking news by EmbeddedJanitor · · Score: 4, Funny

    David Leblanc admitted to hospital with chair-induced head injuries.

    --
    Engineering is the art of compromise.
    1. Re:Breaking news by naoursla · · Score: 1

      Steve Ballmer is a pretty big guy. Had he hit Mr. Leblanc with a chair then Mr. Leblanc would be dead and not in a hospital with "injuries".

  17. Stop them from getting sued? by EmbeddedJanitor · · Score: 1
    If you tell lies that hurt someone's business you can appear in court which would cause all kinds of mess (particularly if intertwined with the anti-trust rulings).

    Likely the apology was a condition of some out of court agreement.

    --
    Engineering is the art of compromise.
  18. Nothing Worth Selling by WED+Fan · · Score: 5, Insightful

    Hope you didn't lose any sales.

    Uh, sparky, the assumption that Corel has anything of value to market and sell is a bit of a stretch. They have so mismanaged the brand that it is almost criminal what they did to their office products.

    I was a big time WordPerfect user. I tried to stick around through their sale to Novell and lack of effort from them. Later, sold to Corel, the company sat on it and did nothing allowing Microsoft Word to overtake it and take over Office Suite dominance. This is what turned MS into the big monster it is now.

    Corel should be apologizing to the world.

    They took a great product and took a dump on it. This would be like DC turning the Superman franchise over to Alexander Salkind...oh, wait, they did.

    --
    Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
    1. Re:Nothing Worth Selling by pimpimpim · · Score: 2, Interesting
      I guess they realized it would be a lost cause fighting against Microsoft Office, throwing away developer time. Then again, if they would have endured and realized back then that the eternal reign of MS Office could be overthrown, they might be growing by now, at a time where switching from office** to office 2007 is just as hard as switching to another suite, and with a current public and political outcry for open document formats.

      The first thing I used after wordperfect 5.1 was Lotus WordPro, since it came with my Aptiva pentium 100 "multimedia" pc. This was actually a pretty good program, it had a latex-like equation editor, and came with a nicer selection of fonts than the default MSoffice. I just checked and it appears that IBM changed the whole SmartSuite to something called "symphony" now, made it free of charge and able to work with ODF.

      IBM may be on to something here, the lack of backward compatibility in MSOffice plus the high costs of obligatory contract renewals will make more and more people (better: the companies that employ these people) realize the problems MS gets them in, and look for alternatives. All these dirty tricks might end up to be MS nailing its own coffin: as soon as companies switch to another browser, to another office suite, why should they be dependent on MS at all?

      --
      molmod.com - computing tips from a molecular modeling
    2. Re:Nothing Worth Selling by gaspyy · · Score: 2, Interesting

      Unfortunately it's not just their office.

      Corel's flagship is CorelDraw, which is actually a very capable illustration software.
      Corel Draw and Corel Photo-Paint used to be on par and sometimes above competitors' products (Adobe Illustrator, Macromedia Freehand; Photo-Paint was at least as capable as Photoshop in 2000).

      They stopped innovating. The last Corel Draw suite was released in 2005 (they issued 2 service packs). Photo-Paint remained untouched for years, now lagging behind Photoshop in many areas.

      Such a shame. The products used to be really good in terms of features and UI. Now they've buried everything.

    3. Re:Nothing Worth Selling by Anonymous Coward · · Score: 0

      I was a big time WordPerfect user. I tried to stick around through their sale to Novell and lack of effort from them. Later, sold to Corel, the company sat on it and did nothing allowing Microsoft Word to overtake it and take over Office Suite dominance. This is what turned MS into the big monster it is now.


      A little research could help your understanding of what happened to Wordperfect and many other companies.

      Microsoft intentionally gave Novell bad code (when they were given code) for Windows 95, so when Win95 was released, Wordperfect would not work correctly and Microsoft Office would, giving users the appearance that MS Office was a superior product, and Wordperfect was inferior.

      Granted, Novell and Corel could use some help in the marketing and management fronts, but when you rely on the dominant OS provider to give you timely and correct code to work with their OS, and they do not because they want to make you look bad, it kind of hurts your image.

      http://www.groklaw.net/article.php?story=20041112184610953
    4. Re:Nothing Worth Selling by Anonymous Coward · · Score: 0

      Or maybe they took a clue that innovation for innovation's sake is bullshit.

      CorelDraw X3 does everything that the Adobe equivalent can do, and then some. Also, a student like me can buy a full legal copy of CorelDraw for $30 (compare to the default student price of $250 for Photoshop). But then again, I am probably the only student that actually pays for my software...

    5. Re:Nothing Worth Selling by WED+Fan · · Score: 1

      All that happened AFTER the product was significantly ignored through at least 2 product upgrades. The boys in Orem made their money off the product through 4.2 and just decided to let it die. By the time it hit 5.0 and 5.1 (remember "for Windows"?), Word was already taking off, and other competitors had entered the market: Sprint anyone? And other brands died because of their lack of response to market: Wordstar anyone?

      --
      Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
    6. Re:Nothing Worth Selling by Anonymous Coward · · Score: 0

      Also, a student like me can buy a full legal copy of CorelDraw for $30 (compare to the default student price of $250 for Photoshop).
      Out of curiosity, where can you get X3 that cheap? I don't see the educational version going for less than $89.
    7. Re:Nothing Worth Selling by Anonymous Coward · · Score: 0

      http://www.fitnesoft.com/AlmostPerfect/

      A book I think you might find enjoyable, a very good insight into the fall of WP.

  19. Re:Wait....for the red pill. by neo · · Score: 1

    Yes... everything you know is a lie. There is a world behind this one. One in which Microsoft is not evil.

  20. File formats can't be insecure? by martin-boundary · · Score: 1

    Whoa! I'm going to put all my passwords and bank account numbers online in the clear in a single plain ASCII text file from now on. Who needs encryption? Take that crackers! You thought you could steal my stuff, eh? Just you download that file from my blog and weep, bitches!

    1. Re:File formats can't be insecure? by WK2 · · Score: 1

      The ASCII file format is not insecure. However, the behavior you suggest is dangerous.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    2. Re:File formats can't be insecure? by MrNaz · · Score: 2, Insightful

      Yes, the file format wouldn't be insecure. Your handling of it would be.

      --
      I hate printers.
    3. Re:File formats can't be insecure? by martin-boundary · · Score: 1

      The ASCII file format is not insecure. However, the behavior you suggest is dangerous.
      The crucial question you're not asking is what is the intended use of the file format. Every file format is intended to be used for something, and once it is stated what that use is, one can ask if the format is secure for its intended purpose.

      In my example, the intended purpose makes the format insecure. If I had used plain ASCII to list a bunch of recipes I found online, the format wouldn't be insecure if my purpose didn't include hiding those recipes from the public.

    4. Re:File formats can't be insecure? by Penguinisto · · Score: 1
      ...that's funny, because Microsoft's argument was more along the lines that Office would be more secure if only those files couldn't be opened.

      And yet for some odd reason NeoOffice on my Mac can open them just fine with no adverse reaction.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:File formats can't be insecure? by martin-boundary · · Score: 1
      If the file format is *intended* to keep my information safe from others, then I think if it easily fails that task, it must be called insecure by definition.

      If I specified the format to be freeform text, encrypted with a suitably hidden, suitably complex one time pad, then the resulting file format would have to be called secure, no?

    6. Re:File formats can't be insecure? by totally+bogus+dude · · Score: 1

      If we go ahead and assume that "ASCII file format" means a file containing only the printable ASCII characters, then that's pretty open ended. You can store encrypted data in it just fine by encoding that data as "plain text" (e.g. gpg --armor). The same as how binary files can be sent over SMTP, which traditionally only supports 7-bit ASCII. Or you could come up with your own "cypher", known only to you, so an attacker reading the file would see "mybank.com password: foozball" but you'd know that it's a lie, "mybank.com" actually refers to your gmail password, and "foozball" is a codeword which means "kaequotaegei9EeTie0kietheih6vei3deeb3op0".

      So, your use of unencrypted, easily-readable passwords is what is insecure, and has nothing to do with the use of an "ASCII format file". Additionally, what if the OS it resides on allows you to apply access restrictions to the file, and nobody but you can access it? Assuming proper physical security of the computer and strong protection for your account, then that's going to be as secure (for practical purposes) as encrypting it with a forty billion bit cypher.

    7. Re:File formats can't be insecure? by fmobus · · Score: 1

      no. Not by itself, at least. You would still need a whole process to securely transport/exchange the keys/one time pad to make it both secure AND useful.

      I also believe that's not the point of the "insecure" attribution either: they are likely talking about nasty stuff like buffer overflow, arbitrary execution, privilege escalation, as opposed to the security/privacy of data itself.

    8. Re:File formats can't be insecure? by martin-boundary · · Score: 1

      If we go ahead and assume that "ASCII file format" means a file containing only the printable ASCII characters, then that's pretty open ended.
      Exactly, that's why I think that _format_ is insecure. It allows entirely unsecured content for any purpose if one so chooses (eg my example).

      I use "format" in the sense that there exists a specification which imposes constraints on both the form and the content (ie BNF for the form, and semantic rules for what goes where). I assume you would agree? If I specify 7-bit ASCII only, that's a (very minimal) specification. If you specify 7-bit ASCII containing the output of gpg --armor, that's another specification. If one takes the Unix passwd file format, that's got an existing specification with specific constraints on the fields, etc.

      If one takes the RFC 2822 (general purpose email) format, I call that insecure. If however one takes RFC 2822 + 2311 (S/MIME) + specifies the encryption method, then that's a lot more secure.

      So, your use of unencrypted, easily-readable passwords is what is insecure, and has nothing to do with the use of an "ASCII format file". Additionally, what if the OS it resides on allows you to apply access restrictions to the file, and nobody but you can access it? Assuming proper physical security of the computer and strong protection for your account, then that's going to be as secure (for practical purposes) as encrypting it with a forty billion bit cypher.
      In this case, it seems to me that you're conflating the bits of the file together with the file system and the OS. It's true that if you consider the computer as a black box that a user interacts with, then security concepts can apply to the black box as a whole. But single files can also be copied or sent without duplicating the filesystem they reside on, and sometimes without the user's knowledge, so it seems to me that a useful concept of security must be defined at a finer level of granularity, such as the file format.
    9. Re:File formats can't be insecure? by theonlyaether · · Score: 0

      I think you're confusing security with privacy. A file does not offer any privacy on its own, the creating program is responsible for that. Any file freely available on the internet, encrypted or not, is less secure than one that is not offered up by a network service. That said, when talking about programming and binary file formats, generally as other posters have said the term 'security' is used to describe buffer overflows and whatnot. Obviously in this sense anyone who wanted to could stick bad code in just about anything (WMV has been plagued with this) that fits and do all sorts of nasty stuff, thereby slipping by the normal security systems of a personal computer. Obviously you need an input filter and good error handling when reading files and loading them into memory. Ergo the old import filters need to be more secure.

      All that said I'm not gonna argue with you - all files can be inherently "insecure" if the file is made available to a program that does something insecure with it, which is where I see this semantic dance going... The file without a program does nothing, however.

      --
      Graduate students and most professors are no smarter than undergrads.
      They're just older.
    10. Re:File formats can't be insecure? by martin-boundary · · Score: 1

      I also believe that's not the point of the "insecure" attribution either: they are likely talking about nasty stuff like buffer overflow, arbitrary execution, privilege escalation, as opposed to the security/privacy of data itself.
      Actually, you might well be right about that. For example, the binary Word format is well known(*) to be pretty close to a serialized memory dump of the Word program's internal object tree.

      (*) in case you're trying to reverse engineer the format based on public information available on the net

    11. Re:File formats can't be insecure? by martin-boundary · · Score: 1
      Fair point, I think you might be right about security = buffer overflows in this context, I didn't interpret it that way.

      All that said I'm not gonna argue with you - all files can be inherently "insecure" if the file is made available to a program that does something insecure with it, which is where I see this semantic dance going... The file without a program does nothing, however.
      Only if such a program can actually decode the file, though. If an attack has to be performed on the system level or relies on the user doing something like copying/pasting the "legitimately" decoded data, then the file format has pretty much done its job.
    12. Re:File formats can't be insecure? by coolGuyZak · · Score: 1

      So, your use of unencrypted, easily-readable passwords is what is insecure, and has nothing to do with the use of an "ASCII format file".

      True, but this completely ignores the point of his post: file formats can be insecure, depending upon the metric used to evaluate said security. In MS's case, the format parser is broken. In his example, using a file format sans encryption (or with vulnerable encryption) is also insecure:

      Imagine a file format that specifies encrypting with a Caesar cipher, or checksumming with MD5. The file format is insecure, even when the associated program is 100% bug-free.
      ...
      I'm using secure in the meaning "the data in the file is vulnerable to attack"--that an attacker can view or modify information they lack the formal privilege to access.

      Providing an alternate means of privileged access, such as file permissions or an ACL, makes the file system, not the file, more or less secure.

    13. Re:File formats can't be insecure? by coolGuyZak · · Score: 1

      You would still need a whole process to securely transport/exchange the keys/one time pad to make it both secure AND useful.

      You're changing the argument. The OP never included useful as a metric for evaluation. ;)
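
The distinction this sub-thread keeps returning to (the format versus the code that reads it), shown as an added example that is not part of the thread and not Microsoft or Corel code. The record layout, names and sample bytes are constructed for illustration; the same bytes that a length-trusting reader would mishandle are simply rejected by a reader that checks each field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record (an assumption, not any real Office/Corel format):
 *   byte 0     record type (0x01 = title)
 *   bytes 1-2  payload length, big-endian
 *   bytes 3..  payload
 */
#define REC_TITLE 0x01
#define TITLE_MAX 32

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED_HEADER,
    PARSE_BAD_TYPE,
    PARSE_LENGTH_EXCEEDS_INPUT,  /* length field claims more bytes than the file has */
    PARSE_LENGTH_EXCEEDS_FIELD   /* payload would not fit the destination buffer */
};

struct document {
    char   title[TITLE_MAX + 1]; /* NUL-terminated when PARSE_OK is returned */
    size_t title_len;
};

/* Strict reader. A careless reader would copy `declared` bytes straight
 * into doc->title because the file said so; here the length field is
 * treated as untrusted and checked against both the input size and the
 * destination size before any byte is copied. */
enum parse_status parse_title_record(const uint8_t *buf, size_t buf_len,
                                     struct document *doc)
{
    if (buf_len < 3)
        return PARSE_TRUNCATED_HEADER;
    if (buf[0] != REC_TITLE)
        return PARSE_BAD_TYPE;

    size_t declared = ((size_t)buf[1] << 8) | buf[2];

    /* buf_len >= 3 is established above, so the subtraction cannot wrap. */
    if (declared > buf_len - 3)
        return PARSE_LENGTH_EXCEEDS_INPUT;
    if (declared > TITLE_MAX)
        return PARSE_LENGTH_EXCEEDS_FIELD;

    memcpy(doc->title, buf + 3, declared);
    doc->title[declared] = '\0';
    doc->title_len = declared;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[] = {
    0x01, 0x00, 0x09, 'Q', '1', ' ', 'r', 'e', 'p', 'o', 'r', 't'
};
/* Declares 0x0400 (1024) payload bytes but carries only two. */
static const uint8_t SAMPLE_LYING[] = { 0x01, 0x04, 0x00, 'A', 'B' };

int main(void)
{
    struct document doc;
    uint8_t too_long[3 + 40];

    /* Honest length field, but larger than the title field allows. */
    too_long[0] = REC_TITLE;
    too_long[1] = 0x00;
    too_long[2] = 40;
    memset(too_long + 3, 'A', 40);

    printf("well-formed:  %d\n",
           parse_title_record(SAMPLE_OK, sizeof SAMPLE_OK, &doc));
    printf("lying length: %d\n",
           parse_title_record(SAMPLE_LYING, sizeof SAMPLE_LYING, &doc));
    printf("oversized:    %d\n",
           parse_title_record(too_long, sizeof too_long, &doc));
    return 0;
}
```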

  21. How about old Mike? by rastoboy29 · · Score: 1

    They must have meant Mike Rosoff.

  22. No shit. by peipas · · Score: 1

    n/t

  23. We don't abuse our monopoly... by Locklin · · Score: 4, Funny

    See! we apologized! Now leave us alone!

    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
  24. Typical Microsoft to me by rainhill · · Score: 1

    Kill, then apologize.

    I wonder if Corel can sue Microsoft for this?

  25. Amazing. by Scottoest · · Score: 5, Insightful

    I remember the /. posting about this topic last week, where everyone rightfully corrected them about file formats not inherently being insecure. There was the usual geejawing about "M$" being brutal thugs, and idiots, etc. etc. etc. Y'know, par for the course on this website.

    However, the most entertaining posts on this website, are in cases where Microsoft admits error, or does something "good". We then get to see these same people do logical contortionist routines about how they must have been threatened legally, or baseless conjecturing about what must have been in it for them.

    A lot of people here talk a lot about how Microsoft should listen more to the "geek" community. Places like this remind me of precisely why they don't bother.

    Slashdot is generally pretty great for my daily fill of tech news. But man oh man, when it comes to Microsoft, any front of being unbiased is quickly cast off.

    "kdawson" is probably the worst of the bunch, too.

    - Scott

    1. Re:Amazing. by Anonymous Coward · · Score: 0

      "kdawson" is probably the worst of the bunch, too.

      The worst of the bunch are actually Communist Zonk and Twitter/Erris the Troll. Notice most of the stories Communist Zonk posts are anti-capitalist in nature and Twitter/Erris the troll posts comments that are the same communist drivel with "M$" and "Windoze" in their posts.
    2. Re:Amazing. by Anonymous Coward · · Score: 0

      However, the most entertaining posts on this website, are in cases where Microsoft admits error, or does something "good". We then get to see these same people do logical contortionist routines about how they must have been threatened legally, or baseless conjecturing about what must have been in it for them.

      You should, in general, think that about almost any large corporation that says something like that. What, you think they suddenly turned over a whole new leaf considering their entire history of past actions? That's more of a miracle than a Slashdotter supporting Microsoft.

      They already have a ruined reputation with the geek population and most of the consumer market. They are a convicted monopolist. Altruism isn't going to do anything for them, except perhaps as someone else mentioned: maybe just maybe prevent a lawsuit.

      -M

    3. Re:Amazing. by coolGuyZak · · Score: 1

      I remember the /. posting about this topic last week, where everyone rightfully corrected them about file formats not inherently being insecure.

      Some of us are still arguing that file formats can be insecure.

      It may also surprise you that Slashdot is a community composed of individual people. At any given time, a subset of these people have a particular opinion, a further subset feel the need to post, and a separate subset (mutually exclusive with the former subset) feel the need to moderate what other people say. The groups with the most time and mod points get a soapbox for a while, and can be eventually counteracted by those with less time or mod points. Hence, at any given time, a particular view is projected by the community as a whole.

      In other words, "these same people" aren't contorting their logic... in fact, different people are being heard.

    4. Re:Amazing. by Phroggy · · Score: 1

      Slashdot is generally pretty great for my daily fill of tech news. But man oh man, when it comes to Microsoft, any front of being unbiased is quickly cast off.

      You must be new here. There's never been any such front.
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    5. Re:Amazing. by Anonymous Coward · · Score: 0

      A lot of people here talk a lot about how Microsoft should listen more to the "geek" community. Places like this remind me of precisely why they don't bother.

      Microsoft doesn't listen to the geek community, because they don't see any profit in doing so. When they do, they will. It's nothing to do with ad hominem attacks.

    6. Re:Amazing. by Anonymous Coward · · Score: 0

      You must be from Digg

    7. Re:Amazing. by Scottoest · · Score: 1

      This wasn't a formal statement issued by Microsoft's legal department. It was an informal blog post, made by a Microsoft employee. If they were terrified of being sued, or what have you, they would have surely gone through official channels to protect themselves from legal retaliation.

      - Scott

  26. Mea Culpa by MrCopilot · · Score: 0, Troll
    I would like to take this opportunity to apologize to Microsoft, I was under the assumption that they were staffed by uninformed and relentless monopolists. I therefore vowed not to use, recommend, install, or otherwise service their products.

    Now I can see, my assumption was wrong.

    By default, these file types are blocked because the parsing code that Office 2003 uses to open and save the file types is less secure. Therefore, opening and saving these file types may pose a risk to you.

    It's actually staffed by incompetent coders and management.

    Again, I apologize and have updated my reasons for the ban.

    --
    OSGGFG - Open Source Gamers Guide to Free Games
  27. Ha! Solution! by Frantactical+Fruke · · Score: 1

    After a decade of trying to fix the insecure code used to read these file formats, Microsoft has finally hit on a workable solution: "Let's just disable it. Nobody needs it, right?" Right. I plugged those holes myself years ago - by turning to GNU/Linux and OO.org.

  28. The strategy isn't bad... by filthpickle · · Score: 1

    if you know you aren't gonna fix it you may as well disable it by default.

    1. Re:The strategy isn't bad... by Trolan · · Score: 3, Funny

      If they keep this up, I can see their next OS: Microsoft Windows BoW (Block of Wood) Ultimate Edition!

      But a block of wood isn't completely safe. Someone could get hurt by it. So they'd have to release SP1 which adds padding.

    2. Re:The strategy isn't bad... by Fred_A · · Score: 1

      If they keep this up, I can see their next OS: Microsoft Windows BoW (Block of Wood) Ultimate Edition!

      I'm already working on t3rm1t3Z, a virus designed to attack BoW, based on an early beta. It's going to make a killing. Lolz !

      --

      May contain traces of nut.
      Made from the freshest electrons.
  29. attn: rabid linux users: by jay-be-em · · Score: 1

    So they were wrong about one thing in 3 decades. Big deal.

    --
    "Orthodoxy means not thinking--not needing to think. Orthodoxy is unconsciousness." --Eric Blair
  30. MicroSpeak translated by Anonymous Coward · · Score: 0

    'We stated that it was the file formats that were insecure, but this is actually not correct. A file format isn't insecure it's the code that reads the format that's more or less secure.'

    This is MicroSpeak for 'Our conversion filters are crap. They have always been crap. We don't care that they are crap. We can't be bothered to fix them because we can't be bothered to waste our time fixing crap. We also don't care that they are also insecure because they are crap. We shovel crap for a living and then blame everyone else because we smell like crap.'

  31. Who? by longacre · · Score: 1

    All seven members of the human race who use Office to open Corel fucking Draw files are partying hard tonight.

  32. email virus by Anonymous Coward · · Score: 0

    This coming from the inventors of the email virus.

  33. It's about time.... by Rival · · Score: 2, Interesting

    [After reading just the story title] It's about time! They laid me off back in '99 five minutes after we RTM'd Win2k, and they're only just now getting around to apologizing? Well, better late than never, I suppose.

    [After reading TFA] It is refreshing to see such a direct and honest explanation and rationale. Even if it isn't exactly front page news, it's much better than the typical PR-filtered triple-speak that tends to get the press. A good reminder that the developers != the company.

    Thanks, David. If more decision makers at Microsoft were to take a similar approach to problems, even if just internally, I think the corporate image could be improved. Whether there's time to turn the ship around before it hits the iceberg*, I don't know, but it would be an interesting thing to watch.

    *Yes, I know the engine reversal and attempt to turn was what doomed the Titanic. It's a complex analogy, with layers of irony and humor.

  34. We're apologizing... by Chris+Mattern · · Score: 4, Informative

    ...but we're going to continue to block your file formats by default on our systems. Those who want to use your file formats will need to go through the MicroSoft KB and find our designated fix for it, but we'll try to make that easier to use. Have a nice day!

    Chris Mattern

  35. Peace at last! Whew! Celebrate! by theendlessnow · · Score: 2, Funny

    Microsoft also announced a new head of sales and marketing for Office. Little is known of this new hire... however, people believe his name to be Davrus or Debross, something like that. We'll let you know after the press conference. The new president wants to make sure that everyone attends. Supposedly the name of the Corel plugin engine will be Lorec... a natural evolution of the original plugin.

  36. Heh by hyfe · · Score: 4, Funny

    A file format isn't insecure it's the code that reads the format that's more or less secure.'
    Secret Passwords.txt

    My father has that in his My Documents-folder. It contains secret passwords.

    --
    "" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
    1. Re:Heh by msuarezalvarez · · Score: 1

      Assuming that's a plain text file: note that this is not an argument showing plain-text is an insecure format: it just means that it is being misused. You can misuse anything.

    2. Re:Heh by drseuk · · Score: 1

      Don't worry, his "Big Boobies" login is perfectly safe - it's Notepad that's the insecure bit.

  37. Next up by Plutonite · · Score: 4, Funny

    Chuck Norris gets beaten up by the leave-britney-alone kid, and Bruce Schneier gets r00ted.... by Martha Stewart! Social engineering.

    Because in Soviet Redmond, the chairs fear YOU!

    Seriously, MS has apologized. To a competitor. On a technical subject. Holy friggin WOW. Since god now obviously exists, here's what I'm going to be praying for over the course of the next few years:

    -Physics grant gets awarded to grad student who does not have lips wrapped tightly around String Theory schlong

    -Dell admits that their computer cases are uglier than your face.

    -Apple fanbois shut up. For good. (and I'm typing this on a macbook pro)

    -America elects a Good president.

    -Myspace creators realize the magnitude of their crime against human civilization and turn themselves in to local authorities.

    -I stop wasting my time on slashdot.

    1. Re:Next up by aj50 · · Score: 1
      I read that as:

      -Myspace creators realize the magnitude of their crime against human civilization and turn themselves into local authorities.

      --
      I wish to remain anomalous
  38. Notice the wording by Svenne · · Score: 4, Insightful

    When he's talking about Corel's file format it's ok to say "insecure," but when it comes to MS Office it's suddenly called "less secure." Wouldn't want to give the wrong impression now, would we?

    --

    Slagborr
  39. Put another way by Anonymous Coward · · Score: 0

    A sieve is more or less a bowl.

  40. That's going a bit far, I think.. by cheros · · Score: 1

    I stop wasting my time on slashdot.

    Look, that's really pushing credibility. No way. :-).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  41. Re:Peace at last! Whew! Celebrate! by Anonymous Coward · · Score: 0

    We are the superior coders, COMPILE! COMPILE!

  42. And, of course : by Anonymous Coward · · Score: 0

    'Why aren't you dead yet ?'

  43. Re:Off-topic by file+terminator · · Score: 1

    Oh! I just realized that "in Bizarro Universe Soviet Union, rain falls down and people eat hamburgers." And so on.

    Explains a lot, really.

  44. Developers, Developers, Developers! by jdickey · · Score: 1

    You of all people should own stock in cheap-office-furniture companies.

  45. Blame Access Softek by Anonymous Coward · · Score: 0

    Notice the quote from the Access Softek web site:
    "Reverse-engineered Corel Draw files for conversion into WMF/EMF formats for the Microsoft Office Suite."

  46. well... by vegiVamp · · Score: 1

    If I understand the summary correctly, they're not saying that the file format is insecure, but that their competitor's application is crap. How is this an apology ?

    --
    What a depressingly stupid machine.
    1. Re:well... by gr8scot · · Score: 1
      That was essentially my reading of it, although I was about to put it in terms of a schoolyard bully's apology to his victim, "I'm sorry you're a pathetic weakling, POW!"

      "We stated that it was the file formats that were insecure, but this is actually not correct," LeBlanc said, referring to a description in a now-changed support document. "A file format isn't insecure -- it's the code that reads the format that's more or less secure. The parsers we use for these older formats aren't as robust as the code we've written more recently, which is part of our decision to disable them by default."
      Also, anybody who remembers an epidemic of viruses contained in Word macros should notice the unmistakable stench of CYA.

      LeBlanc knows that it's neither "code" nor "format" which is uniformly to blame, it's the author of any particular block of code, which of course doesn't help Microsoft look good, but that's LeBlanc's job, not mine.
      --
      All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
  47. RTM == Released To Manufacturing by Jaxoreth · · Score: 1

    In other words, 'shipped'.

    --
    In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
  48. They are saying Word is crap by Anonymous Coward · · Score: 0

    *THEIR* (Microsoft's) application is crap. Welcome to reality, Microsoft.

  49. Go ahead. by Mariner28 · · Score: 1

    Go ahead. Click 'OK'. I dare you.

    No. The format is not insecure. The most you could argue is that the software program which produced the data and allowed the user to embed code which require root privileges to execute is insecure. But wait! Didn't Microsoft code the application that produced the data?

    Is the bash shell, or the Windows command interpreter for that matter, insecure because it allows me to write scripts that only function if I'm running it as root or administrator?

    --
    "A little misunderstanding? Galileo and the Pope had a little misunderstanding."
  50. Re:Peace at last! Whew! Celebrate! by drseuk · · Score: 1

    however, people believe his name to be Davrus

    Oh great, Borgs and Daleks ganging up on Tux.
  51. FAIL by Anonymous Coward · · Score: 0

    FAIL

  52. "Rival???" by nightcats · · Score: 1

    How does Corel get spun as a "rival" to M$? Far as I know, WordPerfect had its day in the DOS era, when 5.1 was the best word processor alive, but now? I might as well claim that Mike Gravel is a rival to Barack Obama as say that Corel threatens M$. Can Quattro Pro be said to "rival" Excel? Yeah right, so can Apple's Numbers.

    --
    Development is programmable; Discovery is not programmable. (Fuller)