Microsoft says those who are criticizing its decision to block older file formats in Office 2003 Service Pack 3 (SP3) are “exaggerating,” but Corel Corp., whose files were among those barred from opening, wonders what its rival was thinking.
Office 2003 SP3, released in mid-September, prevents users from opening scores of aged file formats, including those from early editions of Microsoft Word, Excel and PowerPoint, as well as older formats used by the obsolete Lotus 1-2-3 spreadsheet and Corel Corp.’s still-current graphics software, CorelDraw. Microsoft’s rationale: the file formats present a security risk.
Barring access to CorelDraw’s files mystified Gerard Metrallier, Corel’s director of product management, graphics. “Corel has unsuccessfully tried to figure out the basis for categorizing .cdr [CorelDraw] files as ‘less secure’ [and] we are currently working with Microsoft to get more details about this issue,” said Metrallier. “If there is a known problem that had security implications, we will get this resolved as quickly as possible.”
Checks by Corel with vulnerability databases compiled by the likes of US-CERT found no listings for CorelDraw, he added. Other databases, including the one kept by Danish vulnerability tracker Secunia ApS, do not list any CorelDraw bugs, patched or otherwise, either, according to research by Computerworld.
Today, Metrallier confirmed that the two companies have been talking about the blocking of .cdr files, but declined to answer questions about possible solutions, including a roll-back of the .cdr blocking. “They’re working from their side,” said Metrallier, “to clarify and correct the Knowledge Base [support] document.”
Metrallier had no idea why Microsoft had added the .cdr format to the list of blocked files. “We didn’t know where the issue was coming from.”
Microsoft is looking into alternatives to the manual Windows registry hack that it’s offered non-corporate users as the way to restore access to the now-blocked formats, according to Reed Shaffner, Office product manager, although he wouldn’t go into details. “We’re already [working on] an update to the KB [Knowledge Base article], and we’re looking at ways to automate the [unblocking] process.”
Shaffner also reiterated earlier Microsoft reasons for the changes. “We wanted to reduce the surface area of future attacks,” said Shaffner, who also confirmed that it is not the file formats themselves that are potentially risky, but the code within Office’s applications that parses those file formats. “The code for doing that had certain security vulnerabilities,” he acknowledged.
Microsoft Office — the 2003 version in particular — has been hard hit during the last two years by hackers who have used “fuzzing” tools to sniff out flaws in the app’s parsing of files when opening them. Attackers have at various times used Word, Excel and PowerPoint file formats to target high-value victims in corporations with malware or identity theft.
Shaffner admitted that the Office team could have done a better job at getting out the word about the file format changes in Office 2003 SP3 — “We did do a poor job,” he said — but also defended the decision by citing Office 2007. “This is something that Office 2007 has done by default since the day it shipped, and it hasn’t impacted users there.”
In fact, said Shaffner, the rhubarb over the changes has been overblown. “It’s never a molehill if it affects just one user,” he said, “but I would say that from what we’ve seen, the user impact has not been as much as the articles [in the news] indicate. I think people are exaggerating the impact a little bit.”
Ironically, Corel’s Metrallier agreed. “This isn’t a major problem,” he said today. “It’s not impacting the users. But anything that is security-related is the highest-possible critical thing.”