Wednesday, January 02, 2008
Legacy format FUD
From CyberTech Rambler (and Slashdot) comes the news that the Office 2003 Service Pack #3 disables (blocks) access to a number of legacy document formats. Details are in this MS support article. Formats so blocked include legacy Lotus 1-2-3 and Corel Quattro Pro formats. Why? According to the Microsoft support article, "By default, these file formats are blocked because they are less secure. They may pose a risk to you.".
Interesting. Well, let's look at the record. If we query the CERT vulnerability database for "WK1", "WK3", "WK4", etc., how many reported vulnerabilities do we see? Zero. Nothing.
But search the same database for "XLS" and what do we see? Eleven reported vulnerabilities:
Hmm... I'm so glad they disabled access to the risky formats.
And what about the Data Interchange Format (DIF), the text based format for exchanging data between spreadsheets. As well as being text-based and easy to parse, DIF doesn't allow any active code (scripts, macros) at all. Where is the security risk there, real or perceived? By what stretch of the imagination can Microsoft say, "...these file formats are blocked because they are less secure. They may pose a risk to you."
Now it may be entirely possible that these old import filters in Excel are poorly written and poorly maintained and that Microsoft may be trying to reduce the overall security exposure of MS Office by ditching old code that is not strategic for them. But call it that. The MS Office code has the problem. Don't malign the formats. Don't make up some untenable story that DIF format is "less secure" and "may pose a risk for you".
Interesting. Well, let's look at the record. If we query the CERT vulnerability database for "WK1", "WK3", "WK4", etc., how many reported vulnerabilities do we see? Zero. Nothing.
But search the same database for "XLS" and what do we see? Eleven reported vulnerabilities:
| ID | Date Public | Name |
|---|---|---|
| VU#493185 | 01/09/2007 | Microsoft Excel vulnerable to arbitrary code execution via malformed record |
| VU#176556 | 10/10/2006 | Microsoft Office fails to properly parse malformed records |
| VU#807780 | 10/10/2006 | Microsoft Office fails to properly parse malformed Smart Tags |
| VU#194944 | 03/07/2007 | Microsoft Windows fails to properly handle malformed OLE documents |
| VU#234900 | 10/10/2006 | Microsoft Office fails to properly parse malformed strings |
| VU#534276 | 10/10/2006 | Microsoft Office fails to properly parse malformed chart records |
| VU#613740 | 02/02/2007 | Microsoft Excel memory access vulnerability |
| VU#706668 | 10/10/2006 | Microsoft Excel fails to properly process malformed DATETIME records |
| VU#252500 | 10/10/2006 | Microsoft Excel fails to properly process malformed COLINFO records |
| VU#143292 | 07/03/2006 | Microsoft Excel fails to properly process malformed STYLE records |
| VU#802324 | 06/16/2006 | Microsoft Excel vulnerability |
Hmm... I'm so glad they disabled access to the risky formats.
And what about the Data Interchange Format (DIF), the text based format for exchanging data between spreadsheets. As well as being text-based and easy to parse, DIF doesn't allow any active code (scripts, macros) at all. Where is the security risk there, real or perceived? By what stretch of the imagination can Microsoft say, "...these file formats are blocked because they are less secure. They may pose a risk to you."
Now it may be entirely possible that these old import filters in Excel are poorly written and poorly maintained and that Microsoft may be trying to reduce the overall security exposure of MS Office by ditching old code that is not strategic for them. But call it that. The MS Office code has the problem. Don't malign the formats. Don't make up some untenable story that DIF format is "less secure" and "may pose a risk for you".
Digg | Reddit | Del.icio.us
# posted by Rob : 1/02/2008 10:00:00 AM 17 comments (policy) links to this post
