An Antic Disposition

Archives for 2008

Legacy format FUD

2008/01/02 By Rob 17 Comments

From CyberTech Rambler (and Slashdot) comes the news that the Office 2003 Service Pack #3 disables (blocks) access to a number of legacy document formats. Details are in this MS support article. Formats so blocked include legacy Lotus 1-2-3 and Corel Quattro Pro formats. Why? According to the Microsoft support article, “By default, these file formats are blocked because they are less secure. They may pose a risk to you.”

Interesting. Well, let’s look at the record. If we query the CERT vulnerability database for “WK1”, “WK3”, “WK4”, etc., how many reported vulnerabilities do we see? Zero. Nothing.

But search the same database for “XLS” and what do we see? Eleven reported vulnerabilities:

ID          Date Public   Name
VU#493185   01/09/2007    Microsoft Excel vulnerable to arbitrary code execution via malformed record
VU#176556   10/10/2006    Microsoft Office fails to properly parse malformed records
VU#807780   10/10/2006    Microsoft Office fails to properly parse malformed Smart Tags
VU#194944   03/07/2007    Microsoft Windows fails to properly handle malformed OLE documents
VU#234900   10/10/2006    Microsoft Office fails to properly parse malformed strings
VU#534276   10/10/2006    Microsoft Office fails to properly parse malformed chart records
VU#613740   02/02/2007    Microsoft Excel memory access vulnerability
VU#706668   10/10/2006    Microsoft Excel fails to properly process malformed DATETIME records
VU#252500   10/10/2006    Microsoft Excel fails to properly process malformed COLINFO records
VU#143292   07/03/2006    Microsoft Excel fails to properly process malformed STYLE records
VU#802324   06/16/2006    Microsoft Excel vulnerability

Hmm… I’m so glad they disabled access to the risky formats.

And what about the Data Interchange Format (DIF), the text-based format for exchanging data between spreadsheets? As well as being text-based and easy to parse, DIF doesn’t allow any active code (scripts, macros) at all. Where is the security risk there, real or perceived? By what stretch of the imagination can Microsoft say, “…these file formats are blocked because they are less secure. They may pose a risk to you”?
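To make the "easy to parse, no active code" point concrete, here is a complete DIF reader. It is an added example written for this page, not code from the original post or from any spreadsheet product; the DIF text it reads is a constructed sample, and the `DIFError`, `parse_dif` and `is_well_formed` names are this example's own. The whole format is header triples followed by data pairs, and the only "risk" a reader has to manage is the one the XLS advisories above are about: trusting a file's declared sizes. So the parser checks each tuple against the VECTORS and TUPLES counts the header declares and rejects a file that contradicts itself.

```python
"""Minimal reader for the Data Interchange Format (DIF).

Added example, not the post's or any vendor's code. A DIF file is a header
section of three-line items followed by a data section of two-line records;
every record is a number or a string, so there is nowhere for a macro or
script to live.
"""

from typing import Dict, List, Optional, Tuple, Union

Cell = Union[float, str, bool, None]

# Constructed sample: a 2-row by 3-column sheet as a spreadsheet would export it.
SAMPLE_DIF = """TABLE
0,1
"EXAMPLE"
VECTORS
0,3
""
TUPLES
0,2
""
DATA
0,0
""
-1,0
BOT
1,0
"Item"
1,0
"Qty"
1,0
"Price"
-1,0
BOT
1,0
"Widget"
0,4
V
0,2.5
V
-1,0
EOD
"""

# Constructed malformed sample: the second tuple carries four cells although
# the header declares VECTORS = 3. A careless reader would index past its row.
MALFORMED_DIF = SAMPLE_DIF.replace("0,2.5\nV\n", "0,2.5\nV\n0,9\nV\n")


class DIFError(ValueError):
    """Raised when a file violates the DIF structure or its own declared sizes."""


def _unquote(s: str) -> str:
    # DIF string lines are wrapped in double quotes; embedded quotes are doubled.
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return s[1:-1].replace('""', '"')
    return s


def parse_dif(text: str) -> Dict[str, object]:
    """Return {'header': {...}, 'rows': [[cell, ...], ...]} or raise DIFError."""
    lines = text.splitlines()
    i = 0
    header: Dict[str, Tuple[int, Union[int, str], str]] = {}

    # Header section: triples of (topic, "vector,value", "string") up to DATA.
    while True:
        if i + 2 >= len(lines):
            raise DIFError("truncated header (no DATA item)")
        topic, numbers, string = lines[i], lines[i + 1], lines[i + 2]
        i += 3
        vec, val = numbers.split(",", 1)
        header[topic] = (int(vec), int(val) if val.lstrip("-").isdigit() else val, _unquote(string))
        if topic == "DATA":
            break

    declared_cols = header.get("VECTORS", (0, None, ""))[1]
    declared_rows = header.get("TUPLES", (0, None, ""))[1]

    # Data section: pairs of ("type,value", indicator-or-string) up to EOD.
    rows: List[List[Cell]] = []
    current: Optional[List[Cell]] = None
    while i + 1 < len(lines):
        numbers, string = lines[i], lines[i + 1]
        i += 2
        type_code, value = numbers.split(",", 1)
        code = int(type_code)
        if code == -1:                       # special record: BOT or EOD
            if string == "BOT":
                current = []
                rows.append(current)
            elif string == "EOD":
                break
            else:
                raise DIFError(f"unknown special record {string!r}")
            continue
        if current is None:
            raise DIFError("data record before first BOT")
        if code == 0:                        # numeric; the string line is a value indicator
            if string == "V":
                current.append(float(value))
            elif string in ("TRUE", "FALSE"):
                current.append(string == "TRUE")
            elif string in ("NA", "ERROR"):
                current.append(None)
            else:
                raise DIFError(f"bad numeric indicator {string!r}")
        elif code == 1:                      # string value
            current.append(_unquote(string))
        else:
            raise DIFError(f"unknown data type code {code}")
        # Enforce the declared width: a file may not exceed its own header.
        if isinstance(declared_cols, int) and len(current) > declared_cols:
            raise DIFError(f"tuple {len(rows)} exceeds declared VECTORS={declared_cols}")
    else:
        raise DIFError("missing EOD record")

    if isinstance(declared_rows, int) and len(rows) != declared_rows:
        raise DIFError(f"found {len(rows)} tuples, header declares TUPLES={declared_rows}")
    return {"header": header, "rows": rows}


def is_well_formed(text: str) -> bool:
    """True if the text parses as DIF and honours its own declared sizes."""
    try:
        parse_dif(text)
        return True
    except ValueError:                      # DIFError is a ValueError
        return False


if __name__ == "__main__":
    for row in parse_dif(SAMPLE_DIF)["rows"]:
        print(row)
```

Run it and the two rows print as plain Python lists; feed it `MALFORMED_DIF` and it refuses the file instead of reading a fourth cell into a three-column row. That declared-size check is the entire hardening story for a format like this, which is rather different from the record-parsing bugs listed for XLS.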

Now it may be entirely possible that these old import filters in Excel are poorly written and poorly maintained, and that Microsoft is trying to reduce the overall security exposure of MS Office by ditching old code that is not strategic for them. But call it that. The MS Office code has the problem. Don’t malign the formats. Don’t make up some untenable story that the DIF format is “less secure” and “may pose a risk to you”.

Filed Under: Office

Copyright © 2006-2022 Rob Weir · Site Policies