An Antic Disposition

You are here: Home / Archives for Office

Office

Legacy format FUD

By 17 Comments

From CyberTech Rambler (and Slashdot) comes the news that the Office 2003 Service Pack #3 disables (blocks) access to a number of legacy document formats. Details are in this MS support article. Formats so blocked include legacy Lotus 1-2-3 and Corel Quattro Pro formats. Why? According to the Microsoft support article, “By default, these file formats are blocked because they are less secure. They may pose a risk to you.”.

Interesting. Well, let’s look at the record. If we query the CERT vulnerability database for “WK1”, “WK3”, “WK4”, etc., how many reported vulnerabilities do we see? Zero. Nothing.

But search the same database for “XLS” and what do we see? Eleven reported vulnerabilities:

ID Date
Public		 Name
VU#493185 01/09/2007 Microsoft Excel vulnerable to arbitrary code execution via malformed record
VU#176556 10/10/2006 Microsoft Office fails to properly parse malformed records
VU#807780 10/10/2006 Microsoft Office fails to properly parse malformed Smart Tags
VU#194944 03/07/2007 Microsoft Windows fails to properly handle malformed OLE documents
VU#234900 10/10/2006 Microsoft Office fails to properly parse malformed strings
VU#534276 10/10/2006 Microsoft Office fails to properly parse malformed chart records
VU#613740 02/02/2007 Microsoft Excel memory access vulnerability
VU#706668 10/10/2006 Microsoft Excel fails to properly process malformed DATETIME records
VU#252500 10/10/2006 Microsoft Excel fails to properly process malformed COLINFO records
VU#143292 07/03/2006 Microsoft Excel fails to properly process malformed STYLE records
VU#802324 06/16/2006 Microsoft Excel vulnerability

Hmm… I’m so glad they disabled access to the risky formats.

And what about the Data Interchange Format (DIF), the text based format for exchanging data between spreadsheets. As well as being text-based and easy to parse, DIF doesn’t allow any active code (scripts, macros) at all. Where is the security risk there, real or perceived? By what stretch of the imagination can Microsoft say, “…these file formats are blocked because they are less secure. They may pose a risk to you.”

Now it may be entirely possible that these old import filters in Excel are poorly written and poorly maintained and that Microsoft may be trying to reduce the overall security exposure of MS Office by ditching old code that is not strategic for them. But call it that. The MS Office code has the problem. Don’t malign the formats. Don’t make up some untenable story that DIF format is “less secure” and “may pose a risk for you”.

Beware of Geeks Bearing Gifts

By 4 Comments

Some interesting news, via Bob Sutor.

Let’s take a closer look at the what is being offered as part of this “royalty free” deal from Microsoft.

At first it appears like an early Christmas present from Microsoft, a royalty-free license to the Office UI for “software vendors who wish to incorporate the 2007 Microsoft Office User Interface into their own products.” Woo hoo!

Now to be totally honest, I must admit that I’m not a big fan of the new Office ribbon UI. It smacks a bit too much of the kind of New, Improved Packaging! campaign that snack food companies engage in periodically. It is the same junk food in the end, with a new wrapper. But the domination of Microsoft is so great on the client, that their UI whim is practically the law for everyone else. So we must pay attention. Their market presence defines the norms, and these norms define user expectations and therefore intuitiveness. User interface guru Jakob Nielsen said it well:

If anybody else introduced a new user interface paradigm, it would probably remain a curiosity for years, but Microsoft Office has a special status as the world’s most-used interaction design. We know from user testing that users often demand that other user interfaces work like Office. When you’re used to one style most of the day, you want it in other applications and screens as well.

So, any genuine attempt to encourage the free and open use of new UI paradigms is to be applauded. The current Windows UI is certainly the result of an industry-wide evolution, with contributions from Xerox, Apple, IBM, NeXt and many others. Although Microsoft is the main beneficiary of this UI consolidation, they were not the sole contributors. So it is good to share the love and continue this evolution.

But then we read the fine print in what Microsoft is offering:

The program does not involve code or technical specifications and there are no protocols or file formats either.

OK. So what exactly are they offering? Answer:

pending utility and design patent claims, copyrights, trade dress and trademark rights.

OK. Another one of those, “We got stuff; you’ll need to deal with us” FUD messages. Odd that they aren’t offering any code or technical specifications, but they are still claiming copyright? Anyone remember Lotus v. Borland? “Method of operation” ring a bell?

We read further:

Your Licensed UI must comply with the Design Guidelines. If Microsoft notifies you that the Design Guidelines have been updated or that you are not complying with the Design Guidelines, you will make the necessary changes to comply as soon as you reasonably can, but no later than your next product release that is 6 months or more from the date you receive notice.

So once you accept this license, Microsoft can pretty much jerk you around whenever they want. I’ve seen terms like this before when licensing redistributable code modules. But has anyone seen this for merely following someone’s UI guidelines?

It gets still stranger:

This license contains no sub-license rights. If you allow others to use, copy, modify or distribute your Licensed UI in their products, your contract with them must state that they receive no Microsoft rights in the Licensed UI from you.

Not very open source friendly, is this? You can marry into the family and get protection from the Godfather, but you can’t transfer this to anyone. They need to make their own accommodation with Microsoft.

This makes me wonder about the Microsoft-funded ODF Add-in for Word that Clever Age and others are working on. This add-in does UI-level manipulations of the Office 2007 ribbon. Are they covered under Microsoft’s license program? Are their user’s covered? What about anyone who takes the source code and modifies it and redistributes it?

And then the nail in the coffin:

“Excluded Products” software products or components, or web-based or hosted services that perform primarily the same general functions as the Microsoft Office Word, Excel, PowerPoint, Outlook and Access software applications, and that are created or marketed as a replacement for any or all of those Microsoft applications.

So here the mask of openness falls off and we see this for what it is. This is very reminiscent of the original license on the Microsoft binary file formats, back in the days when the specifications were published on MSDN CD’s:

[Y]ou may use documentation identified in the MSDN Library portion of the SOFTWARE PRODUCT as the file format specification for Microsoft Word, Microsoft Excel, Microsoft Access, and/or Microsoft PowerPoint (“File Format Documentation”) solely in connection with your development of software product(s) that operate in conjunction with Windows or Windows NT that are not general purpose word processing, spreadsheet, or database management software products or an integrated work or product suite whose components include one or more general purpose word processing, spreadsheet, or database management software products.

Interestingly in that case, once they achieved their goal of total market domination, Microsoft removed the file format documentation from MSDN and it was only available under a special license. They started open, in order to gain market domination, but once their goals were achieved, the openness ended. What prevents this from happening again?

Caveat emptor, even when it appears to be free. The first one always is.

Genesis 11:5-9

By 5 Comments

This, fresh from from Office Watch: “Office 2007 compatibility pack disappoints”.

Update 11/15: Some readers have written with more information. This may be an issue between the pre-1.5-final-draft version of OOXML and the final RTM Compatibility Pack. Evidently there were some late changes to the OOXML specification, including a change in namespace URI’s. So the problems seem to be between documents created in the beta version of Office 2007 (not sure whether all beta’s including the Technical Refresh) and the RTM version of Office. Confusing to say the least. It looks like the referenced article is being updated with additional details.

Update 11/7: The cited article updated again. This seems to be an issue related to what patch level you are running. If you have all of the updates applied to Windows/Office, the Compatibility Pack works as advertised.

Since there are a number of convertor initiatives under development, it is probably worth backing up and taking a survey of where we stand today:

ODF = Open Document Format, an XML-based document format used in products like IBM Workplace, the next version of Lotus Notes, OpenOffice.org, KOffice, AbiWord, GNUmeric, etc. ODF is an ISO standard and is maintained at OASIS.

OOXML = Office Open XML, an XML-based format which will be used in Microsoft Office 2007 when it is released in January. OOXML is currently a draft specification in Ecma, though it will certainly be adopted as an Ecma standard in December.

The Legacy Formats = the proprietary binary formats that Microsoft used before Office 2007, the familiar DOC, XLS and PPT files.

So, what can be converted to what, using what, and does it really work?

If you upgrade to Office 2007 when it comes out, you will be able to read and write both the OOXML and the Legacy formats. Both are supported out-of-the-box.

If you want to stay on an older version of Office, and need to exchange documents with someone using the new OOXML formats, then you need Microsoft’s Compatibility Pack. As the above article points out, getting this to work in practice requires first ensuring that your patch level is current.

What about ODF? If you are on Microsoft Office, then there are two initiatives underway to bring ODF support to Office. One is the Microsoft-supported (and now Novell as well) odf-convertor project on SourceForge. Their initial deliverable will be the “ODF Add-in For Microsoft Word”. I didn’t have all that much luck with an earlier “alpha” version of the Add-in, but I’ve heard it is much improved. However, in the near term it only supports reading ODF text documents. No support for writing, and no support for presentations or spreadsheets. These other features are slated to be delivered in future phases of the project. The Open Document Foundation is also developing a convertor, which they call the “ODF Plugin”. Sam Hiser will be presenting on it at XML 2006 in Boston, so hopefully we’ll learn more about it then.

If you are running OpenOffice.org, then you already have excellent integrated conversion support between ODF and the Legacy Office formats. But if you need to exchange documents with someone using Office 2007 and its default OOXML formats then you are out of luck for now. However, please note that the recent Novell/Microsoft agreement included a statement (if I’m reading this correctly) that Novell would help add OOXML support to OpenOffice.org. So this support should eventually make it into OpenOffice.org.

So, based on what really works today, I’d offer this recommendation: If you must upgrade to Office 2007 , then turn the default file formats to be the Legacy binary formats. Until the OOXML convertors mature and all Office users have migrated off the beta and have compatible OOXML versions, you’ll only be causing chaos with those you exchange documents with if you save as OOXML.

The OOXML Compatibility Pack

By

Just saw something worth noting. I was on a machine running Office XP and tried to open an Office Open XML (OOXML) formatted document. I don’t know why I tried that, but I did.

Word was smart enough to put up the following dialog:

Now, that is something I hadn’t seen before. I think we all knew that Microsoft was planning a compatibility pack for enabling OOXML on Office 2003 and Office XP. But my 2002 version of Windows XP knows about OOXML? I guess this wisdom must have come down in a previously downloaded Office patch.

In any case, if you click yes, you are directed to this page where you are offered a download of “Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (Beta 2)”. I had the pre-req’s, which included Windows XP SP2 and Office XP SP 3. So downloading a few file conversion filters should be simple and small, right?

Well, simple, but not so small. I was suprised to see that the convertors download was 43MB. That seems a bit large. In comparison, you can download a complete copy of OpenOffice.org, with included support for ODF documents and the Office binary formats, and the entire product is only a 93MB download. The 0.2 ODF Add-in for Word is only 1MB in size. So why does adding OOXML support to Office XP require a 43MB download?

In any case, once it is downloaded and installed, the integration with Office appears seemless. You can open OOXML files from the Windows Explorer by double-clicking on them, you can browse and load them as expected from the File Open dialog in Office, you can re-save files in OOXML format via the File Save, you can create a new document and save it as OOXML, you can even configure Word XP so the OOXML formats are the default format for all saved documents in Word. In fact, you can do all of those things that the Microsoft-supported ODF Add-in is not doing.

As reported earlier, the Microsoft support for ODF puts this ISO standard at a distinct disadvantage, providing no shell integration, removing it from its expected place in the File/Open and File/Save menus, and preventing users from making it the default format in Office.

So, let’s update the file format support matrix:

Criterion DOC Format in OpenOffice ODF Format in Word 2007 OOXML Format in Word XP
1. Format supported in default install Yes. No. Requires a download and install of separate, unsupported Add-in. No, but you are prompted to download a free converter pack the first time you attempt to open an OOXML file
2. File Open integration Yes. No. ODF is not listed in the default File Open dialog and doing a Control-O will not show ODF documents. However, ODF import is available in a separate menu item elsewhere in the menu system. Yes.
3. Save new document integration Yes. No. In fact no ODF save ability exists in the current version of the Add-in. There is a place holder for the ODF save operation, though it is on its own menu, and would not be shown when doing a simple Control-S to save a new document. Yes.
4. Can be made the default format Yes. No. Although other non-Microsoft formats, such as “Plain Text” can be made the default format, ODF cannot. Yes.
5. Simple round-tripping Yes. No. When an ODF document is loaded, its name is automatically changed and it is made read-only. So loading sampler.odt results in Word having a read-only version of sampler_tmp.docx. Attempting a simple Control-S to save will give an error. Yes.
6. Shell integration Yes. No. Yes.

I tip my hat to Microsoft for the way they have provided OOXML support in earlier versions of Office. Aside from the size of the download, the process was simple and the integration was seamless. That’s the way it should be. But what makes them think that customers using ODF format would want anything less than this? That fact that they’ve been able to integrate OOXML so well only increases the shame in having integrated ODF so poorly.

A quick look at the 0.2 ODF Add-in for Word

By Leave a Comment

An updated version of the Microsoft-sponsered ODF Add-in for Word has been posted. A few weeks ago I had tried out the earlier 0.1 version with results you can read here and here.

The Add-in’s Highlights page for the 0.2 version says that “This release is comprehensive with respect to Text, Formatting, Paragraphs, Images, Styles & document metadata scenarios”.

So, I gave it a try, installing it with Office 2007 beta 2 running on Windows XP. Here’s a summary of what I saw.

The UI integration I previously described and criticized remains unchanged. This will put ODF documents at a disadvantage not only compared to Word’s native format, but also compared to other export formats suported by Word such as RTF or even plain text. The only other format that will be ostracized from the File Open menu like this is PDF, and that seems to be because of legal squabbling with Adobe. But what did ODF users do to deserve this treatment?

I tested a conversion with my sampler.odt file. This is a one-page ODF document that uses a combination of essential word processor features. It is not intended to be an acid test. Unfortunately the 0.2 Add-in failed to load the document at all, hanging with the winword.exe process spinning at 100% CPU. So there appears to be some sort of infinite looping going on.

I tried a few variations of this sample.odt document, removing page elements until I could get it to load without hanging. It appears that the image with the caption may be the source of the problem. I’ve reported this defect to the project’s bug tracker and will try again when I hear that it is fixed.