Microsoft: .doc and .xls are dangerous

A common phenomenon in the tech world is when vendors trash their own past products in an effort to convince you of the value of shiny new ones.

Here is an example. Microsoft’s security advisory 937696 and the related KB 935865 tell us of the dangers posed by Office binary formats including .doc, .xls and .ppt:

MOICE uses the 2007 Microsoft Office system converters to convert the Office binary format files into the Office Open XML format. This process helps remove the potential threat that may exist if the document is opened in the binary format. Additionally, MOICE converts incoming files in an isolated environment. This helps protect the computer from a potential threat.

What’s MOICE? It’s the Microsoft Office Isolated Conversion Environment, proving that even after Silverlight, the department of verbose and meaningless names is alive and well in Redmond. It is an add-on to Office 2003 or 2007 that automatically converts Office binary formats to Office Open XML (OOXML). Further, administrators can now choose to implement File Block, which prevents users from opening specified binary document types without first converting them.

The presumption here is that OOXML documents are safer. Probably true, especially since documents containing macros now require a different extension (.docm, .xlsm) to flag the fact that they contain macros.
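The two points above (the binary container versus the OOXML zip container, and macros flagged by extension) can be checked mechanically on incoming files. The following is an added example, not code from the post, Microsoft or MOICE: it identifies the container by magic bytes, looks for a VBA part inside an OOXML zip, and reports when the extension does not match the content; the sample documents it builds are constructed in memory and are not real Office files.

```python
import io
import zipfile

# Magic bytes: OLE2 compound file (legacy .doc/.xls/.ppt) vs zip (OOXML).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
BINARY_EXT = {"doc", "xls", "ppt"}
OOXML_EXT = {"docx", "xlsx", "pptx"}
MACRO_EXT = {"docm", "xlsm", "pptm"}


def make_ooxml(with_macros: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style zip, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def classify(filename: str, data: bytes) -> dict:
    """Identify the container, detect a VBA part in OOXML, and check that the
    file extension is consistent with what the content actually is."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    has_vba = None  # unknown unless the zip can be inspected
    if data.startswith(OLE_MAGIC):
        container = "ole-binary"  # macro check would need OLE stream parsing
    elif data.startswith(ZIP_MAGIC):
        container = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                has_vba = any(n.lower().endswith("vbaproject.bin")
                              for n in zf.namelist())
        except zipfile.BadZipFile:
            container = "unknown"
    else:
        container = "unknown"

    if ext in BINARY_EXT:
        ok = container == "ole-binary"
    elif ext in OOXML_EXT:
        ok = container == "ooxml" and not has_vba  # .docx must carry no VBA
    elif ext in MACRO_EXT:
        ok = container == "ooxml"
    else:
        ok = False
    reason = "ok" if ok else f"extension .{ext} vs {container}, vba={has_vba}"
    return {"container": container, "has_vba": has_vba,
            "consistent": ok, "reason": reason}
```

A .docx whose zip carries a vbaProject.bin, or a .doc that is really a zip, is flagged as inconsistent; that is the kind of file a gateway should quarantine for inspection rather than pass through on the strength of its extension.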

A side effect is that MOICE spreads the adoption of OOXML. Like Joe Wilcox, I can’t help wondering whether it was this, rather than security, which has prompted this release.

OOXML has real advantages, yet it can also be tiresome. Users install Office 2007, email a Word document to someone, then get a perplexed reply saying that the document won’t open. I’ve been known to show people how to set the default back to the old binary formats to avoid this problem – I would love to know how many Office 2007 rollouts do this as a matter of course.

After all, it is late in the day for Microsoft to consider blocking these formats. The Sophos web site has a Top Ten Viruses page with a neat feature: you can see stats for the last 10 years. These confirm my hunch. Back in 1999, there were 9 office macro viruses in the top 10 (Sophos prefixes these with WM or XM). Today? None. Further, note that the top 10, according to Sophos, account for 94.6% of all viruses in the wild.

The reason is that in the intervening years Microsoft has built reasonably good macro protection into Office. A factor here is that emailed documents rarely need to contain macros, so if you double-click an attachment and it wants to run a macro, that’s a big clue that something is awry.

That said, there is clearly still some risk from macro viruses, or from documents with crafted corruptions that infect a PC. Recently, OpenOffice has also been shown to be vulnerable. So MOICE has value, but is it enough to compensate for the cost in terms of inconvenience? After all, while Office binary formats are almost universally readable, that’s not the case for OOXML. If you run Windows, and have Office 2000 or higher, and broadband Internet, and sufficient rights to install the converter, then the process is reasonably smooth; but that is a long way from universal.

MOICE strikes me as low priority in security terms, but nevertheless an intriguing development in the battle for XML office format adoption.

Sorry Ryan, this can’t be done

I enjoy Ryan Stewart’s Universal Desktop blog on Rich Internet Applications. It’s changing though. Stewart now works for Adobe, though he says:

I’m joining Adobe as a Rich Internet Application Evangelist on the Platform Team. One of the things I get a lot of feedback on is that everyone appreciates me being “neutral” and covering all angles of the rich internet application space. None of that is going to change.

Can’t be done unfortunately. He will have to get used to being Adobe’s Ryan Stewart.


Why Rich Internet Applications Matter

Anne Zelenka is sceptical about RIAs:

The idea is that we need more rich interactivity from our browser apps than they give us. But is this just developer fantasy, or does it represent a real end user need?

It’s a great question. I believe it’s fair to say that all the interest in RIA, sparked by Flash and inflamed by Silverlight, is still more hype than real-world usage (especially Silverlight, still in Alpha for the .NET version).

There are multiple issues here. In particular:

  • Will we see HTML/CSS/JavaScript (call it AJAX if you like) gradually giving way to browser-hosted apps running in plug-ins (Flash, Silverlight, Java)?
  • Will we see a new breed of internet-delivered, zero-install desktop apps that will diminish our dependence on web browsers?

I have few doubts about the first of these. The reasons include ease of development, flexibility and predictability of design, the performance benefits of JIT compilers, convergence between internet and broadcasting, and richer content enabled by ubiquitous broadband, to name some of them.

The second is more contentious. But I think it will happen. There is room for debate about what constitutes a “real end user need”; but if you rephrase that as “real end user benefits” then it makes more sense. The main reasons are offline use and better integration with local OS services.

A while back a web app sceptic (I forget who) described the browser to me. “I call it Window”, he said. His point still holds. There is no need to do all your work within a browser box.
