Microsoft has hit back at vendors who have criticised the company's decision to block older file formats in Office 2003 Service Pack 3 (SP3).
According to Microsoft Office product manager, Reed Shaffner, companies who are complaing are exaggerating the problem. "It's never a molehill if it affects just one user," he said, "but I would say that from what we've seen, the user impact has not been as much as the articles [in the news] indicate. I think people are exaggerating the impact a little bit," he said.
The problem started when Office 2003 SP3, released in mid-September, prevented users from opening many aged file formats, including those from early editions of Microsoft Word, Excel and PowerPoint, as well as older formats used by the obsolete Lotus 1-2-3 spreadsheet and Corel's still-current graphics software, CorelDraw. Microsoft said that it had acted because of a perceived security risk.
However, Corel is one vendor still not mollifed by Microsoft's version of events. Gerard Metrallier, Corel's director of product management, graphics said; "Corel has unsuccessfully tried to figure out the basis for categorising .cdr [CorelDraw] files as 'less secure' [and] we are currently working with Microsoft to get more details about this issue. If there is a known problem that had security implications, we will get this resolved as quickly as possible."
Checks by Corel with vulnerability databases compiled by the likes of US-CERT found no listings for CorelDraw, he added. Other databases, including the one kept by Danish vulnerability tracker Secunia, do not list any CorelDraw bugs, patched or otherwise, either, according to research by Computerworld.
Metrallier had no idea why Microsoft had added the .cdr format to the list of blocked files. "We didn't know where the issue was coming from."
Microsoft is looking into alternatives to the manual Windows registry hack that it's offered non-corporate users as the way to restore access to the now-blocked formats, according to Shaffner, although he wouldn't go into details. "We're already [working on] an update to the KB [Knowledge Base article], and we're looking at ways to automate the [unblocking] process."
Shaffner also reiterated earlier Microsoft reasons for the changes. "We wanted to reduce the surface area of future attacks," said Shaffner, who also confirmed that the file formats themselves are not potentially risky, but the code within Office's applications that parses those file formats. "The code for doing that had certain security vulnerabilities," he acknowledged.
Microsoft Office - the 2003 version in particular - has been hard hit during the last two years by hackers who have used "fuzzing" tools to sniff out flaws in the app's parsing of files when opening them. Word, Excel and PowerPoint file formats have been used at various times by attackers to target high-value malware or identity theft victims in corporations.
Shaffner admitted that the Office team could have done a better job at getting out the word about the file format changes in Office 2003 SP3 - "We did do a poor job," he said - but also defended the decision by citing Office 2007. "This is something that Office 2007 has done by default since the day it shipped, and it hasn't impacted users there."