Office 2007



  • some microsoft guy on the new office file format based on xml... 

     Mr Capossela said: "XML is a lot more robust and secure. It's much harder to break into those file formats and do bad things."

     erm...wtf...dont get me worng the idea of the xml format is gd because of interoperability...but xml is more secure?!?!

     



  • I think in this case "secure" means;

    It doesn't natively carry any of those macro/VB-based virii that Microsoft is famous for [we'll need to implement all kinds of nasty CDATA hacks before it will do that].



  • I believe that what makes it more secure is not the XML in itself, but the fact that they are constructing a new file format from scratch, and are considering security all the way. That is much simpler to keep secure than using an old unsecure format and try to handle it in a secure way.

    The security lies in ditching the old format that was constructed without the everyday security knowledge that we possess today.

     



  • [quote user="Guffa"]

    I believe that what makes it more secure is not the XML in itself, but the fact that they are constructing a new file format from scratch, and are considering security all the way. That is much simpler to keep secure than using an old unsecure format and try to handle it in a secure way.

    The security lies in ditching the old format that was constructed without the everyday security knowledge that we possess today.

     

    [/quote]

    Which will last riiiiiiiiiiiiiight up until the future-compatible method of embedding macros in XML documents, transitioned from older stuff. in revealed. 



  • I think what they're trying to say is:

    "There are less buffer overruns in our XML parser than there are in our old parser"

    That's believable. The number of unfixed bugs in IE and Office's parsers that are still waiting to be publicised is probably quite large.

    Doesn't help you though, because the new versions of the software will still contain the old parsers.
     



  • [quote user="foxyshadis"][quote user="Guffa"]

    I believe that what makes it more secure is not the XML in itself, but the fact that they are constructing a new file format from scratch, and are considering security all the way. That is much simpler to keep secure than using an old unsecure format and try to handle it in a secure way.

    The security lies in ditching the old format that was constructed without the everyday security knowledge that we possess today.

    [/quote]

    Which will last riiiiiiiiiiiiiight up until the future-compatible method of embedding macros in XML documents, transitioned from older stuff. in revealed. 

    [/quote]

    But Office XML documents WITH macros have a different file extension (DOCM or XLSM) than their no-macro equivalents (DOCX or XLSX), so they are impossible to "disguise" as normal documents.



  • [quote user="BradC"]But Office XML documents WITH macros have a different file extension (DOCM or XLSM) than their no-macro equivalents (DOCX or XLSX), so they are impossible to "disguise" as normal documents.[/quote]

    The REAL WTF is that now you can't rename the file, because the DRM in Office is strong it takes over your file system!



  • [quote user="Benanov"]

    [quote user="BradC"]But Office XML documents WITH macros have a different file extension (DOCM or XLSM) than their no-macro equivalents (DOCX or XLSX), so they are impossible to "disguise" as normal documents.[/quote]

    The REAL WTF is that now you can't rename the file, because the DRM in Office is strong it takes over your file system!

    [/quote]

    Not really what I meant. Renaming a DOCM file as a DOCX doesn't "fool" the application.
    When Office opens a DOCX or XSLX file, it doesn't expect to see any macro code, and if it finds any, it will simply ignore it.
    If it opens a DOCM or XLSM file, it expects to find macro code, but will give all the normal warnings about "trusting the sender" that you get now in the current version.



  • "When Office opens a DOCX or XSLX file, it doesn't expect to see any macro code, and if it finds any, it will simply ignore it."

    If Office is going to determine the type of a document based on the filename extension, that's a mighty huge WTF in of itself.

     



  • [quote user="Xarium"]

    I think in this case "secure" means;

    It doesn't natively carry any of those macro/VB-based virii that Microsoft is famous for [we'll need to implement all kinds of nasty CDATA hacks before it will do that].

    [/quote]

    CDATA?  No, no.  That's what XML processing instructions are for:

     <?msrun insecure.dll "C:\spambot.exe"?>
     



  • If Office is going to determine the type of a document based on the filename extension, that's a mighty huge WTF in of itself.
    (emph. added)

    You mispelled Windows, and it is.

    Personally I'm quite fond of the *nix-world file utility, and (I'm a GNOME user) the way Nautilus handles the mime type.

     

    To go further up the thread: 

    You'd figure, rightly or wrongly, that DOCM and DOCX would be opened by the same application on a typical office install.  That's a reasonable assumption, no?

    I would assume that most file formats would have a header that should tell the application what it is loading.  If that's what you meant, that's fine, but you need to specify that.

    Do not forget that thanks to extension-hiding and other stupid
    WTFs that Microsoft has committed it is possible to convince someone to
    open
    "ILOVEYOU.TXT                                                        
    .EXE"

    Pardon my sarcasm, but you walked right into it. :)


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.