OOXML Fataly Flawed?

Thanks to Roy’s tenacity and constant vigilance, I have learned how it now appears the MS Office binary format that is wrapped in XML and is now known as IS 29500 (OOXML), an ISO Standard Office Document Specification (ROTFL), is giving hackers everywhere a field day.

It is now official and also confirmed that OOXML files are not just insecure but there are also persistent attacks against new flaws (without any security patches being available, i.e. zero-day).

There are some good links and sources to this article so recommended reading for anyone who is considering using Office 2007 or receives an OOXML document (the ones ending in x, e.g docx, pptx and xlsx). IMHO your automatic response should be to return it directly to the sender, do not attempt to open it, and ask for them to send it to you in an open format such as ODF or PDF or even plain text. I would also suggest that you provide a link to OpenOffice.org in the reply.

In the last few scant months, there have been several major and very serious security flaws and attack opportunities with Microsoft’s software. Surely, it must be becoming clear to everyone by now:

If the foundations are weak, the walls crumbling, the windows broken and the roof collapsing; it’s time to move.

A new ISO Document Standard is born

Well, well, well.

It seems as though we will soon have a new ISO Standard for electronic documents: ISO 32000 Standard (DIS).

It went through a ballot – just like DIS29500 – but it passed. Jim King writes:

Adobe has received word that the Ballot for approval of PDF 1.7 to become the ISO 32000 Standard (DIS) has passed by a vote of 13::1.

Countries voting positive with no comments: Australia, Bulgaria, China, Japan, Poland, South Africa, Spain, Sweden, Ukraine. (9)
Countries voting positive with comments: UK (13), USA (125), Germany (11), Switzerland (19). (4)
Countries voting negative with comments: France (37). (1)
Countries abstaining: Russia (1)
Italy sent comments but is not a voting (P) member.

Total votes 14.

13 Positive is 93% (must be > 66.6%) 1 Negative is 7% (must be < 25%). Clear winner!

Total comments (205).

Five countries added comments to their ballots for a total of 205 that will have to be resolved.

Isn’t it interesting how this proprietary software company has managed to ease their specification through the Standardisation process with barely a murmur? No allegations of committee stuffing, vote rigging, bribery or any other skulduggery (that’s a good word! I haven’t written that one for along time) as far as I can tell. Why?

Because, Adobe have been open and transparent. The format is also very widely used and implemented already, and by many other software products too, not just Adobe’s. It is also a “Portable” format; meaning you can create a PDF file on one machine, give it to anyone you like, not care about what computer they use, what printer they have etc etc and it will render faithfully to the original.

Adobe announced their intention to release the entire PDF specification to the ISO in January this year:

SAN JOSE, Calif. — Jan. 29, 2007 — Adobe Systems Incorporated (Nasdaq:ADBE) today announced that it intends to release the full Portable Document Format (PDF) 1.7 specification to AIIM, the Enterprise Content Management Association, for the purpose of publication by the International Organization for Standardization (ISO).

You can download the current specification document from Adobe’s web site here. And it isn’t 6000+ pages long either, the 4 files that go to make up the entire spec are just under 1400 pages.

Now Adobe also own some Patents with respect to the reading and writing of PDF documents. But on a clear and easy to understand web page they give free license to use within the terms of the specification:

Adobe desires to promote the use of PDF for information interchange among diverse products and applications. Accordingly, the following patents are licensed on a royalty-free, nonexclusive basis for the term of each patent and for the sole purpose of developing software that produces, consumes, and interprets PDF files that are compliant with the Specification…

That is quite a bit different from the convoluted legalise that Microsoft is spouting in their “Open Specification Promise”:

  • The Promise does not cover any material that is referenced, but not described in detail, within the specification. Even if the referenced material is required for an implementation, no patent rights extend to the implementer. For example, numerous sections, including those sections which require replicating the behavior of proprietary Microsoft products, do not appear to be described in detail and therefore are not covered by Microsoft’s Promise. Additional necessary Microsoft proprietary technologies not described in detail include OLE, macros/scripts, encryption, and DRM. Microsoft has not stated a position on whether any patent rights associated with these technologies will be made available on terms acceptable to ISO.
  • The Promise is limited to claims “..that are necessary to implement only the required portions of the Covered Specification.” [emphasis added]. The Promise does not cover optional aspects. To the extent that the implementer includes “excluded optional portions (or non-required elements of optional portions)” that are in OOXML, the implementer would be unlicensed to any Microsoft patents covering those items and vulnerable to patent infringement allegations. For example, password features for WordProcessingML may not be required but are described in the specification (2.15.1.28, page 1,158). From a practical perspective, all optional aspects of a format are necessary for a full implementation to function effectively across the wide range of possible software behaviours.

I wonder how Microsoft will feel about their ISO specification attempt of XML Paper now?

The XML Paper Specification (XPS) provides users and developers with a robust, open and trustworthy format for electronic paper. The XML Paper Specification describes electronic paper in a way that can be read by hardware, read by software, and read by people. XPS documents print better, can be shared easier, are more secure and can be archived with confidence.

This sounds very similar to what PDF, a proven, globally used and respected specification, already gives us. Once again, we have a fine standard, already approved and capable of being used by anyone. Why would we want – or need – another? For who’s benefit would this new specification be?

Let’s conclude with some more from Jim King at Adobe:

I have been nominated by the US Committee to be the technical editor so for the meeting of the International working group on ISO 32000 on January 21-23, 2008 I will come prepared with responses to all of the 205 comments. If the group can address all the comments to the satisfaction of all countries, especially the ones voting negatively, it is possible to finish at that meeting and publish the revised document. If the resolution is more complicated then we will enter a 2 month FDIS vote. The FDIS votes are not accompanied by comments so if we get no more negative votes at that time the revised document will be the one published as ISO 32000.

It may seem strange that the sponsoring country (US) is the one with the most comments (125) but I think that is a reflection of two things: the US committee contains a lot of knowledgeable people including several from Adobe, and we honestly found some mistakes that we felt must be corrected. To me this reflects the honesty with which this group has approached this whole effort. We could have held back to reduce the number but that is not the way this whole effort has been conducted and we are not about to start with any trickery.

Good words, especially the “…and we are not about to start with any trickery.” bit ;-).