Archive for the ‘Software’ Category

Microsoft loses vote on file standards

Tuesday, September 4th, 2007

BRUSSELS — Microsoft Corp. has failed in a first step to win enough support to make the data format behind its flagship Office software a global standard, the International Standards Organization said Tuesday.

This weekend’s vote by national standards agencies from 104 nations did not provide the two-thirds majority needed to give Microsoft’s format the ISO stamp of approval. But they will meet again in February to try to seek a consensus, and Microsoft could win them over at last.

ISO approval for Microsoft’s Open Office XML would encourage governments and libraries to recognize the format for archiving documents, which in turn could help ensure that people using different technologies in the future could still open and read documents written today in Open Office XML.

Approval of its system as a standard would also help Microsoft tamp down competition from the OpenDocument Format, created by open source developers and pushed by such Microsoft rivals as IBM Corp.

Massachusetts state government stirred huge interest in the matter when it advocated saving official documents for long-term storage in the nonproprietary ODF format. That prompted Microsoft to seek recognition of Open XML by the global standards body.

The company has offered to license Open Office XML for free to anyone who wants to build products that access information stored in Office documents. It claims the format is richer than ODF because, being based on XML computer language, it can store the layout of spreadsheets and legal documents created with Office 2007.

But Shane Coughlan of the Free Software Foundation Europe, a group of open source developers, questioned whether Open Office XML would truly live up to its name and be open to all. Coughlan said it was unclear whether some of the code requires Microsoft’s permission to be used.

“It is important that everyone owns their data, that access does not depend on any one company,” he said. “Any serious corporation or government should be dubious about using it if the legality is unclear.”

Publishing an open standard means it will be available to everyone, a sort of Rosetta stone that makes sure the key documents of today — whether they be legal texts, novels-in-progress or accounting spreadsheets — don’t become unreadable hieroglyphics to future generations.

Despite losing the initial round of voting with ISO, Microsoft was confident of future success, saying many of the ISO members that did not vote for the format said they would do so when certain criticisms have been addressed.

“This preliminary vote is a milestone for the widespread adoption of the Open XML formats around the world for the benefit of millions of customers,” said Microsoft’s general manager for interoperability, Tom Robertson. “We believe that the final tally in early 2008 will result in the ratification of Open XML as an ISO standard.”

According to ISO, Microsoft had 53 per cent of the votes in favor — instead of the 66 per cent it needed.

The ISO process is essentially a debate that tries to fix outstanding problems so a format can win sufficient support. But Coughlan said Microsoft’s heavy lobbying for Open Office XML had shown that ISO selection needs to be reviewed to make sure one voice could not shout louder than others. Coughlan and others have alleged that Microsoft unduly influenced the industry committees that advise national standards bodies on ISO votes.

(Globe and Mail)

Symantec Monthly Security Report

Tuesday, May 8th, 2007

New This Month

Threats posed to Windows Vista™ becoming evident

Microsoft’s new operating system, Windows Vista, is expected to be widely adopted and will likely have a significant effect on the security landscape. Symantec has continued to research potential issues and risks associated with the new operating system.

New phishing economies

As phishing becomes entrenched as a mainstream attack activity, antiphishing techniques are improving and phishers are being forced to focus on new targets and adopt new methods. Symantec believes that, in the near future, phishers will expand the scope of their targets to include new industry sectors.

SMiShing — Spam and phishing go mobile

In July 2006, Symantec reported that SMS and MMS had emerged as new vectors for spam and phishing activity. Subsequently, the term SMiShing was coined by the industry to describe this class of threat. Symantec speculates that SMS- and MMS-based phishing and spam will continue to increase.

Norton 360

Thursday, March 8th, 2007

Presenting the most comprehensive online protection we’ve ever created. Norton 360™ provides all-in-one protection that keeps you, your family, your PC, and your information secure.

This comprehensive solution combines Symantec’s proven, industry-leading security and PC tune-up technologies with new automated backup and antiphishing features, providing a full circle of protection.

Flaw found in Citrix server client

Monday, March 5th, 2007

A flaw has been found in Citrix’s Presentation Server Client, an application that allows remote users to access corporate servers from outside the office.

Versions older than 10.0 could be vulnerable to a buffer overflow which would enable an attacker to compromise a user’s machine, according to researcher Karl Lynn of Juniper Networks, who discovered the flaw. Security advisory organization Secunia has rated the vulnerability as highly critical.

The vulnerability is caused by an error in the support for ICA (Independent Computing Architecture) connections through a proxy server. This may be exploited to execute arbitrary code when a user visits a malicious Web site, Citrix warned in an advisory last week.

ICA, designed by Citrix, is a proprietary protocol for application server systems. The protocol gives specifications for passing data between servers and clients, regardless of platform.

The vulnerability currently has no patch. Citrix recommends users protect themselves by upgrading to version 10.0 of Citrix Presentation Server Client.

Tom Espiner of ZDNet UK reported from London.

Flaw Found In Office 2007

Tuesday, February 27th, 2007

Researchers have discovered a “highly critical” security flaw in newly released Office 2007, despite Microsoft’s efforts to deliver its most secure version yet of the productivity software.

The consumer version of Office 2007, which launched only four weeks ago, is designed to withstand higher scrutiny by malicious code writers, as Microsoft subjected the software to code auditors as part of its security development lifecycle.

But researchers at eEye Digital Security found a file format vulnerability in Microsoft Office Publisher 2007, which could be exploited to let an outsider run code on a compromised PC.

“We were surprised we could find a flaw so quickly (after Office 2007 launched) and one that was part of their core products,” said Ross Brown, eEye’s chief executive.

An attacker could create a malicious Publisher file, he said. Once the recipient opens the file, he or she could find the system infected and susceptible to a remote attack.

Researchers at eEye used a standard process of code auditing in discovering the vulnerabilities, Brown added. He noted that Microsoft either did not do a “good job” with its code auditing, or it may not have had enough people working on such a task.

Microsoft, meanwhile, said it is investigating eEye’s report of a possible vulnerability in Publisher 2007 and will provide users with additional guidance if necessary.

Executives at the software giant have recently said they expect security challenges to keep emerging, as an increasing number of devices connect to the Internet.

No public exploits have been reported in circulation for Publisher 2007 and, given Office 2007’s recent release, the flaw may hold little attraction for attackers who may wish to concentrate on software that is in greater distribution, eEye said.

(News.com)