Monday, February 15, 2010

If you have been looking at the "What's new" sections in the last FlexCel releases, you might have noticed a mysterious "Office 2010 Protected mode support". Here I would like to expand on what that means, but before going any further, let's focus on the message I want you to get from this post:
Please update FlexCel (both VCL and .NET) to the latest version. It is important that you do so.
As you know, we take pride in our long support cycle, and this case is no different: both 5.1 in .NET and 3.2 in VCL are free updates for everybody who has a valid license, so you have no excuse not to upgrade.
Ok, now that this has been sorted out, and while you are downloading the new files, I think I should explain a little. The reason I am asking you to update is that Excel 2010 comes with a new feature, called "Protected View", that will flag files created with older FlexCel versions as invalid.
This feature will try to detect if the file is a "genuine" Excel file or not, and if it isn't, drop a big scary red box at the top:
In our case, we had both good and bad news. The good news: as we always cared a lot about creating files that would be virtually impossible to differentiate from a "real" Excel file, there wasn't much Excel complained about; we only found 3 wrong records in thousands of files. The bad news: sadly, one of those records was written to almost every file, so Excel 2010 would complain about most files FlexCel created.
So we fixed those records and then spent more than a month testing literally thousands of files created by FlexCel (from single "Hello world" files to files as complex as you can imagine) to verify that Excel 2010 opens them fine. Each one of them was individually opened in Excel 2010 and we manually verified it was ok.
So now it's your turn. Please install the latest FlexCel versions today, so when your customers get Excel 2010, they won't complain.
Do we still have some minutes left? Ok, then it's rant time.
I would like to keep this kind of confidential between me and you, but really, I must say really, I don't get it. Saying it is the silliest idea ever would be mean, so I will just say "I don't get it".
To use yet another silly real-world analogy, this is like if you discovered that "most terrorists wear black t-shirts". So, you ban people with black t-shirts from airports, and claim to have "improved the security". You might even be able to convince someone that it was in fact a bright idea, but what will actually happen is that: 1) Terrorists will start wearing white t-shirts. 2) Lots of innocent people wearing black t-shirts will be banned from the airports.
In this case something very similar happens. Excel checks for some records, and if it sees they aren't exactly what it would expect, it will declare the file "dangerous". The problem? 1) If I am crafting a malicious file, I will make very sure I get those records right. And yes, there are thousands of ways to craft a malicious file without them. 2) You will be banning millions of innocent files that bear no risk at all. For the record, the screenshot above wasn't made with a file created with an older FlexCel version, but with the latest (a couple of days old) version of OpenOffice. I just dropped a chart over an empty sheet, and voila, I had a "dangerous" file.
How many completely harmless files not created with Excel itself are out there? What's the idea? OpenOffice, GEdit, KOffice, ourselves, are all "terrorists" now?
If you ask me, what Microsoft should really have done here is fix the problem, period. Remove all possible buffer overflows. All of them. Review every line of the file loading process, and make sure there is no way a wrong value can crash Excel. Too much work you say? Well, not when the product generates the kind of revenue Office generates:
If they used just a fraction of those billions to fix Office instead of financing Xbox and Bing, they could buy a legion of security experts to review every single line. Or some engineers to rewrite the xls-loading code in managed code. Or both. What do we get instead? A band-aid solution that doesn't solve anything, but does make life more complex for everyone.
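To make the contrast between the two approaches concrete (checking whether a few records "look genuine" versus making sure no wrong value can crash the loader), here is an added example that is not FlexCel code and not anything from Excel: a small Python walker over a BIFF-style record stream. BIFF records are framed as a 2-byte type, a 2-byte length and the data; BOF (0x0809), EOF (0x000A) and the BIFF8 maximum data length of 8224 are real values from the format, while the three sample streams, the payloads and the `check` summary are constructed for this illustration. The point of the example is the bounds checking: every length field is validated against the real buffer before anything is read, so a truncated or oversized record is rejected, whereas whether the file "looks like it came from Excel" plays no part at all.

```python
import struct

BOF = 0x0809            # BIFF "Beginning of File" record type
EOF = 0x000A            # BIFF "End of File" record type
MAX_BIFF8_DATA = 8224   # largest record data length BIFF8 allows


class MalformedStream(ValueError):
    """Raised when the record stream cannot be walked without reading out of bounds."""


def walk_records(stream: bytes):
    """Yield (offset, record_type, data) for each record in a BIFF record stream.

    Each length field is checked against the actual buffer size before any
    slice is taken, so a record that claims more bytes than exist is rejected
    instead of being read past the end of the buffer.
    """
    pos, n = 0, len(stream)
    while pos < n:
        if n - pos < 4:
            raise MalformedStream(f"truncated record header at offset {pos}")
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        if rlen > MAX_BIFF8_DATA:
            raise MalformedStream(
                f"record 0x{rtype:04X} at offset {pos} declares length {rlen} > {MAX_BIFF8_DATA}")
        end = pos + 4 + rlen
        if end > n:
            raise MalformedStream(
                f"record 0x{rtype:04X} at offset {pos} runs {end - n} bytes past end of stream")
        yield pos, rtype, stream[pos + 4:end]
        pos = end


def validate_stream(stream: bytes) -> dict:
    """Walk the whole stream and summarise its framing (record count, BOF first, EOF last)."""
    types = [rtype for _, rtype, _ in walk_records(stream)]
    return {
        "records": len(types),
        "starts_with_bof": bool(types) and types[0] == BOF,
        "ends_with_eof": bool(types) and types[-1] == EOF,
    }


def make_record(rtype: int, data: bytes) -> bytes:
    """Frame one record: little-endian type, little-endian length, then the data."""
    return struct.pack("<HH", rtype, len(data)) + data


def check(stream: bytes) -> str:
    """Return 'ok', 'structurally odd', or 'rejected: <reason>' for a stream."""
    try:
        summary = validate_stream(stream)
    except MalformedStream as exc:
        return f"rejected: {exc}"
    if summary["starts_with_bof"] and summary["ends_with_eof"]:
        return "ok"
    return "structurally odd"


# Constructed sample 1: a minimal well-formed stream (BOF, one record, EOF).
# 0x0085 is the BIFF BOUNDSHEET type; its payload here is made up, not a real BOUNDSHEET body.
GOOD_STREAM = make_record(BOF, b"\x00" * 16) + make_record(0x0085, b"sheet") + make_record(EOF, b"")

# Constructed sample 2: the middle record claims 4096 data bytes but only 5 are present.
TRUNCATED_STREAM = (make_record(BOF, b"\x00" * 16)
                    + struct.pack("<HH", 0x0085, 4096) + b"sheet"
                    + make_record(EOF, b""))

# Constructed sample 3: a length field far above the BIFF8 limit, with the bytes actually present.
OVERSIZED_STREAM = (make_record(BOF, b"\x00" * 16)
                    + struct.pack("<HH", 0x0085, 0xFFFF) + b"\x00" * 0xFFFF
                    + make_record(EOF, b""))

if __name__ == "__main__":
    for name, sample in [("good", GOOD_STREAM), ("truncated", TRUNCATED_STREAM), ("oversized", OVERSIZED_STREAM)]:
        print(f"{name}: {check(sample)}")
```

Run as a script, it reports the first sample as ok and rejects the other two with the offending record type and offset. A file from OpenOffice, FlexCel or any other writer passes exactly the same checks as one saved by Excel, which is the property the post argues a loader should have.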
Ok, the rant is off. You can ignore everything else in this post, but just remember to update FlexCel.
Thanks for your time,