You won't have missed the widespread reports of the Windows Metafile (WMF) vulnerability that's been painfully exploited since about Christmas through Microsoft Office and Windows software.
Notably, the Microsoft patch set took more than a week to materialize. This is its own form of PR disaster (plump with irony) & pregnant with the ugly spawn of general security implications, i.e., nothing new from The Trustworthy Computing Company.
Now, I'd like to route your attention to a further wrinkle in the WMF vulnerability story which has escaped coverage so far and which gives me pause as someone intimately involved in the OpenDocument deployment in Massachusetts (which, despite rumours to the contrary, is well on course).
The WMF, itself, is a proprietary implementation of a way to render graphics in Windows. In fact, it is an obsolete service that exists in modern versions of Windows merely to maintain backward compatibility with the way the early, 16-bit versions of Windows (Windows 3.x, 95, 98, ME, NT) rendered certain graphics (think of JPEG thumbnails in the Windows Explorer file manager or running down the left-hand margin of PowerPoint). Therefore -- apart from serving backward compatibility -- WMF is unnecessary to the latest versions of Windows and Office themselves.
WMF interacts with something else in Windows, another proprietary API called GDI, the Graphical Device Interface.
This means that WMF, a proprietary segment of code, references another proprietary set of code that is unique to that single OS platform, Windows. They are, separately and together, perfect examples of PROPRIETARY SOFTWARE DEPENDENCIES, which are anathema to open architectures, where everyone (Munich, The German Ministry of the Interior, Massachusetts, The Australian National Archive, The US Library of Congress, The British Library, to name just a few modest examples) is heading.
WMF runs executable scripts without user approval (another bad habit cultivated by Microsoft engineers who were pushed by marketing to throw out good sense for convenience). This is a natural part of the design of the WMF in its quotidian task of drawing images on your screen; however, malicious scripts have been written and propagated lately which are intended to take your system down (or do anything in particular) by setting themselves up to be called when WMF executes a thumbnail image draw.
Now, what I find shocking, penetrating & newsworthy is that there is a reference to an implementation of the WMF in the "Ecma spec" for Office "Open" XML. The reference falls in Section 14.3 of the 1900-page Ecma format specification where it discusses how a single WMF is stored in a file along with their Presentation ML code specification. This is how a file draws its embedded thumbnail images.
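One practical consequence of that Section 14.3 reference, for anyone auditing documents in a mixed-platform deployment, is simply knowing which packages carry embedded WMF thumbnails at all. The script below is an added example, not code from the post or from any standards body: it opens an Office Open XML style zip package and lists the parts that are WMF, whether by their .wmf extension or by the WMF header bytes (the placeable key 0x9AC6CDD7 or a standard METAHEADER), so a mislabelled part is still caught. The package it scans is constructed inline and is not a real Office file.

```python
import io
import zipfile

# A placeable WMF starts with the 32-bit key 0x9AC6CDD7, stored little-endian.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes open like a WMF: the placeable key, or a standard
    METAHEADER whose Type is 1 (memory) or 2 (disk) and HeaderSize is 9 words."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return True
    if len(data) >= 4:
        mtype = int.from_bytes(data[0:2], "little")
        hdr_words = int.from_bytes(data[2:4], "little")
        return mtype in (1, 2) and hdr_words == 9
    return False


def find_wmf_parts(package: bytes) -> list:
    """Return the names of all parts in a zip package that are WMF,
    judged by extension or by the first bytes of the part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(22)  # long enough for either WMF header
            if info.filename.lower().endswith(".wmf") or looks_like_wmf(head):
                found.append(info.filename)
    return found


def build_sample_package() -> bytes:
    """Constructed sample shaped like a PresentationML package (not a real
    Office file): one placeable WMF, one PNG, and WMF bytes hidden under a
    .bin name to show the header check catching what the extension misses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        # 22-byte placeable header: key followed by zeroed fields
        zf.writestr("ppt/media/image1.wmf", PLACEABLE_WMF_KEY + b"\x00" * 18)
        zf.writestr("ppt/media/image2.png", b"\x89PNG\r\n\x1a\n")
        # standard METAHEADER: Type=1 (memory), HeaderSize=9, rest zeroed
        zf.writestr("ppt/media/oleObject1.bin", b"\x01\x00\x09\x00" + b"\x00" * 14)
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_wmf_parts(build_sample_package()):
        print("WMF part:", name)
```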
This is significant to me for several reasons:
1) It means that the Microsoft file format for Office 12 -- the one that is headed for Ecma & ISO approval in approximately 18 months to 2 years time -- has a significant security flaw, WMF. This means that WMF or other serious security flaws introduced into Microsoft's file format specification would endanger other applications and operating systems that also implement this specification (while adhering to the requirement of a fully "CONFORMING" implementation).
It means that any other product that supports the eventual XML Reference Schema will be at risk of painting a hacking target on its users' backs, given how tightly Microsoft's Ecma submission is entwined within Office and Windows. In other words, if a hacker finds a back door that's required by the Ecma standard, you would be stepping into the thicket of brambles simply by complying, as required, with Microsoft's Ecma file format specification.
It means Microsoft's falsely labelled "open" standard, as it is being rubberstamped, would be insecure and compromise the safe platforms, too.
2) It means that Microsoft's Office "Open" XML has single-vendor proprietary services embedded within it (which overtly contradicts the most reasonable, accepted criteria for open software standards). If Office "Open" XML were developed in an open and collaborative environment, the WMF vulnerabilities would not exist...would not have even made it into the Ecma spec.
3) It means that, despite vows that Office "Open" XML is open from Microsoft officials all over Beacon Hill...
...that the existence of such proprietary dependencies in this allegedly "open" file format would disqualify it from meeting the general criteria for openness. It plainly contradicts such knowingly false statements as this one by Microsoft's Alan Yates on December 14th in the Massachusetts Senate Reading Room:
"We've been very gratified by the positive reception to our recent announcement of moving the Office OpenXML formats into a standards organizations, ECMA International, to make them utterly, completely, perpetually open by any measurement of openness at that point."
Conclusion
In bucking the global trend to open standards, Microsoft has chosen the odd strategy to feint or bluff the market (odd unless interpreted as a stall), to dress their new XML format, together with many old proprietary hooks (WMF is just one example), in the mantle of openness through submission to well-known standards bodies. What the WMF implementation in the Ecma spec reveals is that Microsoft officials are boldly lying about the openness of its newly "opened" XML file format, the only open aspect of which is the name.
The real significance is that they are doing so in such an obvious way which, given the increasing sophistication of enterprise customers, will not produce fruit for them in the market-place.
I add that mature observers have voiced serious concerns for the reputations of the standards bodies, ECMA International and ISO, who will find their own credibility under pressure if they rubberstamp Microsoft's corrupt file format standards initiative with no rigorous laundry list to elide the proprietary dependencies and security vulnerabilities. The standards bodies will need to adapt to the surging demand for genuinely adherent open software standards or new bodies who respect all openness criteria will simply grow up around them.
European governments, as well as organizations in the private sector there, are extremely sensitive to the correct criteria for open software standards and have been watching file format developments closely since 2001 when the early implementations of OpenDocument first became deployable in the OpenOffice.org and StarOffice software. They will not be fooled, nor will the US State CIOs who have been digesting the Wagnerian drama in Massachusetts...every lightning-bolt, measure and coda.
Excellent Sam!
One of the things that fascinates me about ECMA MSXML is that there's very little deception here. Leastways not the kind of outrageous misleading and sleight of hand that has long been part and parcel of Microsoft's embrace-extend-extinguish business practice. ECMA MSXML is an in your face like it or lump it entanglement of platform specific systems level dependencies, interfaces and communications protocols. They don't attempt to hide anything?
Whence the source of this unbounded hubris? The presidential pardon they got in 2001 from the Bush administration? The fact that Chairman Bill's bag man in those years leading up to the pardon was none other than Jack the Knife Abramoff, who is now hell bent on taking down the entire house of corruption that is the marriage of unbounded corporate influence and power and a political system with the kind of thirst for money that shatters the second law of thermodynamics? While Chairman Bill laughs at the havoc his dollars, once ours, have wrought? Or did they just take ODF for a chump – the ultimate diss being that Chairman Bill didn't even consider the challenge worthy of his best embrace and extend prodigies' attention?
The ECMA MSXML specification isn't just a peek under the grand kimono. It's laid bare for all the world to see that Microsoft seeks far more than ECMA ratification of a somewhat, at least it appears at a glance to be, an almost XML file format. What they seek with this wrapper of proprietary systems level dependencies is nothing short of the global ratification of MS Vista as a standard, including 15 years of legacy warts and wobbles. It's almost like they dare us to object, to assert our rights, to say this isn't right.
ODF and MSXML are clearly moving in opposite directions. ODF is a wrapper of Open XML technologies and standard Open Internet methodologies, protocols and practices. Read the license, read the patent disclaimers of the contributors, read the charter that pledges rigid adherence to and rapid embracing of Open XML technologies, read the fiduciary promises of OASIS, the ODF steward, and you'll see that in every way, ODF is setting the high bar defining all future open standards. The specification is highly portable, redefining in every way what it means to be an application and platform independent standard.
Now, drop your jaw 180 degrees, and look at MSXML. It's a pseudo XML wrapper of proprietary technologies that are notably platform specific and systems level dependent - all under the control of a single monopolist with a reputation and conviction record for ferociously ruthless, illegal, and reprehensible business practices. MSXML offers us zero interoperability, zero fidelity of transformation, and being locked into the MS Vista – XP platform one hundred ways to Sunday, offers zero portability, and zero application independence.
I'll give Microsoft this; MSXML has fought ODF to a standoff on the desktop. But that's such a small part of the digital information story. ODF on the other hand hits the Open Internet trifecta with all cylinders pumping.
The ODF Trifecta is of course:
The Desktop Productivity Environment ....... where traditional local bound documents are transitioning to intelligent compound documents, connecting and wrapping content, data, and streaming media into Open Internet ready highly portable documents.
SOA ... Service Oriented Architectures where disparate legacy systems and desktops are horizontally connected and wired into next generation information management systems using Open XML- Open Internet methodologies. The model here is Doug Alberg's Boeing implementation of ODF as a common "universal transformation layer".
The Open Internet ...... ODF as successor to HTML and XHTML. ODF is ready to bridge a wealth of unstructured content to into the next generation model of highly structured - metadata centric portable documents. ODF is also currently being worked to bridge the XML data model with the relationship model of RDF. Which is to say, ODF will be at the heart of the Semantic Web.
Notice that it is only on the desktop that MSXML can compete with ODF. When it comes to SOA and the Open Internet, MSXML is a no show. Totally useless. So one of the things that interests me is moving the discussion from the desktop, away from competing vendors, away from the norm of having to struggle with many different file formats and compromised reverse engineering efforts, and pushing forward to SOA and the Open Internet where ODF wins in a walk.
I know some will argue that Microsoft still controls a monopoly base of over 450 million hapless Windows users. The truth is that only 8% of that user base has upgraded to the XP 2003 platform, and can make use of MSXML as a proprietary channel for information moving through the desktop, devices and suite of MS servers that define the XP integrated stack model.
Microsoft is more intent on force upgrading the vast herd of non XP Windows users than they are protecting that monopoly base. The amount of money they stand to make with a forced march upgrade is so incredible that I think they've lost sight of the fact that they have in effect cut the great herd loose. The monopoly base is now up for grabs, with cross platform multi Windows distro enabled OpenOffice.org and Mozilla.org having a great shot at intercepting the great migration.
If OOo and Mozilla can deliver to the great herd, now set adrift and abandoned, a good measure of the collaborative computing functionality Microsoft has promised and reserved exclusively for the XP integrated stack, then all bets are off regarding the future of MSXML. ODF can today run on 100% of the 450 million desktops locked on some version of Windows. MSXML is only available to 8%. Time to fork the great herd if you ask me.
Thanks for putting yourself and your respect for the truth at the front lines of freedom Sam. Beware the treachery, stay the course. ODF is going to prevail.
~ge~
Posted by: Gary Edwards | January 07, 2006 at 04:06 AM
There's a lot of your fine work with OASIS ODF TC in this, Gary.
You make some intriguing points with the momentum of a Beat poet whose pants are on fire!
One among many that I find interesting is Microsoft's attitude about opening. Indeed they have published the MS XML spec, and yet their best-trained disinformation officers (Alan Yates, for one) continue to repeat the "open" messaging.
One only imagines the orthodox view inside that company is that no one reads the 2000-page technical memoranda.
Yet we talk, here on the Twilight Bark.
Posted by: Sam | January 07, 2006 at 05:23 AM