derek hatchard

aggregating from ardentdev.com and derekhat.com

September 2004 - Posts

Critical security flaw in JPEG image processing in Microsoft products

Microsoft has announced a buffer overrun in JPEG processing in GDI+ that could allow code execution -- this affects a lot of software including Internet Explorer and Outlook (two apps in which a lot of JPEG images get loaded automatically).

This sounds like serious stuff to me and I fear a rash of exploits will show up in the near future.

http://news.com.com/Major+graphics+flaw+threatens+Windows+PCs/2100-1002_3-5366314.html?tag=html.alert :

Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx (emphasis mine):

The GDI+ security update for September 2004 addresses newly discovered issues in JPEG processing technology. This issue affects software that supports this image format, including some versions of Microsoft Windows, Microsoft Office, and Microsoft developer tools. If you have any of the listed software installed on your computer, you should install the related update.

Depending on the software you are using, you may need to install multiple updates from multiple locations.

Important: Windows XP Service Pack 2 (SP2) is not affected by this issue. Windows XP SP2 users only need to update Office (if installed).

The TechNet bulletin on affected software with links to updates is at http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx.

Affected software:

Windows XP
Windows XP Service Pack 1 (SP1)
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Note: Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
Office 2003
Note: Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002 (all versions)
Picture It! 7.0 (all versions)
Picture It! 9 (all versions, including Picture It! Library)
Producer for PowerPoint (all versions)
Project 2002 SP1 (all versions)
Project 2003 (all versions)
Visio 2002 SP2 (all versions)
Visio 2003 (all versions)
Visual Studio .NET 2002
Note: Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
Visual Studio .NET 2003
Note: Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
.NET Framework 1.0 SP2
.NET Framework 1.0 SDK SP2
.NET Framework 1.1
Platform SDK Redistributable: GDI+
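As an added example (not code from this post, from GDI+, or from the Microsoft bulletin), here is a defensive JPEG marker-segment validator in C that applies the one check every JPEG header parser needs: the JPEG standard (ITU T.81) defines each variable-length segment's 16-bit length as including its own two bytes, so a value below 2 is malformed, and a parser that computes `len - 2` in an unsigned type without checking first underflows to an enormous byte count, the length-underflow pattern behind many image-parser buffer overruns. The sample byte arrays are constructed, not real files; the function stops at SOS or EOI and decodes no image data.

```c
#include <stddef.h>

/* Result codes returned by jpeg_check_segments(). */
enum {
    JPEG_OK            = 0,
    JPEG_ERR_NO_SOI    = -1,  /* buffer does not start with FF D8 */
    JPEG_ERR_TRUNCATED = -2,  /* a segment runs past the end of the buffer */
    JPEG_ERR_BAD_LEN   = -3,  /* length field below 2: len - 2 would underflow */
    JPEG_ERR_NO_MARKER = -4   /* expected 0xFF marker prefix not found */
};

/* Walk the marker segments of a JPEG header and validate every length field.
 * A variable-length segment is FF <marker> <len hi> <len lo> <payload>, and len
 * counts its own two bytes (ITU T.81), so any value below 2 is malformed.
 * Scanning stops at SOS (FF DA) or EOI (FF D9); image data is not decoded. */
int jpeg_check_segments(const unsigned char *buf, size_t n)
{
    size_t pos;
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NO_SOI;
    for (pos = 2; pos + 2 <= n; ) {
        unsigned char marker = buf[pos + 1];
        size_t seg_len;
        if (buf[pos] != 0xFF)
            return JPEG_ERR_NO_MARKER;
        if (marker == 0xFF) { pos++; continue; }   /* fill bytes may precede a marker */
        pos += 2;
        if (marker == 0xD9 || marker == 0xDA)
            return JPEG_OK;                        /* EOI, or SOS: header fully checked */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                              /* TEM and RSTn carry no length field */
        if (pos + 2 > n)
            return JPEG_ERR_TRUNCATED;
        seg_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seg_len < 2)
            return JPEG_ERR_BAD_LEN;               /* reject before anyone computes len - 2 */
        if (seg_len > n - pos)
            return JPEG_ERR_TRUNCATED;             /* overflow-safe form of pos + seg_len > n */
        pos += seg_len;                            /* skip the length bytes plus payload */
    }
    return JPEG_ERR_TRUNCATED;                     /* ran out of bytes before EOI or SOS */
}

/* Constructed sample inputs, not real files: a minimal header with a 3-byte COM
 * segment (length 5), the same header with the length field set to 1, and one
 * whose declared length exceeds the bytes present. */
static const unsigned char good_jpeg[]   = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x05,'a','b','c', 0xFF,0xD9 };
static const unsigned char badlen_jpeg[] = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x01,'a','b','c', 0xFF,0xD9 };
static const unsigned char trunc_jpeg[]  = { 0xFF,0xD8, 0xFF,0xFE,0x00,0x10,'a' };
```

Running the three samples through `jpeg_check_segments` returns `JPEG_OK`, `JPEG_ERR_BAD_LEN` and `JPEG_ERR_TRUNCATED` respectively; a gateway or mail filter can use the same walk to reject malformed images before they reach a decoder.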


QPW files and the future of software (I hope)

It has been quite a while since I was a day-to-day WordPerfect and Quattro Pro user.  In fact, it's been quite a while since I've received or even seen a Quattro Pro spreadsheet file.  This week my wife received a Quattro Pro QPW file by email.  Much to our dismay, Microsoft Excel 2003 will not open it.  Some newsgroup spelunking revealed that this is a common complaint.  So I tried to open the QPW in OpenOffice.  Same results.  Neither program supports Quattro Pro QPW files.

I think this stinks.  I *SHOULD* be able to import from Quattro Pro, especially if the spreadsheet contents are simple lists of data with standard aggregation formulas.  (Caveat:  It is possible that Corel makes it exceedingly difficult to import their data -- I don't know.  If that's the case, my apologies to Microsoft and OpenOffice.org plus a stern "shame on you" to Corel.)

To have a healthy market we need a few competitors in core software areas like OS (Windows, Linux, Mac) and office productivity (Microsoft, Corel, Lotus/IBM, StarOffice, OpenOffice.org).  For some thoughts on how this plays out in other industries, read Eric Sink's discussion of The Law of Duality.  But key to having healthy competition is the ability to play somewhat nicely together.  For example, Coke and Pepsi have to agree to be sold in the same stores and have vending machines side-by-side (I know, I know -- they also cut exclusive deals with restaurants, etc.).

I continue to hear a lot of talk about Linux on the desktop and alternative Office-like suites.  Trends in other markets suggest that Microsoft is unlikely to maintain such incredible market dominance down the road so we need our various platforms, productivity tools, and line of business applications to play nicely together.  Network based innovations like HTML over HTTP and even email are great examples of how smart people got past the platform/OS navel gazing that continues to haunt information technology.  HTML-formatted email has become a core conduit for conducting business.  We all have HTML editing tools embedded in our email clients and we know that most recipients will also have an HTML-aware email client.  It's so much easier than dealing with Word-WordPerfect-StarOffice-Lotus conversion woes.  More recently XML and Web services (SOAP over HTTP) have further improved that platform interoperability story.

Please don't get me wrong -- I am a big Microsoft proponent.  Windows + Office + Visual Studio + assorted Microsoft server products has been the pinnacle of my professional and academic experiences.  I've done the UNIX and C/C++ thing.  I've done the Linux and Perl/CGI thing.  I've done the Java thing.  But quite frankly the current and forthcoming generations of Microsoft server and development offerings are absolutely fantastic compared with the alternatives.  And Microsoft has some great vision about security, interoperability, and user experience (even if it's the culmination of ideas originally formulated by non-Microsofties).  BUT at the end of the day we need choices.  I choose Microsoft because its products are top-notch.  But some colleagues and customers use Linux and MacOS.  I *need* to work with them seamlessly.

The major software vendors who build the products that are most widely deployed (operating systems, browsers, email clients, office productivity) have an obligation to build software that plays nicely with the other prominent players in their market.  These vendors should be leading by example but they are not.  We continue to have proprietary crap all over the place that makes it HARDER for the rest of us to do our jobs.  Sigh.  Case in point:  compose an email in Outlook using Word as the editor and read it from a Gmail account or from Eudora.  See all that extra whitespace?  That's bad.

Developers writing line of business applications have to get disparate systems working together PERFECTLY or it costs their companies money.  Meanwhile, software deployed to the masses continues to have glaring interoperability problems.  It stinks and I hope that in the future the most successful software vendors will be the ones who master the art of playing nicely with others because I'm tired of proprietary nonsense making my life harder than necessary.
