connecting users of the CorelDRAW family of products
We take every threat seriously. CorelDRAW.com has not been affected by the Heartbleed security bug.
CorelDRAW .CDR file format and Microsoft Office 2003 SP3
Gérard on Graphics
A product management view on the Graphics world, CorelDRAW and much more.

With the release of Service Pack 3 for Office 2003, it appears that installing this program "blocks certain file formats. According to the knowledge base article posted by Microsoft, this includes CorelDRAW .CDR files because they are deemed  "less secure." Since this has been posted, we have unsuccessfully tried to figure out the basis for categorizing CDR files as "less secure" and sites such as FrSIRT or US-CERT don't have any information about CorelDRAW. Not surprisingly, this story has received some visibility from the press (article from The Register, InformationWeek and ZDNet to name a few) and bloggers all over the Internet (here is the post on Slashdot).

First of all, rest assured that you can still use CorelDRAW Graphics Suite normally on a system where you have installed Microsoft Office 2003 with Service Pack 3. This update from Microsoft does not impact at all CorelDRAW and the capability of opening CDR files from within CorelDRAW or from the Windows Explorer. The blocking only seems to appear with embedded CorelDRAW documents inside an MS Office 2003 document through OLE and when using Microsoft's import filters, and the instructions in the Microsoft knowledge base article referenced above explain how to remove this limitation. And for an even better solution, talking with my colleagues from the Corel WordPerfect team, there would be no problem using that Office suite instead of the one from Microsoft Smile

In speaking with the support and development teams at Corel and looking through all the reports related to CDR file format security, we have not been able to locate the source of this alleged "lessened security." One option we are currently investigating is the fact that CorelDRAW can be automated and scripted using Microsoft's own Visual Basic for Applications. Wouldn't it be ironic if Microsoft was the source of any .CDR file format deemed "less secure" by Microsoft. But again, I cannot believe that the problem is related to VBA as many other products would have been listed and not only focus on CorelDRAW file format. From Corel, these would include, amongst others, Corel PHOTO-PAINT, Corel DESIGNER and Corel WordPerfect. We are currently working with Microsoft to get more details about this issue as we want to make 100% certain our file formats have no security concern for any of our users.

In summary, Corel is currently not aware of any security issue related to the CorelDRAW .CDR file format. If there was a known problem that had security implications, we would get this resolved as quickly as possible.

UPDATE (Jan 4, 2008): I posted a follow-up entry in my blog about this. 

UPDATE 2 (Jan 6, 2008): The Microsoft Knowledge base article has been updated - as initially expected, the source of the problem is not with the file format, but with the import filters in Microsoft Office. The knowledge base article also includes ways to turn this feature back on easily. 


Share
Posted Thu, Jan 3 2008 16:14 by Gerard Metrailler

Comments

Internet Explorer Update » CorelDRAW .CDR file format and Microsoft Office 2003 SP3 wrote Internet Explorer Update » CorelDRAW .CDR file format and Microsoft Office 2003 SP3
on Thu, Jan 3 2008 15:20

Pingback from  Internet Explorer Update » CorelDRAW .CDR file format and Microsoft Office 2003 SP3

Microsoft Internet Explorer » Blog Archive » CorelDRAW .CDR file format and Microsoft Office 2003 SP3 wrote Microsoft Internet Explorer » Blog Archive » CorelDRAW .CDR file format and Microsoft Office 2003 SP3
on Thu, Jan 3 2008 15:36

Pingback from  Microsoft Internet Explorer  » Blog Archive   » CorelDRAW .CDR file format and Microsoft Office 2003 SP3

http://coreldraw.com/blogs/gerard/archive/2008/01/03/coreldraw-cdr-file-format-and-microsoft-office-2003-sp3.aspx wrote http://coreldraw.com/blogs/gerard/archive/2008/01/03/coreldraw-cdr-file-format-and-microsoft-office-2003-sp3.aspx
on Thu, Mar 27 2008 2:24
© Corel Corporation. The content herein is in the form of a personal web log ("Blog") or forum posting. As such, the views expressed in this site are those of the participants and do not necessarily reflect the views of Corel Corporation, or its affiliates and their respective officers, directors, employees and agents. Terms and Conditions / User Guidelines.