When Office 2003 SP3 was released, it blocked some file formats because they were deemed insecure. This included CorelDRAW CDR files. I find it funny that Microsoft calls the file formats of others insecure when Office files are some of the least secure file formats out there.
Corel is obviously not very happy with this. Gerard Metrallier, Director of Product Management, Graphics at Corel had the following to say.
“Microsoft recently announced that with the release of Service Pack 3 for Office 2003, installing this program will block certain files formats. According to a Microsoft knowledge base article on the subject, these file formats include CorelDRAW .CDR files because they are deemed less secure. Since this has posted, Corel has unsuccessfully tried to figure out the basis for categorizing .CDR files as ‘less secure’ and sites such as FrSIRT or US-CERT don’t have any information about CorelDRAW.”
“CorelDRAW users can rest assured that they can still use CorelDRAW Graphics Suite normally on a system where Microsoft Office 2003 Service Pack 3 has been installed. This update from Microsoft does not impact CorelDRAW at all or the capability of opening .CDR files from within CorelDRAW or from Windows Explorer. We are currently working with Microsoft to get more details about this issue, as we want to make 100 percent certain our file formats pose no security concern for any of our users. Corel is not aware of any security issue related to the CorelDRAW .CDR file format. If there is a known problem that had security implications, we will get this resolved as quickly as possible.”
Obviously Corel isn’t very happy that their formats are called insecure. I don’t blame them. While there may be a possibility of insecurity, they are not used by a high enough percentage of users to be a format that hackers would likely target. I’m guessing the possibility exists because CorelDRAW files can contain VBA (Visual Basic for Applications) macros. Hmm, VBA is licensed from Microsoft.
There is a way to unblock the files. Microsoft has posted a knowledge base article about the blocking and how to edit the registry to unblock certain formats. I think it was Outlook 2000 that added blocking of certain attachment types, like EXE files, in a service pack. This also required a registry hack to bring them back. It shouldn’t require a risky registry hack, there should be a dialog box in the program for users to select which formats to block.
Now as I understand this, it only affects files you wish to import into Office 2003 applications. Given that Microsoft had to reverse engineer the CDR format to import the files, it isn’t a good idea to directly import a CDR file into Office. This also means the import filter doesn’t support newer versions of CorelDRAW. Basically, it is much ado about nothing in my mind. Of course Microsoft suggest the problem can be solved by upgrading to Office 2007. While I enjoy Office 2007, I don’t think this is a good way to convince users to upgrade.
My suggestion, export your files from CorelDRAW to WMF, EMF or PNG (depending on how the file will be used) and import those files into CorelDRAW and this blocking won’t affect you at all.