Office 2003 SP3 – The Facts and Fiction

What turned out to be a relatively simple security service pack for an end-of-life version of Office has turned into an all-out blood-rage instigated by individuals whose resumes would lead us to believe they expound technical competence and experience.  The reality is much different.  A select few sensational bloggers pounced on Microsoft KB article 938810, which first appeared back in September with a 2nd revision posted in December, and immediately sought out to write what can only amount to sensational garbage spawning inaccurate vitriol.  I can only hope that people read this article and learn a much greater lesson in all this, the lesson being that bloggers are not journalists.  Bloggers do not have to live by a code of ethics when reporting newsworthy stories.  Bloggers do not have to fact-check their sources and get trusted opinions; at best they just have to link to another blogger to provide evidence of their claims which, in all practicality, is tantamount to hearsay and unsubstantiated banter.

The Facts

  • Microsoft Office 2003 becomes "end-of-life" on June 30th 2007 with extended support out to 2009
  • On September 17th 2007, Microsoft releases SP3 for Office 2007, a major milestone against security threats that MSRC has been dealing with since 2006.
  • Like all patches, Knowledge Base articles are published and IT administrators have every chance to determine whether to deploy this patch and to validate use in their environment.
  • Knowledge Base indicates that default settings only block formats PRIOR to 'Word 6.0 for Windows'
  • Slashdot reports disabling of legacy file formats on January 2nd, 2008, months after the service pack release
  • I write a post on January 2nd 2007 advising customers who emailed me as a result of Slashdot
  • January 4th 2008, Microsoft releases a third revision to clarify issues with the knowledge base

The Fiction

  • Microsoft blocks all formats outlined in the KB article
    • FALSE, only formats prior to Word 6.0 for Windows, Lotus, Quattro, DIF, SLK, and pre-97 PowerPoint formats are blocked.
  • The only way to recover documents is to install OpenOffice
    • FALSE, the documents can be quickly opened by making registry modifications outlined in the KB or by utilizing the ADM registry template.  Furthermore, those files can still be opened on earlier versions of Office as well as other compatible productivity suites on a plethora of platforms, including OpenOffice.  Also, registry files are now available as of January 4th so that end-users can easily fix the problem.
  • Microsoft did this to push Office 2007 sales.
    • FALSE, binary formats are essentially memory dumps; a crafted file can lead a vulnerable application to execute malicious code by directly modifying memory values, or can carry targeted macros, if opened in Office or other vulnerable applications.  Programming concepts that made sense in the past are no longer justifiable after considering the security implications.  Please know that the format is not insecure; it is the application reading the file.
  • Security threats from old formats are not significant!
    • FALSE, document security threats are not like viruses out in the wild.  Document security threats are typically targeted against an organization. "Older formats would do things like write offsets directly into the file, and in some cases would write pointer values right into the file. It seemed like a good idea back in 1995 or so, but isn't something we want to do now." (LeBlanc May 07)  Starting in 2006, new attacks were being encountered by MSRC which exploited such vulnerabilities.  These vulnerabilities continued through 2007.  The attacks were targeted against specific organizations' PCs but had the potential to impact the general user base.

  • Office 2003 SP3 is just as secure as Office 2007!
    • FALSE, David LeBlanc clearly outlines the thoughts and methodology around blocking new attack vectors in Office 2007.  Furthermore, he describes core engineering principles that make it impossible for Office 2003 to be as secure as 2007.
    • A key excerpt from LeBlanc, "I have to be clear that there are some things we just can't do in a service pack. For example, the compiler we used for Office 2003 was shipped in Visual Studio 7.1, and the compiler we used for Office 2007 was the compiler used in Visual Studio 2005. As I documented in "Writing Secure Code for Windows Vista", there are mitigations in the new compiler that stop certain attacks cold, and the older compiler doesn't do as well."
  • I have to convert thousands of my files manually!
    • FALSE, Office Migration Planning Manager is a well documented, free-to-download tool that IT professionals can use to reliably convert an unlimited number of files to OpenXML.  Furthermore, it creates an index to catalog all files in your environment so IT managers can implement document lifecycle policies in their organization.
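The LeBlanc quote above describes the root of the problem: legacy binary formats store raw offsets and pointer values in the file, and a parser that trusts them can be steered to arbitrary memory.  The following is an added illustration, not code from Microsoft or from this post, using a hypothetical toy record layout (4-byte offset, 4-byte length, then data) to contrast a 1995-style reader with one that validates every file-supplied value before using it as an index.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy layout modelled on the legacy pattern the post quotes:
 * a little-endian 32-bit offset and length stored in the file, pointing
 * at a text run elsewhere in the same file. Hypothetical, not a real format. */
#define HDR_LEN 8
enum { REC_OK = 0, REC_TRUNCATED = 1, REC_BAD_OFFSET = 2, REC_BAD_LENGTH = 3 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive reader: trusts the stored offset and length exactly as written.
 * On a crafted file the returned pointer lies outside `file`, which is the
 * class of bug the post describes. Shown for contrast; never use on input. */
const uint8_t *naive_locate(const uint8_t *file, uint32_t *len_out) {
    *len_out = le32(file + 4);
    return file + le32(file);
}

/* Hardened reader: checks header presence, then bounds the offset against
 * the real buffer size, then bounds the length without letting off+len wrap. */
static int safe_locate(const uint8_t *file, size_t file_len,
                       const uint8_t **run, uint32_t *run_len) {
    if (file_len < HDR_LEN) return REC_TRUNCATED;
    uint32_t off = le32(file), len = le32(file + 4);
    if (off < HDR_LEN || off > file_len) return REC_BAD_OFFSET;
    if (len > file_len - off) return REC_BAD_LENGTH;   /* subtract, never add */
    *run = file + off; *run_len = len;
    return REC_OK;
}

/* Copies the located run into out as a NUL-terminated string, or reports why not. */
int extract_run(const uint8_t *file, size_t file_len, char *out, size_t out_cap) {
    const uint8_t *run; uint32_t run_len;
    int rc = safe_locate(file, file_len, &run, &run_len);
    if (rc != REC_OK) { out[0] = '\0'; return rc; }
    if (run_len >= out_cap) return REC_BAD_LENGTH;
    memcpy(out, run, run_len); out[run_len] = '\0';
    return REC_OK;
}

/* Constructed samples: a valid file, one whose offset points 1 GiB past the
 * end, and one whose length would wrap a naive off+len overflow check. */
const uint8_t GOOD_FILE[]       = {8,0,0,0,    5,0,0,0,             'h','e','l','l','o'};
const uint8_t BAD_OFFSET_FILE[] = {0,0,0,0x40, 5,0,0,0,             'h','e','l','l','o'};
const uint8_t BAD_LEN_FILE[]    = {8,0,0,0,    0xFF,0xFF,0xFF,0xFF, 'h','e','l','l','o'};
```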


I will say that when you do read stuff that is overly critical of Microsoft, try to judge the actions and intentions on their merits.  Microsoft is a 70,000+ person organization with a lot of gears turning in different directions.  I haven't met one person in this company who thinks like a monopolist, and I know that many who did have dramatically changed their viewpoints for the better.  In my opinion, we could have done a better job at notifying users of this loss of functionality.  I have full confidence that the appropriate people at Microsoft have updated their methodology so inconveniences like this one do not happen in the future.  People here are honestly trying to do the right thing.  Amazingly, the most honest unofficial assessment came from Rob Weir.

Thanks to David Leblanc for providing links to these registry files to re-enable functionality:

The .reg files you can use to change the security settings can be downloaded here:

To re-enable Word file formats only - UnblockWord.reg

To re-enable Excel file formats only - UnblockExcel.reg

To re-enable PowerPoint file formats only - UnblockPowerPoint.reg

To re-enable the CorelDraw (CDR) file format only - UnblockCDR.reg

To restore the blocked Word file types only - RestoreBlockingWord.reg

To restore the blocked Excel file types only - RestoreBlockingExcel.reg

To restore the blocked PowerPoint file types only - RestoreBlockingPowerPoint.reg

To restore the blocked CorelDraw (CDR) file type only - RestoreBlockingCDR.reg


David LeBlanc's Post on Office 2003 SP3 and File Formats

David LeBlanc's Original Office 2003 SP3 Post

David LeBlanc's Discussion on Document Security and MOICE

Office Migration Planning Manager Guide - TechNet

Fun But Fictional Reading

Microsoft Decides You Don’t Need Your Old Data - Zoli Erdos

Microsoft breaks the perpetual licence covenant - Phil Wainewright

Microsoft hoses user data - again! - Robin Harris

Comments (12)

  1. Anonymous says:

    Here’s an analogy: You have a house built by a contractor, who insists on retaining a master key so they can do ongoing repairs inside your house at their convenience.

    One day, you find you can’t get into the rooms in your house because they’ve changed the locks.

    But that’s OK, as the reason they changed the locks is because the locks they installed when they built the house were defective.

  2. Anonymous says:

    Read this: Have You Seen My Stapler? – Viral Tarpara's Blog : Office 2003 SP3 – The Facts and Fiction

  3. Anonymous says:

    Actually Mr. Harris, not to sound like a broken record, but your fact-checking is amateur at best as you seem to pick and choose your facts.  Office Migration Planning Manager is free for ANYONE to use.  I provide the links to the download.  It is an IT tool, but thoroughly documented.  

    Only files PRIOR to Word 6.0 for Windows, Lotus, Quattro, and Pre-97 PowerPoint files are blocked by default.  

    As for "reprinting" the KB article, you are disingenuous with how to interpret the KB, implying that ALL formats are blocked.  Furthermore, your article is misleading and inflammatory to the point that you imply that Microsoft acted maliciously, which is certainly not the case.

    I will agree with you that we did not make it easy for "average" users so Microsoft has revised the KB again to provide simple, easy to use fixes which are also provided on my blog article.  We could have done a better job of informing home-users and unmanaged organizations.

    Overall, after reading a handful of your articles, I will say that even though you seemed to blame Microsoft for the world’s computer problems, you do bring a valid viewpoint when it comes to home-users and extremely IT-challenged businesses.

  4. Anonymous says:

    But it still begs the question… why does it appear that Microsoft shoots themselves in the foot all the time with incomplete communication?

  7. Becky Burwell says:

    You say: Microsoft Office 2003 becomes "end-of-life" on June 30th 2007 with extended support out to 2009

    I assume you mean June 30th 2008 not 2007.

  8. Becky Burwell says:

    I just looked at the Microsoft site and see end of life support for Office 2003 is indeed July 30, 2007.

  9. Robin Harris says:

    The list I published came direct from the KB article. And you say it is false.
    My point is that millions of small businesses and home users, who don’t have access to Office Migration Planning Manager or the expertise required to use it or the other tools you proffer, are left out holding the bag. You don’t care about them, do you? You don’t even seem to know they exist.

    Also, I didn’t make any of the claims you list above – other than reprinting the KB list. If that list is wrong, Microsoft has only themselves to blame.

    Robin Harris

  10. EricE says:

    Sigh – rather than getting mad at the end users for misinterpreting your intentions and complaining that the "bloggers" are gunning for you, perhaps it would be best for MS to try to come up with a better way to communicate.

    Or better still, stop changing default behavior of things automatically!

    You guys know that there are people who are going to take anything you do and read nefarious purposes into whatever you do, so anticipate them!

    Instead of just turning off old file formats as part of a patch (and telling people you didn’t have to install the patch is silly – MS has been, rightfully so, encouraging people to patch!) why can’t you pop up a dialog box offering to disable the formats with the default action (for those who don’t even bother to read the dialog, let alone the technote) to retain the status quo?

    That’s a much more up-front approach.  One could argue that MS shouldn’t have to do so, that the technote covers it, but here we are yet again with MS with egg on their face and coming off as being autocratic and inconsiderate of their users needs.  The bottom line, the patch changes default behavior – behavior that, by judging the reaction from people, is pretty important.  Hopefully that tells MS something.

    It’s been said that insanity is doing the same thing over and over, but expecting a different result each time.  Can we stop the insanity?
