Office 2003 SP3 - The Facts and Fiction

What turned out to be a relatively simple security service pack for an end-of-life version of Office has turned into an all out blood-rage instigated by individuals who's resumes would lead us to believe they expound technical competence and experience.  The reality is much different.  A select few sensational bloggers pounced on a Microsoft KB article 938810 which was first appeared in back in September with a 2nd revision posted in December and immediately sought out to write what can only amount to sensational garbage spawning inaccurate vitriol.  I can only hope that people read this article and learn a much greater lesson in all this, the lesson being that bloggers are not journalists.  Bloggers do not have to live by a code of ethics when reporting newsworthy stories.  Bloggers do no have to fact-check their sources and get trusted opinions, at best they just have to link to another blogger to provide evidence of their claims which, in all practicality, is tantamount to hearsay and unsubstantiated banter.    

The Facts

  • Microsoft Office 2003 becomes "end-of-life" on June 30th 2007 with extended support out to 2009
  • On September 17th 2007, Microsoft releases SP3 for Office 2007, a major milestone against security threats that MSRC has been dealing with since 2006.
  • Like all patches, Knowledge Base articles are published and IT administrators have every chance to determine whether to deploy this patch and to validate use in their environment.
  • Knowledge Base indicates that default settings only block formats PRIOR to 'Word 6.0 for Windows'
  • Slashdot reports disabling of legacy file formats on January 2nd, 2008, months after the service pack release
  • I write a post on January 2nd 2007 advising customers who emailed me as a result of Slashdot
  • January 4th 2008, Microsoft releases a third revision to clarify issues with the knowledge base

The Fiction

  • Microsoft blocks all formats outlined in the KB article
    •  FALSE, only formats prior to Word 6.0 for Windows, Lotus, Quattro, dif, slk, and pre-97 PowerPoint formats.
  • The only way to recover documents is to install OpenOffice
    • FALSE, the documents can be quickly opened by making registry modifications outlined in the KB or by utilizing the ADM registry template. Furthermore, those files can still be opened on earlier versions of Office as well as other compatible productivity suites on a plethora of platforms, including OpenOffice. Also, registry files are now available as of January 4th so that end-users can easily fix the problem.
  • Microsoft did this to push Office 2007 sales.
    •  FALSE, binary formats are essentially memory dumps which can execute malicious code by directly modifying memory values and targeted macros if opened in Office or other vulnerable applications. Programming concepts that made sense in the past are no longer justifiable after considering the security implications. Please know that the format is not insecure, it is the application reading the file.
  • Security threats from old formats are not significant!
    • FALSE, document security threats are not like viruses out in the wild. Document security threats are typically targeted against an organization. "Older formats would do things like write offsets directly into the file, and in some cases would write pointer values right into the file. It seemed like a good idea back in 1995 or so, but isn't something we want to do now." ( LeBlanc May 07 ) Starting in 2006, new attacks were being encountered by MSRC which exploited such vulnerabilities. These vulnerabilities continued through 2007. The nature of the attacks were targeted against specific organization's PCs but had the potential to impact the general user base.
  • Office 2003 SP3 is just as secure as Office 2007!
    • FALSE, David LeBlanc clearly outlines the thoughts and methodology around blocking new attack vectors in Office 2007. Furthermore, he describes core engineering principles that make it impossible for Office 2003 to be as secure as 2007.
    • A key excerpt from LeBlanc, "I have to be clear that there are some things we just can't do in a service pack. For example, the compiler we used for Office 2003 was shipped in Visual Studio 7.1, and the compiler we used for Office 2007 was the compiler used in Visual Studio 2005. As I documented in "Writing Secure Code for Windows Vista", there are mitigations in the new compiler that stop certain attacks cold, and the older compiler doesn't do as well."
  • I have to convert thousands of my files manually!
    • FALSE, Office Migration Planning Manager is well documented, free to download tool that IT professionals can use to reliably converts an infinite number of files to OpenXML. Furthermore it creates an index to catalog all files in your environment so IT managers can implement document lifecycle policies in their organization.

Summary

I will say that when you do read stuff that is overly critical of Microsoft, try to judge the actions and intentions on their merits.  Microsoft is a 70,000+ organization with a lot of gears turning in different directions.  I haven't met one person in this company that thinks like a monopolist, and I know that many who did have dramatically changed their viewpoints for the better.  In my opinion, we could have done a better job at notifying users of this loss of functionality.  I have full confidence that the appropriate people at Microsoft have updated their methodology so inconveniences like this one do not happen in the future.  People here are honestly trying to do the right thing.  Amazingly, the most honest unofficial assessment came from Rob Weir.

Thanks to David Leblanc for providing links to these registry files to re-enable functionality:

The .reg files you can use to change the security settings can be downloaded here:

To re-enable Word file formats only - UnblockWord.reg

To re-enable Excel file formats only - UnblockExcel.reg

To re-enable PowerPoint file formats only - UnblockPowerPoint.reg

To re-enable the CorelDraw (CDR) file format only - UnblockCDR.reg

To restore the blocked Word file types only - RestoreBlockingWord.reg

To restore the blocked Excel file types only - RestoreBlockingExcel.reg

To restore the blocked PowerPoint file types only - RestoreBlockingPowerPoint.reg

To restore the blocked CorelDraw (CDR) file type only - RestoreBlockingCDR.reg

Resources

David LeBlanc's Post on Office 2003 SP3 and File Formats

David LeBlanc's Original Office 2003 SP3 Post

David LeBlanc's Discussion on Document Security and MOICE

Office Migration Planning Manager Guide - TechNet

Fun But Fictional Reading

Permanent Link to Microsoft Decides You Don’t Need Your Old Data - Zoli Erdos

Microsoft breaks the perpetual licence covenant - Phil Wainewright

Microsoft hoses user data - again! - Robin Harris