By Richard Thurston
Special to CNET News.com
January 7, 2008
Microsoft has acknowledged it made a mistake over a security advisory it
released concerning Office 2003.
The advisory, posted in December, told users that dozens of file formats
had been blocked in the latest service pack for Office 2003--Service
Pack 3 (SP3)--because they were insecure.
It provided a workaround for users who wanted to unblock the formats,
but made the process complicated, requiring changes to the registry
which could have made users' PCs inoperable if they were applied
On Friday, Microsoft admitted that the information it had provided was
wrong, and that it had underestimated how many users had been affected.
It now says that, instead of the file formats themselves being insecure,
it is the parsing code that Office 2003 uses to open and save the file
types that is less secure.
Speaking to ZDNet.co.uk on Friday, Reed Shaffner, worldwide product
manager for Microsoft Office, confirmed that the advisory provided by
Microsoft was incorrect, and that manual registry fix which Microsoft
had provided had been difficult to implement by end users.
Asked why Microsoft had not made the fix easier to implement, Shaffner
said: "We thought it would not impact many users. And the messages we
have been receiving are that it hasn't affected many users. But it was a
mistake on our part."
Microsoft updated the advisory on Friday evening and included links to
four downloadable updates that would unblock the file formats. One
update was provided for each of Word, Excel, PowerPoint, and CorelDraw
The downloadable updates should prove to be much easier to implement
than a manual registry fix, details of which were retained in the
The software giant also provided four downloadable updates to reblock
the file formats.
Shaffner said: "For IT administrators, we recommend that they use the
(registry) fix that was there before. For end users, if they frequently
use the older formats, this (the downloadable update) is the way." He
suggested that if users did not frequently use the older formats, they
should apply the update.
David LeBlanc, a senior software development engineer in the Microsoft
Office group, added further details to Microsoft's change of direction.
He wrote on Friday in his blog: "We noticed that attackers seemed to be
preferentially hitting the parsers for the older formats, and if the
great majority of you don't need the older format, it's risk without
reward. This was the thinking behind disabling the older formats by
default in Office 2007 and eventually Office 2003 SP3. We'll try harder
to make enabling older formats much more user-friendly in the future."
Richard Thurston of ZDNet UK reported from London.
Copyright 1995-2008 CNET Networks, Inc. All rights reserved.
Visit InfoSec News