Microsoft has acknowledged it made a mistake over a security advisory it released concerning Office 2003.
The advisory, posted in December, told users that dozens of file formats had been blocked in the latest service pack for Office 2003--Service Pack 3 (SP3)--because they were insecure.
It provided a workaround for users who wanted to unblock the formats, but made the process complicated, requiring changes to the registry which could have made users' PCs inoperable if they were applied incorrectly.
On Friday, Microsoft admitted that the information it had provided was wrong, and that it had underestimated how many users had been affected. It now says that, instead of the file formats themselves being insecure, it is the parsing code that Office 2003 uses to open and save the file types that is less secure.
Speaking to ZDNet.co.uk on Friday, Reed Shaffner, worldwide product manager for Microsoft Office, confirmed that the advisory provided by Microsoft was incorrect, and that the manual registry fix Microsoft had provided had been difficult for end users to implement.
Asked why Microsoft had not made the fix easier to implement, Shaffner said: "We thought it would not impact many users. And the messages we have been receiving are that it hasn't affected many users. But it was a mistake on our part."
Microsoft updated the advisory on Friday evening and included links to four downloadable updates that would unblock the file formats. One update was provided for each of Word, Excel, PowerPoint, and CorelDraw file types.
The downloadable updates should prove much easier to apply than the manual registry fix, details of which were retained in the updated advisory.
The software giant also provided four downloadable updates to reblock the file formats.
Shaffner said: "For IT administrators, we recommend that they use the (registry) fix that was there before. For end users, if they frequently use the older formats, this (the downloadable update) is the way." He suggested that if users did not frequently use the older formats, they should apply the update.
David LeBlanc, a senior software development engineer in the Microsoft Office group, added further details to Microsoft's change of direction.
He wrote on Friday in his blog: "We noticed that attackers seemed to be preferentially hitting the parsers for the older formats, and if the great majority of you don't need the older format, it's risk without reward. This was the thinking behind disabling the older formats by default in Office 2007 and eventually Office 2003 SP3. We'll try harder to make enabling older formats much more user-friendly in the future."
Richard Thurston of ZDNet UK reported from London.
You don't address a security concern by disabling functionality unless you have no other alternative.
If people use virus protection software (and everyone should), shouldn't that protect against most document-based attacks?
Could it be that Microsoft is disabling old file formats because they're seeing that their customer base is not upgrading to later versions of Office nearly as quickly as they would like from a revenue perspective?
Thus, by disabling the formats in Office 2003 and 2007, these "lagging" users will get calls from companies that have upgraded that say, "Sorry, I can't read your document", and will make people think that they have to upgrade to remain interoperable with their peers (when they really don't).
[i]"You don't address a security concern by disabling functionality unless you have no other alternative."[/i]
...or you really need to boost sales for the newer version of the crippled product. ;)
I agree with you - I think MSFT got caught reaching a bit too far, and wound up getting their hand slapped by their customer base.
[i]"Thus, by disabling the formats in Office 2003 and 2007, these "lagging" users will get calls from companies that have upgraded that say, "Sorry, I can't read your document", and will make people think that they have to upgrade to remain interoperable with their peers (when they really don't)."[/i]
That wouldn't quite work anymore... any company faced with a sudden demand to spend money for upgrades will likely look at least towards an interim solution until the money becomes available for such upgrades... A solid solution in that vein is OpenOffice. Once they do have OO in place and start using it, they may quickly discover that they really don't have much need to spend the ~$300 (or so, in bulk) per seat that Office 2007 would cost them. In turn, this would lose Microsoft a lot of sales, and a sizeable chunk of user base.
I think MSFT's realization of that is why they suddenly pulled back and stopped blocking formats.
As it is, I suspect that enough people got bit, and hard enough, that those users will very likely start looking at removing Microsoft Office from the equation anyway.
I think it's clear MS made working with older formats of their data (and others', I think) simply to muscle people into upgrading to newer versions of Office. I ran into problems with Office when I upgraded to Vista, which I did right after it came out. I was told I needed to upgrade, which I fortunately did not need to do, thanks to having the current Mac version. As far as MS claiming not to have had a lot of complaints regarding this issue, I suspect most people do not know how to complain in such a way that MS would consider it "reportable" and that they wouldn't take the time to even if they did.
The idea that it's an apparent non-issue to M$ is because people are not upgrading, like they want. And so it's only now people are really discovering the issue. I am still using Office 2003, and Windows XP, and will continue to do so until the IT Dept puts me at gun point, at which point I will simply hide my real working system behind a few switches and still use what works for me.
Perhaps M$ will pull out all the stops and begin disabling software remotely with Windows Update (don't think for a second that they could not...)
P.S. Now that I have seen Vista, where is the lawsuit? Talk about trying to rip off the competition. It's such a rip-off of the Mac interface that I am disgusted by it. If I want a Mac I will get a Mac, not some pathetic imitation by M$.
Seriously... I'm glad they at least removed their head from their collective arse and owned up to their mistake.
OTOH, it does show that they'll happily lie about technical issues if the issue doesn't affect many users, but will come clean only if it affects a large portion of their user base.
I can safely call it a lie on their part because the "security" of file formats, vs. that of the app handling that format is a CS 1000 - level concept. In other words, even the lowliest help desk monkey can grok the difference.
IMHO, I think they realized that the issue threatened their future income, and decided to backpedal as hard as they could. I wouldn't be surprised if they didn't already have the patches in place beforehand (it's only been what, a few days since the discovery)?
/P
(cue hordes of MSFT fanboys trying to cover up for their idol...)
I agree this was a horrible mistake by Microsoft. I am not all that surprised that they have fixed it, though. Per your comments, however, it appears you should eat at least a little crow:
"I don't care if you're a Fortune 10 -ranked corp... you can demand until you're blue in the face, but MSFT isn't going to let your tantrum gum up their upgrade mill.
Only when (in rare cases) enough people whine and complain will they even deign to address the issue.*
I do find it very hard to believe that you're big enough to matter to MSFT. Seriously, you're using blind-installs via Automatic Update for your users, instead of tools such as WSUS. You've shown not even a hint of a patch roll-out policy (which would've at least halfway caught something this ugly).
/P
* This has only happened once that I'm aware of. MSFT decided to try and decertify all NT 4.0 MCSE's by 10/2001, in order to force some revenue from licenses of the Win2k MCSE/MCP classes and tests. They backed off after almost nobody upped their certs to Win2k."
Care to retract? Or are you now aware of only 2 instances of Microsoft admitting to and correcting a mistake?
Amazing how the word 'lies' and your name keep coming up together. Hmm.
It's also amazing that even when Microsoft does something that you demanded they do that you still flame them. Nobody can make you happy, it appears. Do something you don't like and you attack. When they fix the issue and acknowledge it, and you still attack.
Time to get off the high horse, sir. You're getting a nosebleed from the attitude- err, altitude.
I'm not a big MS fan, and I ran into quite a few problems with Vista when I moved to it right after it was released (for a good reason, even though I knew it would be tough), but the problems were almost all due to hardware and software vendors not having prepared for Vista and then not being aggressively proactive in catching up -- and I only say this because many of the vendors did do this. Vista Business has been the best MS OS I've used to date (and I date back to DOS). MS tech support during the first 4-6 weeks that it took to iron out the issues was (shockingly) terrific. The only company that really disappointed me was Hewlett-Packard, who refused to support a scanner I purchased only two-and-a-half years prior to the Vista release. Not only did they fail to support it, the "discount" replacement scanner they offered could be purchased on Amazon for $75 less. Boo for HP. In any case, as far as Vista goes, obviously if your hardware can't handle it, there's probably no reason to update atm. All I know is I'm very happy with it.
Did hell freeze over? So those were pigs flying? Lindsay Lohan is a virgin, living in a convent, selling flowers by the curb side?! Has the world gone mad?
Next you'll tell me that the iPhone is the world's most over-hyped toy in all of 2007!
.........................What do you mean it is!?
AHH!!!!
Maybe that is what Microsoft wants you to do. Install OpenOffice and use it to load and convert files to other formats. Course, don't use it too much or you might decide to just USE OpenOffice and forget about licenses and stuff!
For legal reasons, some documents must be left in original format. Anything signed should not be modified in any way. Anything verified by a security hash (contracts, work orders, patent requests, etc) cannot be changed at all. Ever.
I can't believe that Microsoft could have made such a basic blunder: No one with any security background would do this, so who came up with this farce, and why didn't management catch it?
for Microsoft, that is. Anti-Microsoft I am not, and I do use their products daily. That being said, I am also thankful for Open Office. It is free, compared to hundreds of dollars for MS Office. It does open almost all documents (which is kind). It is what we install with every machine we sell. Look, bash it if you must, but it is a good alternative, compared to the mismanagement in decisions made by Microsoft these days.
This was just more confusion for me. If the older file formats are open to possible hacks during opening and saving of the files, then it stands to reason that the software is flawed, so the software should be fixed. Also it stands to reason that newer file formats do not have this issue even if the register is changed to allow access to them. So what is the problem here? Save new files in new formats and open old files with the knowledge that there are some security risks. Maybe Norton or the like could add something to their security checking software. Alternatively Microsoft could just fix the parsing code they now admit is less secure and let's get on with our work with whichever file format we want. BIG FAT BOO to 'MEGA'SOFT on security
I have some .ppt files from 1995 which I need to access and would like Office 2007 to permit this. At present I get an error message saying invalid format etc.
An older file viewer displays the files fine. I really want to avoid installing Open Office if possible.
Any help?
David.
Perhaps, if you can get an old copy of Office and get it to run, you can open them up and save them in something Office 2007 can read.
Or you can just say no to getting screwed and just open it in OpenOffice.
Help #2 "Microsoft updated the advisory on Friday evening and included links to four downloadable updates that would unblock the file formats. One update was provided for each of Word, Excel, PowerPoint, and CorelDraw file types."
Help #3 You ought to think about updating your presentation. There have been many changes in this world since 1995.
Help #4 If you don't have any other use for MS office, you should consider OO. For most low-end users, it does what you want for free.
This article is like a lot of so-called "news" shows on TV--it gives the headline and various spins on that headline but not the underlying facts, specifically in this case: what formats are affected by this over-reaching Microsoft move. Please tell your writers they should at least include a link to the original information if all important facts are not in their report.
This story is a follow-up story. In the original story, the writer never cared to be precise. He left it to sound like MS killed everything before the year 2000. From what I can gather, MS Word 1.0, maybe 2.0, some PowerPoint files, prob from 95 and earlier, some WordPerfect files from well over a decade old and some old Lotus files. You'd have to go to the MS website to get the real skinny if you're really concerned, but for 99.99% of the people in this world, it isn't a problem. The service packs had been released for 2-3 months before this story and no one complained during that time period that I know of.
I was trying to get you to use your brain. Unfortunately, I failed. Anytime you want to discuss how to value a company, you just let me know. Cuz I am real sure you are shorting MS stock...being as confident as you are about the company's last gasp for breath and all. Got any more hot stock tips?
I apologize for the emotion; stupidity and intentional blindness does that to me. I should remember that a CNET forum has no bar for entry.
Peng just hates MS. To each his own. Peng and a myriad of others have great intellect (just ask them :-) ). Why, I suppose that all of them could tell me why a third party app that my company bought for 100K tells me that an Oracle program written in Sun Java CAN'T SUPPORT HOSTED PRINTING!!!!....Any tech types care to 'splain to this "wishing it was written in a MS language guy"?
I think I just found the reason for Microsoft's "mea culpa" (apology): they wrongfully claimed Corel's word processing format(s) to be insecure and now are backpedalling to avoid a big lawsuit for defamation (slander or libel)--and possibly on other grounds as well that could even be used as the basis to claim MS was intentionally trying to drive Corel's Word Perfect out of the market.
Did they actually disable Corel formats? Is it legal for them to do that? If so, have they released patches for the Corel formats disabled? Is this the real ploy here, quietly disabling competitors' products?
Live long and.... prosper?
1. If they had written things carefully in the first place there would not be a security issue.
2. If they actually had new, valuable features and new useful functions people were demanding, then people would buy the next upgrade, without being coerced with disabled file formats.
3. It's not a mistake, it was intentional and they admit it; they are lying as to why. Even with the new fix out there, they have also promoted the fact that these old formats are insecure. So are their new formats, and the next, and the next.
4. Software has no moving parts; it does not wear out. What worked last year should still work this year, except M$ will release details of all the flaws they knew were in it to begin with, because how else could you make people upgrade a product that otherwise could not wear out?
Create the problem, sell the solution...The M$ Way
The M$ Way...
1. Buy small reputable software titles.
2. Inject the code with flaws and window dressing.
3. Force bundle with OS, call it integrated.
4. Once usage is commonplace and standard, unbundle, begin charging for a separate license.
5. Force upgrades, publish security flaws injected in step 2.
6. Deviate from accepted industry standards, with new 'features' that are actually major security flaws.
7. Massively distribute deviant software, usurping any other vendor's software.
8. Use security flaws to rapidly steal and release others' IP as your own before the competition.
9. Repeat steps 5 through 8 until you destroy the economy and own the entire world...
WHAT DID YOU EXPECT? GATES IS IN BED WITH BIG BROTHER, NEW WORLD ORDER GOVERNMENT.
GET EVERYONE HOOKED ON THE SYSTEM AND RETAIN THE ABILITY TO SHUT DOWN THE WHOLE SHEBANG WITHOUT NOTICE. ONLY TOO LATE DO WE REALIZE THE TRAP WE ARE IN.
MS, with the vast millions of $ made from extortionate profits, should give all registered purchasers of any MS Office suite FREE Office 2007/8! I have now reached the age of 70 and am retired and can no longer afford new software, especially at GATES prices! Regards to all, please have a super 2008.
Prof. Brian Bevan
HOW ABOUT a hates and likes/fors and againsts page?
should give me a new Caddy because, well, I'm older and can't afford one every year. And while we're at it, academia, with their vast millions made from extortionate profits, should give all recent class attendees a free ride for a semester or 2. We're older now and just can't afford to keep spending money for some letters in front of or behind our names. As far as the likes/for idea, in essence we have one. Just read any story regarding MS and you'll see the haters out in force.
Best wishes
SUYTS
The real problem is this: "instead of the file formats themselves being insecure, it is the parsing code that Office 2003 uses to open and save the file types that is less secure." So rather than fix the import/export code that is the root of the problem, Microsoft took the cheap/lazy way out and disabled those file types instead. Thanks Microsoft, I really appreciate how you look out for your customers....
Microsoft had taken over the Internet world after Netscape. And the early products were fairly good. I upgraded my computer, and an OEM version was part of the computer purchase. What I have suffered despite the "Windows Easy Transfer" program provided is unspeakable.
Outlook Express was automatically replaced by Windows Mail, but it doesn't do what OE used to do. Inbox folders open all the way, even if there is no new email, and when you close them, in order to have a handier, clearer overview of all folders, they are opened again when the program is restarted.
Now I can't even drop an address into a newly 'created mail' through the "TO" and "CC" prompts in the new message. It simply reports "Unable to choose recipients". There is help suggested, namely to delete one of MS's latest updates, KB933928. But by the time you restart your computer it is right back on, and of course its malaise, too.
Outlook (Office 2000) isn't even allowed to access the "pst" files. It just doesn't recognize the transferred files. So, my calendar, full of appointments and reminders, is now useless.
I am tired of Microsoft! Can it retire together with Bill Gates?
Otto
probably you're attempting to use redundant programs, Outlook Express and Outlook. You can't. I just staged my first Vista Pro at the job place to see how it plays with the progs. and other PCs. I haven't played much with Outlook but so far no probs. In fact, while I'm not much for "eye candy", I was duly impressed. I'll check out Outlook tomorrow and see how it goes.
Microsoft sells software on the condition that one should be prepared to endlessly download and install updates. This is tantamount to a deficiency in service for not having checked the product thoroughly before making it available to the public. If there is a defect in a car, the manufacturer recalls the vehicle, rectifies the defect, and returns it to its legal owner, all at its own cost. This implies that Microsoft is selling BETA versions to this date. I am sure there must be laws, as in India, to sue Microsoft for deficiency of service regarding their products together with financial loss and anguish suffered by users of their products. If the users happen to get together and file a common complaint in the courts of their respective countries, Gates will become a pauper overnight.