January 7, 2008 10:40 AM PST

Microsoft admits Office 2003 'mistake'

Microsoft has acknowledged it made a mistake over a security advisory it released concerning Office 2003.

The advisory, posted in December, told users that dozens of file formats had been blocked in the latest service pack for Office 2003--Service Pack 3 (SP3)--because they were insecure.

It provided a workaround for users who wanted to unblock the formats, but made the process complicated, requiring changes to the registry which could have made users' PCs inoperable if they were applied incorrectly.

On Friday, Microsoft admitted that the information it had provided was wrong, and that it had underestimated how many users had been affected. It now says that, instead of the file formats themselves being insecure, it is the parsing code that Office 2003 uses to open and save the file types that is less secure.

Speaking to ZDNet.co.uk on Friday, Reed Shaffner, worldwide product manager for Microsoft Office, confirmed that the advisory provided by Microsoft was incorrect, and that the manual registry fix which Microsoft had provided had been difficult for end users to implement.

Asked why Microsoft had not made the fix easier to implement, Shaffner said: "We thought it would not impact many users. And the messages we have been receiving are that it hasn't affected many users. But it was a mistake on our part."

Microsoft updated the advisory on Friday evening and included links to four downloadable updates that would unblock the file formats. One update was provided for each of Word, Excel, PowerPoint, and CorelDraw file types.

The downloadable updates should prove to be much easier to implement than a manual registry fix, details of which were retained in the updated advisory.

The software giant also provided four downloadable updates to reblock the file formats.

Shaffner said: "For IT administrators, we recommend that they use the (registry) fix that was there before. For end users, if they frequently use the older formats, this (the downloadable update) is the way." He suggested that if users did not frequently use the older formats, they should apply the update.

David LeBlanc, a senior software development engineer in the Microsoft Office group, added further details to Microsoft's change of direction.

He wrote on Friday in his blog: "We noticed that attackers seemed to be preferentially hitting the parsers for the older formats, and if the great majority of you don't need the older format, it's risk without reward. This was the thinking behind disabling the older formats by default in Office 2007 and eventually Office 2003 SP3. We'll try harder to make enabling older formats much more user-friendly in the future."

Richard Thurston of ZDNet UK reported from London.

83 comments (Showing first 20 comments)
Old formats disabled for security?
by Theosophe74 January 7, 2008 11:05 AM PST
You don't address a security concern by disabling functionality unless you have no other alternative.

If people use virus protection software (and everyone should), shouldn't that protect against most document-based attacks?

Could it be that Microsoft is disabling old file formats because they're seeing that their customer base is not upgrading to later versions of Office nearly as quickly as they would like from a revenue perspective?

Thus, by disabling the formats in Office 2003 and 2007, these "lagging" users will get calls from companies that have upgraded that say, "Sorry, I can't read your document", and will make people think that they have to upgrade to remain interoperable with their peers (when they really don't).
I told you so.
by Penguinisto January 7, 2008 11:21 AM PST
Seriously... I'm glad they at least removed their head from their collective arse and owned up to their mistake.

OTOH, it does show that they'll happily lie about technical issues if the issue doesn't affect many users, but will come clean only if it affects a large portion of their user base.

I can safely call it a lie on their part because the "security" of file formats, vs. that of the app handling that format is a CS 1000 - level concept. In other words, even the lowliest help desk monkey can grok the difference.

IMHO, I think they realized that the issue threatened their future income, and decided to backpedal as hard as they could. I wouldn't be surprised if they didn't already have the patches in place beforehand (it's only been what, a few days since the discovery)?

/P

(cue hordes of MSFT fanboys trying to cover up for their idol...)
Now I'm waiting
by AppleRocks1963 January 7, 2008 11:23 AM PST
for the admission that VISTA is a huge mistake.
Microsoft Wrong? You're Kidding?!
by thedreaming January 7, 2008 11:23 AM PST
Did hell freeze over? So those were pigs flying? Lindsay Lohan is a virgin, living in a convent, selling flowers by the curb side?! Has the world gone mad?

Next you'll tell me that the iPhone is the world's most overhyped toy in all of 2007!

.........................What do you mean it is!?

AHH!!!!
I can convert all files... with Open Office
by gsekse January 7, 2008 11:44 AM PST
Maybe that is what Microsoft wants you to do. Install OpenOffice and use it to load and convert files to other formats. Course, don't use it too much or you might decide to just USE OpenOffice and forget about licenses and stuff!
Strange, Odd and Wearied
by ALPICH January 7, 2008 1:54 PM PST
This was just more confusion for me. If the older file formats are open to possible hacks during opening and saving of the files then it stands to reason that the software is flawed so the software should be fixed. Also it stands to reason that newer file formats do not have this issue even if the register is changed to allow access to them. So what is the problem here? Save new files in new formats and open old files with the knowledge that there are some security risks. Maybe Norton or the like could add something to their security checking software. Alternatively Microsoft could just fix the parsing code they now admit is less secure and let's get on with our work with whichever file format we want. BIG FAT BOO to 'MEGA'SOFT on security
What About Office 2007
by davidgmore January 7, 2008 3:42 PM PST
I have some .ppt files from 1995 which I need to access and would like Office 2007 to permit this. At present I get an error message saying invalid format etc.

An older file viewer displays the files fine. I really want to avoid installing Open Office if possible.

Any help?

David.
needs link back to info on which formats
by internetexplorer January 7, 2008 6:12 PM PST
This article is like a lot of so-called "news" shows on TV--it gives the headline and various spins on that headline but not the underlying facts, specifically in this case: what formats are affected by this over-reaching Microsoft move. Please tell your writers they should at least include a link to the original information if all important facts are not in their report.
these aren't debating tactics
by gp2792 January 7, 2008 7:22 PM PST
I was trying to get you to use your brain. Unfortunately, I failed. Anytime you want to discuss how to value a company, you just let me know. Cuz I am real sure you are shorting MS stock...being as confident as you are about the company's last gasp for breath and all. Got any more hot stock tips?

I apologize for the emotion, stupidity and intentional blindness does that to me. I should remember that a cnet forum has no bar for entry.
MS overplayed hand, media is underplaying
by internetexplorer January 7, 2008 7:38 PM PST
I think I just found the reason for Microsoft's "mea culpa" (apology): they wrongfully claimed Corel's word processing format(s) to be insecure and now are backpedalling to avoid a big lawsuit for defamation (slander or libel)--and possibly on other grounds as well that could even be used as the basis to claim MS was intentionally trying to drive Corel's Word Perfect out of the market.
OS/2 - Where is Spock
by Frewgle January 8, 2008 8:45 AM PST
I'm still waiting for the OS/2 diatribe, and how it works with all file formats perfectly...

Live long and.... prosper?
Disabled for revenue, planned obsolescence
by chash360 January 8, 2008 10:25 AM PST
1. If they had written things carefully in the first place there would not be a security issue.

2. If they actually had new, valuable features and new useful functions people were demanding, then people would buy the next upgrade, without being coerced with disabled file formats.

3. It's not a mistake, it was intentional and they admit it, they are lying as to why. Even with the new fix out there, they have also promoted the fact that these old formats are insecure. So are their new formats, and the next, and the next.

4. Software has no moving parts it does not wear out. What worked last year should still work this year, except M$ will release details of all the flaws they knew were in it to begin with, because how else could you make people upgrade a product that otherwise could not wear out?
Create the problem, sell the solution...The M$ Way
by chash360 January 8, 2008 12:05 PM PST
The M$ Way...
1. Buy small reputable software Titles.
2. Inject the code with flaws and window dressing.
3. Force Bundle with OS, call it integrated.
4. Once usage is commonplace and standard unbundle, begin charging for separate license.
5. Force upgrades, Publish security flaws injected in step 2.
6. Deviate from accepted industry standards, with new 'features' that are actually major security flaws.
7. Massively distribute deviant software, usurping any other vendors software.
8. Use security flaws to rapidly steal and release other's IP as your own before the competition.
9. Repeat steps 5 through 8 until you destroy the economy and own the entire world...
MS office error ADMITTANCE
by briceone January 9, 2008 9:22 AM PST
MS with the vast millions of $ made from extortionate profits, should give all registered purchasers of any MS office suite FREE office 2007/8! I have now reached the age of 70 and am retired can no longer afford new software especially GATES prices!
Regards to all please have a super 2008.
Prof. Brian Bevan
HOW ABOUT a hates and likes/fors and againsts page?
Microsoft's band-aid solution
by Get_Bent January 9, 2008 10:51 AM PST
The real problem is this: "instead of the file formats themselves being insecure, it is the parsing code that Office 2003 uses to open and save the file types that is less secure." So rather than fix the import/export code that is the root of the problem, Microsoft took the cheap/lazy way out and disabled those file types instead. Thanks Microsoft, I really appreciate how you look out for your customers....
Microsoft admits mistake? How about WIN Vista?
by Seewig January 9, 2008 6:55 PM PST
Microsoft had taken over the Internet world after Netscape. And the early products were fairly good.
I upgraded my computer, and an OEM version was part of the computer purchase. What I have suffered despite the "Windows Easy Transfer" program provided is unspeakable.

Outlook Express was automatically replaced by Windows Mail, but it doesn't do what OE used to do. Inbox folders open all the way, even if there is no new email, and when you close them, in order to have a handier, clearer overview of all folders, they are opened again, when the program is restarted.
Now I can't even drop an address into a newly 'created mail' through the "TO" and "CC" prompts in the new message. It simply reports "Unable to choose recipients". There is help suggested, namely to delete one of MS's latest Update KB933928. But by the time you restart your computer it is right back on,- and of course its malaise, too.

Outlook (Office 2000) isn't even allowed to access the "pst" files. It just doesn't recognize the transferred files. So, my calendar, full of appointments and reminders is now useless.
I am tired of Microsoft! Can it retire together with Bill Gates?
Otto
Microsoft Office 2003 Bugs
by gspal January 10, 2008 1:56 PM PST
Microsoft sells software on the condition that one should be prepared to endlessly download and install updates. This is tantamount to deficiency in services for not having checked the product thoroughly before making it available to the public. If there is a defect in a car, the manufacturer recalls the vehicle, rectifies the defect, and returns it to its legal owner, all at its own cost. This implies that Microsoft is selling BETA versions to this date. I am sure there must be laws as in India to sue Microsoft for deficiency of service regarding their products together with financial loss and anguish suffered by users of their products. If the users happen to get together and file a common complaint in the courts of their respective countries, Gates will become a pauper overnight.