January 7, 2008 10:40 AM PST
Microsoft admits Office 2003 'mistake'
The advisory, posted in December, told users that dozens of file formats had been blocked in the latest service pack for Office 2003--Service Pack 3 (SP3)--because they were insecure.
It provided a workaround for users who wanted to unblock the formats, but made the process complicated, requiring changes to the registry which could have made users' PCs inoperable if they were applied incorrectly.
On Friday, Microsoft admitted that the information it had provided was wrong, and that it had underestimated how many users had been affected. It now says that, instead of the file formats themselves being insecure, it is the parsing code that Office 2003 uses to open and save the file types that is less secure.
Speaking to ZDNet.co.uk on Friday, Reed Shaffner, worldwide product manager for Microsoft Office, confirmed that the advisory provided by Microsoft was incorrect, and that manual registry fix which Microsoft had provided had been difficult to implement by end users.
Asked why Microsoft had not made the fix easier to implement, Shaffner said: "We thought it would not impact many users. And the messages we have been receiving are that it hasn't affected many users. But it was a mistake on our part."
Microsoft updated the advisory on Friday evening and included links to four downloadable updates that would unblock the file formats. One update was provided for each of Word, Excel, PowerPoint, and CorelDraw file types.
The downloadable updates should prove to be much easier to implement than a manual registry fix, details of which were retained in the updated advisory.
The software giant also provided four downloadable updates to reblock the file formats.
Shaffner said: "For IT administrators, we recommend that they use the (registry) fix that was there before. For end users, if they frequently use the older formats, this (the downloadable update) is the way." He suggested that if users did not frequently use the older formats, they should apply the update.
David LeBlanc, a senior software development engineer in the Microsoft Office group, added further details to Microsoft's change of direction.
He wrote on Friday in his blog: "We noticed that attackers seemed to be preferentially hitting the parsers for the older formats, and if the great majority of you don't need the older format, it's risk without reward. This was the thinking behind disabling the older formats by default in Office 2007 and eventually Office 2003 SP3. We'll try harder to make enabling older formats much more user-friendly in the future."
Richard Thurston of ZDNet UK reported from London.
84 commentsJoin the conversation! Add your comment